数字风险监管：来自网络压力测试的证据

Disciplining digital risk: evidence fromcyber stress tests Nordine Abidi, Leonardo Gambacorta,Christoffer Kok, Leonardo Madio,Ixart Miquel-Flores, Alberto Partida banks to reallocate resources towards cyber-related investments.Using a confidential supervisory dataset for a panel of 109 Significant Institutions (SIs) in the euro area from 2019 to 2024, we track detailed IT and cybersecurity spending, operationalrisk governance, specialist staffing, and the replacement of end-of-life systems. Our empiricalstrategy first identifies “laggard” banks, defined as those that invest less than predicted by investment strategies following the CyRST announcement.We document three main findings. First, the CyRST announcement acted as a coordi-nating signal, thus leading to an increase in cybersecurity investment of approximately 45%across the sector. Second, this response was highly heterogeneous and concentrated amongthe laggards. These banks exhibited a rapid catch-up effect, increasing their cybersecurityinvestment by approximately 80% relative to non-laggard banks. Beyond monetary invest-ment, we document other effects:laggard banks responded to scrutiny by consolidating objectives. ber resilience, they may invest less than is optimal from a system-wide perspective (see,e.g., Kashyap and Wetherilt, 2019; Aldasoro et al., 2023; Anand et al., 2024). In principle, this underinvestment problem creates a role for supervision.But most supervisory tools disclosure.This paper first identifies underinvestment and then studies how a policy imposing su-pervisory scrutiny affects banks’ investment decisions.We present evidence thattargetedsupervisory scrutiny, implemented through a non-capital-based stress test, can discipline (ECB)’s 2024Cyber Resilience Stress Test(CyRST), a novel exercise designed to assess1Cyber attacks reveal fragility of financial markets, Financial Times, 20242Cyber Tzar Planet: Threat dashboards reveal growing systemic risk, Financial Times, 2025 Cybersecurity in financial networks has the properties of a quasi-public good.Defensive investmentsgenerate positive externalities because stronger protection at one institution lowers the probability that itbecomes an entry point for contagion.However, cybersecurity is neither fully non-rival, since defensiveresources can become congested during large-scale incidents, nor fully non-excludable, as some protections(e.g., proprietary encryption or internal access controls) remain private. As a result, banks internalise onlypart of the systemic benefits of their investments, leading to underinvestment relative to the socially optimallevel. visory dataset on banks’ cybersecurity investment.First, using only pre-treatment data,we estimate the expected level of cybersecurity investment for each bank as a function of arich set of bank-specific characteristics. We then classify as “laggards” those banks whose average investment residual over 2020–2021 falls below the sample median.Second, usinga difference-in-difference design, we exploit the public announcement of the 2024 CyRST inMarch 2023 to examine whether investment behavior changed after the policy announcement,between laggards and non-laggards. than with past cyber incidents. In a before-and-after analysis, the CyRST announcement isassociated with an average increase in cybersecurity investment of approximately 45% acrossthe sector. In our main difference-in-differences specification, this response is concentratedamong laggards, whose investment rises by 81% relative to non-laggards.This pattern isconsistent with the CyRST disproportionately affecting banks that had previously invested ECB Working Paper Series No 3222 evidence consistent with supervisory scrutiny affecting behavior through a distinct channel.Third, it provides empirical support for Anand et al. (2024), who argue that regulatoryintervention is necessary to move the financial system from a fragile, low-investment equi-librium to a more resilient one.More broadly, the findings suggest that targeted scrutinymay complement traditional regulatory tools in settings where operational risks are difficult theoretical model. Section 5 describes our data. Section 6 details the econometric approach.Section 7 presents our findings. Section 8 concludes.2Related Literature in shaping financial intermediation.ECB Working Paper Series No 3222 intervention changes investment behavior, especially among banks that have invested less et al., 2020). Recent studies on EU stress tests likewise show that public disclosure leads tomarket discipline and balance sheet adjustments by participating banks (see, e.g., Petrellaand Resti, 2013; Schäfer et al., 2016). Other studies found that these programs induce banksto de-risk, adjust lending policies, and increase capitalization (e.g., Acharya et al., 2018b;Goldstein and Leitner, 2018).Our work departs from this literature by analysing a different type of supervisory exercise—one focused on operational resi