Chase Ramps Up Security: Is It Enough?
Bank Announces Cybersecurity Centers, Other Initiatives
In a letter to shareholders, JPMorgan Chase CEO Jamie Dimon says that by the end of 2014, the financial institution will have spent more than $250 million annually on cybersecurity, with approximately 1,000 people focused on the initiative. "This effort will continue to grow exponentially over the years," Dimon says.
By comparison, the letter says the bank spent $200 million on cybersecurity in 2012, when 600 employees were dedicated to the effort. JPMorgan Chase is the top U.S. holding company with $2.4 trillion in assets, according to the Federal Financial Institutions Examination Council.
The bank is building three cybersecurity operations centers at its regional headquarters. Dimon says the centers will "provide points of coordination for all incoming information, the identification of threats, the protocol around managing our responses and the security of our buildings around the world."
A major focus for the centers, Dimon says, will be to "pull together all our internal information from Internet and systems monitoring, as well as reconnaissance from our partners in industry and government."
In addition, Dimon says JPMorgan Chase is moving rapidly to implement chip cards using the EMV standard, as well as tokenization, for credit and debit card transactions, "which we will need to do in conjunction with merchants."
"Too many organizations have multiple cybersecurity silos across the company, making separate decisions, not sharing and not coordinating information," he says. "The cybersecurity battle cannot be won with a siloed approach. Cybercriminals can circumvent individual defenses but have a harder time when the defenses are layered, coordinated and adaptive to the constantly evolving threats."
Although many major banks have security operations centers, Gartner's Litan says JPMorgan's initiative "sounds much more purposeful, integrated and intelligent, at least on paper."
Dimon, in his letter to shareholders, says that the bank's concerns around cybersecurity continue to intensify.
"We're making good progress on these and other efforts, but cyber-attacks are growing every day in strength and velocity across the globe," he says. "It is going to be a continual and likely never-ending battle to stay ahead of it - and, unfortunately, not every battle will be won. Rest assured that we will stay vigilant and do what we need to do to enhance our defenses and protect our company."
Tubin credits Dimon for taking a leadership role on cybersecurity. "Dimon takes cybersecurity very seriously and is legitimately concerned with cyber-attacks," he says. "He's been in the financial services space a long time and knows what he's talking about."
Shirley Inscoe, fraud expert at consultancy Aite Group, says Dimon's comments on the significance of cyberthreats are on the mark.
"JPMorgan Chase is often targeted by all manner of threats - DDoS attacks, malware, hackers," she says. "It is refreshing to see a CEO who fully understands and appreciates these risks."
Inscoe says the level of investment JPMorgan is making is in line with other institutions relative to their size. "But JPMorgan Chase does tend to be very aggressive and creative in their methods," she says.
But she sees a potential downside in Dimon's comments. "There may be an element of criminals who take Dimon's comments as a challenge and further target the organization to see if they can defeat their protections," she says. "For some hackers, it is a game, while others have far more sinister intent."
In recent months, JPMorgan Chase has been targeted in several cyber-attacks.
For example, in December 2013, it revealed that between July and September, hackers accessed servers for its UCard Center website, which supports prepaid cards used for payroll and government benefits (see: Chase Breach: 465,000 Accounts Exposed). The bank said the breach may have exposed information, including card numbers, for prepaid card customers.
The bank also acknowledged intermittent online issues on July 24, 2013, although it declined to comment on whether the issues were tied to DDoS attacks launched by Izz ad-Din al-Qassam Cyber Fighters, a group that claimed credit for attacks against a number of leading U.S. banks (see: DDoS is Back; 2 Banks Attacked).
JPMorgan Chase did not immediately respond to a request for additional information.