Cybersecurity and Fraud Protection
Evolving With the Emerging Tech and Cybersecurity Landscapes
Lori Beer, JPMorgan Chase’s Global Chief Information Officer (CIO), discusses technology startups, machine learning and the firm’s cybersecurity countermeasures.
This article was originally published in Commercial Banking’s magazine, Cybersecurity: Technology and Tactics.
As Global CIO, Lori Beer is responsible for JPMorgan Chase’s technology systems and infrastructure worldwide. She manages a budget of more than $11 billion and a staff of over 50,000 technologists supporting the firm’s retail, wholesale, and asset and wealth management businesses.
Q: As you think about the evolution of cybersecurity, how has JPMorgan Chase developed and what is our cybersecurity strategy?
A: As our clients’ needs evolve, we’re focused on delivering market-leading technology at speed. Cybersecurity plays a critical role in that technology strategy, because cyberattacks get more sophisticated every day. Criminals are targeting high- and low-value payment channels (e.g., SWIFT and direct file transmission systems), as well as other financial products. To combat these attacks, we continue to make substantial cybersecurity investments in areas such as detection and identification and mitigation of threats, and we use multiple layers of defense.
We collaborate and partner with other financial services firms, emerging technology companies, government regulators and agencies. Our work together is critical to protecting our clients and advancing our cybersecurity capabilities. Our Global Chief Information Security Officer serves as the chair of the Financial Services Information Sharing and Analysis Center (FS-ISAC), while our Consumer & Community Banking’s CIO is the chair of the board for the Financial Systemic Analysis & Resilience Center (FSARC).
Q: As the firm’s CIO, you’ve discussed the firm's support of technology startups. How does that figure in your overall approach to cybersecurity?
A: We are very focused on working with the emerging tech and fintech ecosystems so that we stay close to the leading edge of innovation. Startups are generally first to market with new solutions in this space. Across the firm, we test over 100 new solutions every year and typically move forward with more than half of them.
While our appetite for working with emerging tech is high, we maintain a very high bar of cybersecurity and controls requirements for all of our third-party suppliers. To do business with us, any new company we engage must demonstrate that they can meet our control requirements. Currently, our focus is on browser isolation, data protection, malware analysis and digital identity and authentication solutions.
Q: What role does machine learning play in your cybersecurity strategy?
A: For us, the potential in machine learning is to identify suspicious client account activity, identify vulnerabilities, and predict and defend against cyberattacks. It can help humans discern between benign “incidents,” such as a client mistyping a password, and actual cyberattacks. But it can also be used by cybercriminals against the firm. We see machine learning as an opportunity to augment our current controls mechanisms.
Q: You mentioned the sophisticated evolution of the threat landscape. What are JPMorgan Chase's countermeasures?
A: We maintain a relentless focus on protecting the firm and its clients, so cybersecurity is always a priority. Successfully maintaining our program involves creating innovative cybersecurity approaches, developing strong threat intelligence, strict risk management, operational integrity and a security-first culture. Across the firm, we enforce comprehensive controls for every line of business at every level.
Detection is a tactical area of focus for us. We invest in leading fraud-detection capabilities. New threats appear every day, and we fight them by quickly detecting, identifying and mitigating them.
We maintain significant investment in our cybersecurity defenses, and focus our cybersecurity strategy on securing our technology platforms, applications and services. We have also developed an extensive client education program that includes webinar training, one-on-one meetings, seminars, calling campaigns, and cybersecurity awareness and fraud-prevention materials. And because employees are our first line of defense, we provide them with a robust cybersecurity education and awareness program.
Q: What can other companies do to help protect themselves?
A: If you’re a smaller company, developing a cybersecurity program can seem overwhelming. But it’s very important to take the first step, launch a program and keep moving it forward. The firm offers a variety of educational services—whether it’s for our online platforms, such as J.P. Morgan Access® or Chase Connect®, or through individual client meetings or industry conferences.
Education is the key, so at the very least you need to require employee training and implement cyber drills and tabletop exercises to evaluate next steps.