BIS Study Reveals Cybersecurity Investment Gaps in European Banks

Severity: Low (Score: 21.9)

Sources: Cms.Law, Bis

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: cyber, digital, risk, disciplining, evidence, stress, tests

Summary

A recent BIS working paper highlights the underinvestment in cybersecurity among 'laggard' European banks, identified through the ECB's 2024 cyber resilience stress test. The study shows that supervisory scrutiny can significantly increase cybersecurity investments, with an overall increase of approximately 45% across the banking sector following the stress test announcement. Laggard banks, which invested less than their cyber risk profiles suggested, increased their cybersecurity spending by about 80%. These banks also reduced reliance on external outsourcing and stabilized specialized cyber staff. The findings indicate that supervisory attention can effectively motivate banks to enhance their cyber resilience without direct financial penalties. The analysis utilized confidential data from 109 large euro area banks from 2019 to 2024.

Key Points:

  • BIS study shows a 45% increase in cybersecurity investment post-ECB stress test announcement.
  • Laggard banks increased spending by 80%, driven by supervisory scrutiny rather than incidents.
  • Supervisory attention can enhance cyber resilience without direct financial penalties.

Detailed Analysis

**Impact** The event affects 109 large euro area banks, with a focus on those identified as "laggards" that underinvest in cybersecurity relative to their cyber-risk profiles. The underinvestment poses systemic risks due to the interconnected nature of European financial networks, potentially leading to widespread operational disruptions. The business consequences include increased vulnerability to cyber incidents and slower recovery capabilities, impacting financial stability across the Eurozone.

**Technical Details** The articles do not provide information on specific attack vectors, TTPs, malware, CVEs, or infrastructure details related to cyber incidents. The focus is on supervisory scrutiny and investment behavior rather than active cyber threats or technical exploitation.

**Recommended Response** Financial institutions should prioritize increasing cybersecurity investment, particularly in operational risk management, specialist staffing, and IT system upgrades. Supervisory bodies should maintain or enhance scrutiny intensity to incentivize laggard banks to improve cyber resilience. Monitoring should focus on investment trends and the effectiveness of cyber resilience stress tests rather than specific threat indicators.

Source articles (2)

  • Disciplining digital risk: evidence from cyber stress tests — Bis · 2026-05-26
    Cyber risk has become a major concern for financial stability. As banks become more digital and interconnected, cyber incidents can spread rapidly across networks and disrupt several institutions at t…
  • BIS: Disciplining digital risk – evidence from cyber stress tests — Cms.Law · 2026-05-27
    This BIS working paper uses confidential supervisory data from ECB and identifies “laggard” European banks that underinvest relative to their cyber-risk profiles, and considers how supervisory scrutin…

Timeline

  • 2024-01-01 — ECB conducts cyber resilience stress test: The ECB initiated a qualitative stress test to assess banks' ability to respond to cyber attacks, focusing on operational resilience.
  • 2024-05-01 — BIS working paper published: The BIS published findings on cybersecurity investment gaps in European banks, emphasizing the impact of supervisory scrutiny.
  • 2026-05-26 — BIS working paper reported by CMS Law: CMS Law reported on the BIS findings, summarizing the implications for cybersecurity investment among European banks.

Related entities

  • Financial (Industry)