Investment in cybersecurity in an interconnected banking system has public-good proper- ties: positive externalities can generate systemic underinvestment. Using confidential supervi- sory data from the European Central Bank, we first identify “laggard” European banks that underinvest relative to their cyber-risk profiles, and then examine how supervisory scrutiny af- fects their incentives to invest. We exploit the 2024 ECB Cyber Resilience Stress Test (CyRST) as a quasi-natural experiment. In a difference-in-differences design, we find that following the CyRST announcement, laggard banks increased cybersecurity investment by about 80% rel- ative to their peers. The response is stronger among laggards subject to high-intensity su- pervisory oversight, consistent with scrutiny exerting a disciplining effect. Overall, the results suggest that targeted supervisory scrutiny may help mitigate underinvestment incentives and strengthen banks’ operational risk management.
Nothing contributes so much to the prosperity and happiness of a country as high profits