ECB cyber stress tests boost bank investment by 80 percent

A new ECB working paper provides the first evidence that targeted supervisory scrutiny can effectively address underinvestment in cybersecurity.

The 2024 Cyber Resilience Stress Test (CyRST) acted as a quasi-natural experiment, revealing that 'laggard' European banks — those underinvesting relative to their cyber-risk profiles — significantly increased their cybersecurity spending.

Following the CyRST announcement, these banks boosted investment by approximately 80% relative to their peers.

This response was particularly pronounced among laggards subject to high-intensity supervisory oversight, demonstrating a clear disciplining effect.

The findings suggest that non-capital-based stress tests can mitigate the systemic underinvestment problem inherent in cybersecurity, where individual banks fail to fully internalize the broader benefits of their security efforts for the interconnected financial system.

The CyRST was designed to isolate the 'scrutiny channel' by explicitly neutralizing traditional regulatory levers.

It carried no direct capital consequences (Pillar 2 requirements) and involved no public disclosure of bank-level results, allowing researchers to study how heightened supervisory attention influences investment.

Using confidential supervisory data from 109 Significant Institutions in the euro area from 2019 to 2024, the study tracked detailed IT and cybersecurity spending.

The empirical strategy first identified 'laggard' banks based on their pre-CyRST investment relative to cyber-risk profiles, then used a difference-in-differences design to analyze changes post-announcement.