European Central Bank working paper finds cyber stress test scrutiny drove about 80 percent higher cybersecurity investment at laggard banks

The European Central Bank has published a working paper examining its 2024 Cyber Resilience Stress Test that finds supervisory scrutiny was associated with materially higher cybersecurity investment by euro area banks that had previously underinvested relative to their cyber risk profiles. Using confidential supervisory data, the authors estimate that the March 2023 announcement of the exercise was followed by an average increase of about 45 percent in cybersecurity investment across the sector, while identified laggard banks increased investment by about 80 percent relative to peers. The paper is presented as research and states that the views are those of the authors and do not necessarily reflect those of the ECB. The analysis covers 109 Significant Institutions from 2019 to 2024 and treats the stress test as a setting to isolate a supervisory scrutiny channel because the exercise had no direct Pillar 2 capital consequences and no public disclosure of bank-level results. Laggard banks are defined as those investing below levels predicted by their cyber risk profiles and financial characteristics before the announcement. The paper finds the response was strongest where supervisory engagement was more intensive, measured through substantive findings, data-quality flags and on-site inspections, while laggards subject to lower-intensity attention showed no significant change. Beyond spending, the research reports related adjustments including reduced external ICT outsourcing, lower turnover in some specialist ICT control functions, changes to cyber-insurance arrangements and a relative decline in reported significant cyber incidents among laggard banks.