Cyber attacks can impair banks’ operations and precipitate bank runs. When digital infrastructure is shared, banks defend themselves by investing in cybersecurity but can free-ride on the security measures of others. Ex ante free-riding by banks interacts with the ex post coordination frictions underpinning bank runs. While the temptation to free-ride induces under-investment in cybersecurity, the prospect of a run encourages greater investment. System-wide cybersecurity is suboptimal and sensitive to rollover risk and bank heterogeneity. Regulatory measures, including negligence rules, liquidity regulation and cyber hygiene notices, facilitate constrained efficient cybersecurity investment. We suggest testable hypotheses to inform future empirical work.