Cybersecurity and financial stability

Kartik Anand, Chanelle Duley, Prasanna Gai
Review of Finance, Volume 30, Issue 3, May 2026, Pages 1109–1150, https://doi.org/10.1093/rof/rfaf079

Cyber risks have emerged as a major threat to financial stability, with recent incidents demonstrating how cyberattacks can disrupt critical market infrastructure. This paper develops a theoretical framework showing that cybersecurity investment involves a fundamental protection-resilience tradeoff, with important implications for both optimal bank behaviour and financial regulation.

We model cybersecurity as a risk-management decision where banks face a strategic contest with attackers. Investing more in cybersecurity increases the probability of successfully defending against attacks (i.e., protection), but diverts resources from productive investment. This reduces expected returns and weakens the bank’s balance sheet, leaving it less able to absorb losses if an attack succeeds (i.e., resilience). This tension parallels classic risk-management problems, but with a key difference: the failure threshold is endogenous. When a bank allocates more to protection, it simultaneously reduces its capacity to service withdrawals following a successful breach, raising the likelihood that an attack triggers a run.

We characterise how the nature of bank fragility shapes equilibrium cybersecurity. When failure is fundamentals-based (insolvency-driven), bank and creditor actions exhibit strategic complementarity. Anticipating greater cybersecurity investment, creditors deem the loss of resilience detrimental to their chances of being repaid and so demand higher compensation. The bank, in turn, is incentivised to invest more in cybersecurity to ensure that it remains protected and can repay the creditors. But when failure is panic-based (illiquidity-driven), actions become strategic substitutes. In this case, anticipating greater cybersecurity lowers creditors' required compensation since, now, the increase in protection is deemed more favourable to their chances of being repaid. This reduction in the bank's debt burden increases the opportunity cost of strengthening protection, and so the bank reduces its cybersecurity. Notably, though, along the equilibrium path greater cybersecurity both increases the bank's protection and reduces its overall debt burden, implying that, at least locally, the usual risk-return trade-off vanishes.

We demonstrate that private equilibria are constrained-inefficient, with the direction of misallocation depending critically on the failure mechanism (see Figure 1). When failure is illiquidity-driven, banks underinvest in cybersecurity relative to the social optimum—they neglect the social costs of disrupted payments and credit provision. When failure is insolvency-driven, banks overinvest, allocating excessive resources to preventing attacks at the expense of balance-sheet resilience that would mitigate social costs when breaches occur. Revenue-neutral Pigovian policies can achieve constrained efficiency by targeting either the protection or resilience margin, depending on market conditions. Extending the framework to multiple banks sharing common IT infrastructure, we characterise optimal regulation when cybersecurity exhibits public good properties. Policy design must account for whether cyber risk operates as a weakest-link or best-shot public good, with interventions targeted accordingly at the most vulnerable or most capable institutions.

This paper contributes a tractable framework linking operational risk management, bank runs, and financial stability. For researchers, it provides new insights into how incomplete information and coordination failure interact with ex-ante risk management. For policymakers, it offers concrete guidance on tailoring cybersecurity regulation to market conditions and structures.

Figure 1
