
Disciplining Digital Risk: Evidence from Cyber Stress Tests

Finance 2026-05-01 - BIS Aaron

Disciplining digital risk: evidence from cyber stress tests

by Nordine Abidi, Leonardo Gambacorta, Christoffer Kok, Leonardo Madio, Ixart Miquel-Flores and Alberto Partida

Monetary and Economic Department

May 2026

JEL classification: G21, G28, G32, L86, K23

Keywords: cyber risk, bank supervision, stress test, IT investment

BIS Working Papers are written by members of the Monetary and Economic Department of the Bank for International Settlements, and from time to time by other economists, and are published by the Bank. The papers are on subjects of topical interest and are technical in character. The views expressed in this publication are those of the authors and do not necessarily reflect the views of the BIS or its member central banks.

This publication is available on the BIS website (www.bis.org).

Abstract

Investment in cybersecurity in an interconnected banking system has public-good properties: positive externalities can generate systemic underinvestment. Using confidential supervisory data from the European Central Bank, we first identify “laggard” European banks that underinvest relative to their cyber-risk profiles, and then examine how supervisory scrutiny affects their incentives to invest. We exploit the 2024 ECB Cyber Resilience Stress Test (CyRST) as a quasi-natural experiment. In a difference-in-differences design, we find that following the CyRST announcement, laggard banks increased cybersecurity investment by about 80% relative to their peers. The response is stronger among laggards subject to high-intensity supervisory oversight, consistent with scrutiny exerting a disciplining effect. Overall, the results suggest that targeted supervisory scrutiny may help mitigate underinvestment incentives and strengthen banks’ operational risk management.
1 Introduction

Cyber risk has emerged as a primary operational and systemic threat to the global financial system. High-profile incidents, such as the ransomware attack that disrupted ICBC’s access to the U.S. Treasury market and the data loss at the service provider CloudNordic, illustrate how localized attacks can propagate rapidly across financial networks. While these episodes resonate with classic models of financial contagion (Allen and Gale, 2000; Acemoglu et al., 2015), cyber risk introduces unique challenges. Specifically, the resilience of the financial system is disproportionately threatened by its most vulnerable institutions, which can become entry points for shocks with cascade effects (e.g., Duffie and Younger, 2019; Gogolin et al., 2021; Eisenbach et al., 2022). Amid these concerns, public attention to cyber-related risks has grown exponentially.

While cybersecurity provides strong private operational benefits, its systemic dimension creates a classic public-good problem. Disruptions at a single institution or critical service provider can propagate across interconnected financial networks, potentially affecting multiple institutions at once. This makes cyber resilience different from many other operational investments: while the benefits of cybersecurity are partly private, they are also partly system-wide. A bank that is better protected is less likely to become an entry point for broader disruption. Because banks internalise only part of the broader benefits of cyber resilience, they may invest less than is optimal from a system-wide perspective (see, e.g., Kashyap and Wetherilt, 2019; Aldasoro et al., 2023; Anand et al., 2024). In principle, this underinvestment problem creates a role for supervision. But most supervisory tools operate through hard incentives, such as capital consequences or market discipline through disclosure.
This paper first identifies underinvestment and then studies how a policy imposing supervisory scrutiny affects banks’ investment decisions. We present evidence that targeted supervisory scrutiny, implemented through a non-capital-based stress test, can discipline underinvestment in cyber resilience.

We draw on a unique confidential dataset and analyze the European Central Bank (ECB)’s 2024 Cyber Resilience Stress Test (CyRST), a novel exercise designed to assess a bank’s ability to respond to and recover from a sophisticated cyberattack. There are several features that make the CyRST a suitable quasi-natural experiment. First, the CyRST was first announced to the public on March 9, 2023, which serves as our primary treatment announcement. Second, the exercise was purely qualitative, with no direct implications for Pillar 2 capital requirements. This is particularly important, as it isolates the “capital channel” common in traditional stress tests (e.g., Acharya et al., 2018b; Gropp et al., 2019) from other channels. Third, individual bank results were kept confidential, thereby muting the “disclosure channel” through which markets discipline banks (Goldstein and Leitner, 2018; F