JPMorgan to double cyber security spending to £310 million after hack

The CEO of US investment bank JPMorgan says the company will double its spending on cyber-security following a data breach which affected approximately 84 million account holders.

Post Carbanak, bank CEOs fear cyber-attacks will harm business growth

Speaking at the Institute of International Finance conference in Washington late on Friday, Jamie Dimon said that the firm would look to increase its cyber-security spending, especially with the investment giant having been hacked last month.

“We had a little problem recently,” said Dimon, referencing the data breach, before adding that the firm intends to double its cyber-security spending from US$250 million (£156 million) annually in 2014 to US$500 million (£311 million) in five years' time.

“We have to be vigilant,” he said, adding that issues around cyber security 'will happen for a long time'. “We need help and [need to continue] working together with the government. The government knows more than we do.”

JPMorgan was breached in late August across its Chase.com and JPMorganOnline websites as well as its Chase and JPMorgan mobile applications. Hackers managed to obtain names, phone numbers, emails and postal addresses of 76 million individual customers and seven million SMEs after compromising an employee's credentials using a phishing email attack.

Investigators have since said that at least 13 other companies were targeted by unknown hackers, with many believing that it could be the work of a nation-state.

Fidelity Investments publicly revealed that it was targeted by the hackers, although both the firm and JPMorgan deny that any financial information was lost.  

In response to the news, Solarwinds cyber security expert Patrick Hubbard told SCMagazineUK.com that it's difficult to know how and where the money might be used, and while he expressed scepticism about the amount – “spend does not equal security” – he said that it could be used to restore faith in a brand since its damaging data breach.

“It's about making the other executives feel comfortable,” he said, adding that these people in the financial services industry would be happy with the money as 'something they could quantify'.

He said that JPMorgan will push most money into new processes and accountability, and believes that most of it will go into security awareness training. “It really does start with training and awareness,” he said, which contradicts a recent study into security spending.

Hubbard – whose official title is 'head geek' at the IT management software provider – said that smarter companies are starting to protect their assets based on those that are most at risk. “They know where they're going to see the risks and so know where to spend the money from the beginning to the end. We're starting to see that more and more.”

Scott MacKenzie, CISO at cyber-security solutions provider Logical Step, added that JPMorgan was making a proactive step.

“The doubling of spend on cyber-security by JPMorgan over the next five years is a proactive response following their recent hack. This is despite there being no evidence that any customer accounts or passwords were compromised. I feel this will go a long way to mitigate any reputational damage suffered by JPMorgan following the recent hack,” he told SC in an email.

Tenable's EMEA technical director Gavin Millard said that the move may be seen as a 'PR stunt' but believes the investment is a promising sign, not least for how security is increasingly being entwined in the business.

"Whether this is a PR stunt or a measured approach to a breach could be hotly debated by cynical security professionals, but I would see this as a positive move," he told SC.

"Having the CEO stand up publicly and state that the problems need to be fixed will set the right tone to enable the staff at the bank to implement any control they deem necessary to protect customer data and the business as a whole. Security can't be fixed by money alone though, it takes effort, education and awareness at all levels but with the focus they are placing on security, this shouldn't be a problem for JP Morgan."

Just last week, it emerged that the UK financial services sector has been actively responding to the JPMorgan data breach. The House of Commons Treasury Select Committee has reportedly been holding several 'high-level' meetings with regulators and other experts in cyber-crime, while London fund manager Legal and General warned FTSE350 companies to use the incident to improve their own cyber security practices.

Update: Sarah Clarke, former group functions IT risk strategy manager at Aviva but now MD of information security consultancy Infospectives UK, told SC that the spending is the latest sign of the 'boom, bust' spending in the security sector.

"JPMorgan's dramatic increase in cyber security spending is typical of the universal security boom/bust cycle. Fear following an incident boosts attention and spend, but work kicked off frequently founders later. As noise abates and belts are tightened the security team becomes the poor relation again. Money goes to projects with an easier to prove ROI, leaving immature processes and benefits unrealised," she said.

"So the question isn't really whether $500 million (£310 million) can fix the problems, it's whether security foundations, left holey by previous bust cycles, will be identified and shored up. And whether new vulnerability and threat detection capability, partnered with red hot security awareness training, third party security governance and forensic incident management experts, will be given time to bed in and yield results."