Bank for International Settlements research finds ECB cyber stress test scrutiny raised cybersecurity investment by about 45% and by about 80% at laggard banks

The Bank for International Settlements has published research finding that supervisory scrutiny can materially raise banks’ cybersecurity spending even without direct capital penalties or public disclosure of bank-level results. Analysing the European Central Bank’s 2024 cyber resilience stress test using confidential supervisory data for 109 large euro area banks from 2019 to 2024, the paper finds that the stress test announcement was associated with an increase in cybersecurity investment of around 45% across the sector, while banks identified as prior underinvestors increased spending by about 80% relative to their peers. The paper argues that the design of the ECB exercise helps isolate a “scrutiny channel” because it was qualitative, had no direct Pillar 2 capital consequences and did not publish individual bank results. The stronger response was concentrated in laggard banks that faced more intensive supervisory follow-up, including deeper reviews and supervisory findings, while laggards receiving less supervisory attention showed little change. The research also finds that laggard banks reduced reliance on external outsourcing, stabilised specialised cyber staff and adjusted cyber insurance coverage, supporting the view that targeted supervisory scrutiny can help address systemic underinvestment in cyber resilience.