Abstract: Investment in cybersecurity in an interconnected banking system has public-good proper-ties: positive externalities can generate systemic underinvestment. Using confidential supervi-sory data from the European Central Bank, we first identify “laggard” European banks that underinvest relative to their cyber-risk profiles, and then examine how supervisory scrutiny affects their incentives to invest. We exploit the 2024 ECB Cyber Resilience Stress Test (CyRST) as a quasi-natural experiment. In a difference-in-differences design, we find that following the CyRST announcement, laggard banks increased cybersecurity investment by about 80% relative to their peers. The response is stronger among laggards subject to high-intensity supervisory oversight, consistent with scrutiny exerting a disciplining effect. Overall, the results suggest that targeted supervisory scrutiny may help mitigate underinvestment incentives and strengthen banks’ operational risk management.
