JPMorgan Chase, the US banking behemoth with a global footprint spanning over 100 countries, is on the front lines of the financial industry's fight to safeguard its systems and customer data.
The valuable data held by financial organizations make them a lucrative target for financially motivated cybercriminals. Meanwhile, they are also a target for nation-state actors and hacktivists because of the cascading impact a cyber event could have on the global economy.
Cast against the backdrop of escalating cyber threats, the financial industry has been compelled to accelerate its cyber resiliency. This has been further fueled by new regulations like the EU's Digital Operational Resilience Act (DORA), demanding significant levels of cybersecurity preparedness.
JPMorgan’s Global CISO, Pat Opet, spoke to Infosecurity Magazine about these challenges and the bank’s approach to tackling them, in coordination with the wider financial industry.
This includes keeping up to date with the evolving threats facing finance firms, securing a widening supply chain and complying with complex regulatory requirements.
Opet also highlighted what he views as the biggest challenges and successes in the cybersecurity industry today.

Infosecurity Magazine: What have you found to be the most effective approaches to meeting compliance requirements amid rising cybersecurity regulation in the finance industry globally, including the DORA regulations?
Pat Opet: In general, we view our compliance obligations as necessary provability for our security controls. We seek to evidence the fact that our controls are operational and deployed in all the places we expect them to be and automate that evidence to the greatest extent possible.
DORA has two elements to it broadly that we look at. One is operational resilience – having response and recovery processes for tail risk disruptive events. We believe foundationally that security is made up of detection, prevention and the response and recovery components.
Financial services in the US have put an enormous amount of effort into response and recovery, particularly for tail risk scenarios.
We’ve changed our third-party obligations over the past several years to ensure that third parties are institutionalizing response and recovery to the extent that we expect them to.
However, the reporting requirements for DORA are burdensome.
The fact that we have to report incidents for every legal entity in any country that’s subject to this regulation, and also individually report on the impact of an incident relative to that legal entity when we’re a multi-provider business, is very taxing.
In general, the more regulatory fragmentation there is, the harder it makes it for us to have consistency in the control outcomes that we expect.
Therefore, we’re big supporters of regulatory harmonization.
We are also supporters of incident notification rules but the level to which it is taken in DORA is introducing a lot more overhead that we’re not sure we’ll see the value for.
In the US, the reporting obligations are public, but in the EU, the obligations under DORA are private. I’m not sure if the industry knows where that’s headed.
We are of course prepared to have the processes necessary to comply as we always would with any regulation. But the complexities of incident reporting here, in the 72-hour period with the level of depth expected, are burdensome.
IM: How have cyber-threats targeting JPMorgan Chase and the wider financial industry evolved in the past year?
PO: Disruptive impacts to third-party dependencies have been pervasive throughout the past year and that’s been largely driven by ransomware attacks targeting perimeter-facing vulnerabilities in our third parties or those that serve the broader ecosystem.
These issues can cause business disruption in many of these companies.
My personal view is that the ransomware actors have become far more sophisticated. They have leveraged automation to a great extent to perform mass compromise of vulnerable entities followed by selective targeting of victims.
I think a lot of that is to do with the nationalization of vulnerability data in some foreign countries. For example, we’re seeing China in the news with respect to cyber activity. Their national security laws require vulnerabilities to be disclosed by security researchers and companies in China to the government first. Those turn into zero days that are exploited by nation-state actors with follow-on exploitation by ransomware actors.
It is also impossible to ignore the geopolitical conflicts, particularly between East and West, as contributing factors to the threat environment in general.
Obviously we’re paying very close attention to the alleged compromise of telecom networks by Volt Typhoon [in November 2024].
As a critical infrastructure entity ourselves, we depend on telecommunications. While what has been reported has been the targeting of particular data of sensitive individuals, there’s nothing to say that this level of pervasive access couldn’t be used to cause disruption.
I think that geopolitical conflict has gone from serving intelligence purposes to potentially serving disruptive purposes. Everybody who’s in a seat like mine needs to be paying close attention to that.
The last trend is the combination of multi-factor authentication (MFA) phishing, token theft and search engine optimization poisoning, which has created an incredibly dangerous scenario that I don’t think is well understood.
For many years MFA was incredibly effective, mostly because it wasn’t pervasive. Attackers just worked against organizations that didn’t leverage MFA.
Once it was prioritized from the White House on down, and security practitioners across the globe were promoting the use of MFA, many organizations adopted it. However, many of the methods of MFA that were adopted are phishable.
Now we’re in a situation where bad actors are page ranking malicious websites to cause individuals to sign in to what they believe are legitimate websites that are designed for MFA phishing. It’s created a situation where MFA codes are being operationalized in real time by bad actors.
IM: What are the challenges of monitoring cyber threats across JPMorgan’s global IT estate and supply chain? What approaches are you taking to address this challenge?
PO: In general, many suppliers don’t operate with the same level of maturity in the control ecosystem that an organization in a highly regulated financial institution would.
That itself leads to situations where these organizations are either compromised, and the concern is the disruption of services on one side, or the use of software that the suppliers distribute is exploited as a mechanism to establish access on the other side.
It is challenging because the supply chain is broad. We’ve done a couple of different things to try and mitigate this. We’ve increased the depth of our analysis for controlled maturity within our most critical third parties. We have a robust third-party program which we run across the whole supplier base that JPMorgan interacts with.
For our most critical third parties, we’ve placed leaders from our penetration testing group with our third-party oversight organization to dig deeply into the areas we believe ultimately lead to compromise. This helps us better understand the likelihood of failure for the supplier and also helps the supplier uplift their practices.
In addition, several years ago we built an intelligence and security operations function that is focused on our supplier base, not on JPMorgan. The goal there is to passively collect as much information as possible about our supply chain and the entire ecosystem, and use those risk signals to proactively inform suppliers that they may have vulnerabilities prior to those issues becoming a problem.
We’ve seen a huge degree of efficacy in the speed at which our suppliers fix issues when compared to the market as a result of this specific focus on intelligence collection and then direct follow-up action.
On the software supply chain side, industry still lacks the necessary capabilities to evaluate the efficacy of open source or commercial software. Practitioners in the community and companies that support all of us have made great strides in vulnerability identification for open and closed source packages and binary analyses. But the capabilities to perform malware analysis on a third-party package aren’t pervasive. This means the SolarWinds type scenario is still one of meaningful concern to the community.
We work through the Open Source Security Foundation to try and increase practices on both sides and have experimented with a lot of tooling that we hope can enable us to do this internally.
IM: How have you sought to build a strong cybersecurity culture across the wider business in your time as global CISO? What approaches have you found most effective and are there any that haven’t worked as well as you had hoped?
PO: We have experimented with a bunch of things. First and foremost, the burden is on us to have a talented security team and to meet the technology community shoulder to shoulder. Too often, security is high level and not in the detail. The first step in driving the right culture is ensuring we can meet the developers where they are and bring back some data and details to the table.
Second is that we have to view ourselves as an enablement organization. We are there to support getting things done not preventing things from happening. If you combine those two things – the right level of depth and talent and the desire to further the business and get things done as an enablement organization – that drives a lot of the necessary changes to ensure the culture is in the right place.
We educate at every level of the organization. There’s a phrase ‘let’s never waste an incident’, whether it’s a public event or otherwise. We diagnose failures – technological and cybersecurity – and we educate everybody in the company on how those failures happened and why so that people understand it.
However, we’ve found that while we push requirements to the developer teams, they are often viewed as check-the-box requirements and they don’t understand “why” it’s required.
For a time, we had a red team podcast series that helped teams understand the rationale behind some of the requirements. It helped bring to life the value of the requirement and potential impact.
Another area we’re exploring right now is the automation of threat modelling. Threat modelling allows you to elaborate the threats to a system and the controls that are necessary to defend it. However, it’s hard to scale, because it depends on architects being embedded in all the places that you need to be to perform threat modelling.
We recently used our generative AI tooling to redesign and automate our threat modelling process, which allows us to look at a diagram of a system or a description of a system, turn that set of structured prompts into a model and allow the model to inference against our threat and control catalog.
With a level of efficacy that shocked us, we produced threat models in three to five minutes using this approach, which helped to illustrate the importance of the control requirements. People were able to understand “why.”
IM: What are your biggest concerns in cybersecurity today?
PO: One is I’m concerned with the methods for authorization that are being used for systems interaction in the expanding software-as-a-service (SaaS) and platform-as-a-service perimeter. This means system-to-system interactions are becoming far more common in this distributed ecosystem that we’re building, with identity, authentication and authorization essentially becoming the new perimeter.
There’s going to be a desire to have AI agents and other services interact with cloud and SaaS platforms natively. OAuth is a sound mechanism for modern authentication, but it doesn’t address authorization. Just because system A can talk to system B, it doesn’t mean that in the future system A’s interaction with system B is always going to be appropriate because things can change, including a compromise on one end of those connections.
The way it is commonly used today doesn’t interrogate the connection at the time at which it is made for the appropriate authorization. We have essentially designed single factor explicit trust in the modern architecture of the future for system-to-system interactions. With the advent of AI agents, we must have a richer method for authorization.
The other concern is that the conversation around concentration risk needs to grow. Most software is delivered by way of platforms or SaaS and the best providers are going to have the most customers. So we are essentially structurally creating mechanisms for concentration risk in cloud and SaaS providers; we already have it in web application firewall (WAF) providers and other places.
I think that the part that needs more attention is the response and recovery to disruptive events, whether they’re technology failures or malicious disruptions. As an ecosystem we need to more gracefully handle disruptions so that they do not pose more operational risk to entities that are leveraging the best suppliers.
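The "single factor explicit trust" problem Opet describes above, illustrated as an added example that is not JPMorgan's code: a resource server that treats any valid OAuth bearer token as sufficient, beside one that re-evaluates the caller's standing and the requested operation at the time of each call. The issuer, service names, scopes and the "flagged" marker are all constructed for the demo, and token signature verification is assumed to have already happened upstream.

```python
import time

# Constructed trust registry (hypothetical): which caller may perform which
# operation right now, and whether the caller is currently flagged, e.g.
# because a compromise on that end of the connection is suspected.
CALLER_POLICY = {
    "billing-svc": {"allowed": {"ledger:read"}, "flagged": False},
    "reporting-svc": {"allowed": {"ledger:read", "ledger:export"}, "flagged": True},
}

ISSUER = "https://issuer.example"  # assumed trusted issuer for the demo


def token_is_valid(token: dict, now: float, expected_aud: str) -> bool:
    """Authentication-layer check only: right issuer, right audience, not expired.
    Signature verification is assumed done before the claims reach this point."""
    return (
        token.get("iss") == ISSUER
        and token.get("aud") == expected_aud
        and token.get("exp", 0) > now
    )


def authorize_single_factor(token: dict, now: float, aud: str, operation: str) -> bool:
    """The weak pattern from the interview: if the token is valid, anything goes.
    The operation is ignored, so a valid token grants every capability."""
    return token_is_valid(token, now, aud)


def authorize_per_request(token: dict, now: float, aud: str, operation: str,
                          policy: dict = CALLER_POLICY) -> bool:
    """Richer pattern: authentication AND a fresh authorization decision per call.
    The token's own scope and the current policy must both permit the operation,
    and a caller that has since been flagged is refused even with a valid token."""
    if not token_is_valid(token, now, aud):
        return False
    entry = policy.get(token.get("sub"))
    if entry is None or entry["flagged"]:
        return False
    granted_scopes = set(token.get("scope", "").split())
    return operation in granted_scopes and operation in entry["allowed"]


if __name__ == "__main__":
    now = time.time()
    # Constructed token: billing-svc holds an over-broad scope issued earlier.
    tok = {"iss": ISSUER, "aud": "ledger-api", "sub": "billing-svc",
           "exp": now + 600, "scope": "ledger:read ledger:export"}
    print(authorize_single_factor(tok, now, "ledger-api", "ledger:export"))  # True
    print(authorize_per_request(tok, now, "ledger-api", "ledger:export"))    # False
```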
IM: What are the biggest successes the cybersecurity industry is experiencing today?
PO: Information sharing. We are a self-organized community; there’s no structural requirement to do it, but professionals willingly share detailed threat information across the ecosystem. This is because we are altruistic and believe that collectively we can do better working together than individually.
It is fascinating to me that it works as well as it does. It is the single biggest thing in cybersecurity that is working well.
I do worry that reporting obligations, such as the US Securities and Exchange Commission (SEC)’s disclosure rules, have to some degree burdened intelligence sharing because there are questions around whether it’s a material investor event that someone’s sharing information about.
Policymakers need to be careful that as they bring in appropriately transparent reporting obligations, they don’t disrupt the thing that is working better than anything else in this ecosystem, which is the sharing of information.
IM: If you could give one piece of advice to fellow CISOs, what would it be?
PO: You must live in the details. We view cybersecurity as essentially the study of failure. You can’t detect, prevent or recover from failure without ultimately understanding at a deep level the systems and the software that you’re running and operating.
I do also think this burden of provability which we carry is really important and part of those details. The small stuff matters.