Can Supervisory Scrutiny Discipline Cyber Risk? Evidence from the ECB’s Cyber Resilience Stress Test
Cyber risk has become one of the central challenges facing financial regulation. Recent incidents have demonstrated that operational disruptions can propagate across financial and technological networks with remarkable speed. The ransomware attack on ICBC disrupted activity in the US Treasury market, while the cyberattack on CloudNordic led to widespread data loss among its customers. More recently, the arrival of powerful frontier AI models underscores the accelerated pace at which cyber risk can impact finance. Such episodes illustrate a core insight from the systemic risk literature: the resilience of an interconnected system may depend disproportionately on its most vulnerable nodes. While these dynamics have long been studied in the context of financial contagion (Allen and Gale, 2000; Acemoglu et al, 2015), cyber risk introduces a parallel channel through which disruptions can spread via shared technological dependencies and critical service providers.
Cyber risk is no longer viewed by supervisors as a low-probability tail event. As ECB Supervisory Board member Anneli Tuominen recently observed, risks that supervisors once regarded as belonging to extreme scenarios have increasingly become part of the baseline operating environment for financial institutions. The number of cyber incidents reported by banks to the ECB rose sharply through 2024, while cybersecurity is now consistently ranked among the foremost concerns of chief risk officers in global banking. In a recent survey conducted by the Institute of International Finance, three-quarters of chief risk officers identified cybersecurity as their top risk concern, with geopolitical tensions cited as a key driver. These developments suggest that cyber resilience is no longer a niche operational issue but a core component of financial stability policy.
The geopolitical dimension adds further urgency. European supervisors have increasingly warned that cyber threats cannot be analysed independently from the broader strategic environment. Recent supervisory discussions have highlighted scenarios involving sophisticated cyberattacks potentially enhanced by artificial intelligence, reflecting growing concerns that technological advances may simultaneously increase the capabilities of both financial institutions and malicious actors. In this environment, operational resilience is becoming inseparable from questions of geopolitical resilience and economic security.
These concerns also arise against a broader structural backdrop. The Draghi Report on European competitiveness emphasised Europe’s dependence on a limited number of non-European providers of cloud services, digital infrastructure, and advanced technologies. As banks increasingly rely on common third-party technology providers, vulnerabilities originating outside the banking sector may nonetheless have systemic consequences for financial stability. The resulting concentration risks have elevated operational resilience from a back-office technology concern to a central challenge for financial regulation and supervision.
This feature places cyber risk squarely within the broader literature on systemic risk and financial stability. Just as financial contagion can emerge from interconnected balance sheets (Acemoglu, Ozdaglar and Tahbaz-Salehi, 2015), cyber incidents can spread through technological dependencies, shared service providers, and payment infrastructures (Duffie and Younger, 2019; Eisenbach et al, 2022). The resilience of the financial system may therefore depend disproportionately on its most vulnerable institutions.
A central implication follows. Cybersecurity investment exhibits many of the characteristics of a quasi-public good. While banks bear the private costs of cybersecurity expenditure, part of the benefit accrues to the wider financial system. As a result, individual institutions may underinvest relative to the socially optimal level (Kashyap and Wetherilt, 2019; Aldasoro et al, 2023; Anand et al, 2024). This creates a natural rationale for regulatory intervention.
Yet cyber risk poses particular challenges for conventional prudential tools. Capital requirements remain an important component of the prudential framework, but cyber vulnerabilities are dynamic and potentially more difficult to measure. Similarly, while disclosure often promotes market discipline, revealing institution-specific cyber weaknesses may itself create vulnerabilities in a domain where adversaries actively search for exploitable information. These characteristics suggest that supervisory scrutiny may play a useful complementary role alongside existing prudential tools. This raises a broader regulatory question: can supervisory scrutiny itself influence firms’ incentives to invest in cyber resilience?
In a recent paper, Disciplining Digital Risk: Evidence from Cyber Stress Tests, we examine this question using the European Central Bank's 2024 Cyber Resilience Stress Test (CyRST). The exercise was designed to assess banks’ ability to respond to and recover from a severe cyberattack, but it also offers a uniquely attractive setting for studying supervisory behaviour. The ECB’s exercise is notable because it focused on cyber response and recovery capabilities rather than capital adequacy. Unlike conventional supervisory stress tests, it assessed how banks would manage and recover from a severe cyber incident, reflecting a broader shift in supervisory priorities from solvency alone towards operational resilience.
The reason is that the CyRST deliberately neutralised the two channels through which stress tests are traditionally understood to operate. First, the exercise carried no direct capital consequences. Second, individual bank results were not publicly disclosed. Consequently, the CyRST provides a rare opportunity to isolate a third mechanism that has received comparatively little attention in the literature: the supervisory scrutiny channel.
The notion that supervisory attention can influence firm behaviour is not entirely new. Recent work on banking supervision suggests that supervisory scrutiny can affect bank decisions even absent formal sanctions (for example, Kok et al, 2023). However, empirical evidence remains limited, particularly in domains characterised by operational and technological risks rather than traditional balance-sheet risks.
Using confidential supervisory data covering 109 significant euro-area banks between 2019 and 2024, we first identify institutions that appear to underinvest in cybersecurity relative to their cyber-risk profiles and financial characteristics. We refer to these institutions as ‘laggard’ banks. We then exploit the announcement of the CyRST in March 2023 as a quasi-natural experiment and implement a difference-in-differences framework to examine whether supervisory scrutiny altered their behaviour. The identification strategy relies on comparing pre-existing laggards with otherwise similar banks before and after the stress-test announcement.
Our findings suggest that it did. Following the announcement of the CyRST, laggard banks increased cybersecurity investment by approximately 80 per cent relative to non-laggard institutions. Importantly, event-study estimates reveal no evidence of differential pre-trends, supporting a causal interpretation of the results.
The effects also extend beyond headline spending. Relative to their peers, laggard banks reduced certain forms of external ICT dependency, accelerated the replacement of legacy systems, retained specialised cyber personnel, and reconfigured cyber-insurance arrangements. These adjustments suggest that the response reflected broader changes in cyber-risk management rather than a simple increase in expenditure.
Perhaps most importantly, the response is concentrated among banks facing more intensive supervisory engagement during the exercise. Laggard institutions subject to greater supervisory attention exhibit substantially stronger behavioural adjustments than otherwise comparable banks exposed to less intensive scrutiny. This pattern is difficult to reconcile with explanations based solely on industry-wide technological trends or evolving cyber threats. Instead, it is consistent with supervisory scrutiny operating as a disciplining mechanism in its own right.
The implications extend beyond cybersecurity.
For much of the modern era, prudential regulation has relied heavily on capital regulation and market discipline. Our findings suggest that supervisory scrutiny may represent an additional channel through which supervisory authorities can influence behaviour, alongside those two. The credible prospect of detailed supervisory examination may increase the expected cost of underinvestment and encourage firms to align behaviour with supervisory expectations, even where neither capital penalties nor disclosure mechanisms are available. The result is particularly relevant for areas where traditional prudential instruments face important limitations. Capital requirements are difficult to calibrate for risks that evolve rapidly and generate limited historical loss data. Disclosure requirements may be ineffective or even counterproductive where transparency itself creates vulnerabilities. Cybersecurity is perhaps the clearest example, but similar challenges arise in areas such as artificial intelligence governance, cloud concentration risk, and operational resilience more broadly.
The broader significance of this insight may extend well beyond banking. Cybersecurity, artificial intelligence governance, cloud concentration risk, operational resilience, and critical infrastructure protection all involve risks that are difficult to quantify, rapidly evolving, and characterised by significant externalities. In such contexts, traditional prudential tools may prove relatively blunt. Targeted supervisory scrutiny may therefore become an increasingly important component of the regulatory toolkit.
More broadly, the findings contribute to an emerging debate concerning the future of financial regulation in an increasingly digital economy, and in particular how supervisors can address risks that are difficult to quantify, rapidly evolving, and characterised by significant externalities. The findings suggest that the supervisory toolkit may be broader than the capital channel alone and that targeted supervisory scrutiny can play a useful role in domains where traditional levers face particular challenges. The ECB's Cyber Resilience Stress Test provides an example of how such a mechanism may operate in practice.
The authors’ paper is available here.
The views expressed in this article are those of the authors and do not necessarily reflect those of the European Central Bank (ECB), the International Monetary Fund (IMF) or the Bank for International Settlements (BIS).
Nordine Abidi is an Economist at the International Monetary Fund.
Leonardo Gambacorta is the Head of Emerging Markets at the Bank for International Settlements.
Christoffer Kok is the Head of the Stress Test Experts Division at the European Central Bank.
Leonardo Madio is an Associate Professor of Economics at the University of Padua.
Ixart Miquel-Flores is a Supervisor at the European Central Bank and a PhD Candidate at the Frankfurt School of Finance & Management.
Alberto Partida is a Senior Team Lead in Banking Supervision at the European Central Bank, working on cyber risk with a focus on resilience and emerging threats.