Why Cybersecurity Needs to Be Embedded in Treasury Culture

Technology has provided tremendous opportunities for treasury professionals harnessing it to achieve core objectives such as optimizing capital, boosting operational efficiency and mitigating risk.

However, despite the many benefits it brings, the risks surrounding technology continue to rise, with hacktivists, criminals, insiders, state actors and terrorists increasingly targeting organizations around the world.

Treasury departments – the nexus where money flows in and out of an organization – need to be especially vigilant. According to PwC’s 2018 comprehensive Global State of Information Security Survey, financial losses rank amongst the biggest impacts businesses face when their cyber defences are breached.¹

Regardless, 44% of companies say they don’t have an overall security strategy, while 48% lack effective cybersecurity training and awareness programs, according to PwC.

In order to reduce risk, organizations need to tackle the cyber threat across multiple fronts. For example, while direct spend on cybersecurity is important, it is also essential to invest in broader controls such as meeting Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements.



J.P. Morgan invests a sizeable portion of its firm-wide annual technology spend of around US$10 billion on cybersecurity. However, cybersecurity should be viewed as a partnership between J.P. Morgan, the bank’s clients and the suppliers of both, in which all parties play a part.


Email remains a common attack vector, in particular the prevalent scam known as business email compromise (BEC) by which criminals impersonate executives or vendors in an effort to deceive victims into sending wire transfers to fraudulent beneficiaries. The U.S. Federal Bureau of Investigation estimates that attacks of this nature will result in annual reported losses of US$5.3 billion globally.²



Identifying and Addressing Cyber Attacks

Cyber attackers may know more about an organization’s systems than its own employees. Criminals do a lot of reconnaissance by researching the personal information of an organization’s employees on social media.

A “cyber kill chain” describes the stages that attackers move through to carry out a cyber attack. Reconnaissance is the first stage; the company is then probed for vulnerabilities. In practice, attackers often mimic legitimate business processes between parties over email. This includes sending new payment instructions from a hacked or similar-looking email address, or embedding malicious code in attached Word or Excel reports – all iterations of classic confidence tricks that have played out for years via older technologies like phone and fax.

As attacks are generally sophisticated, it is not unusual for a company to identify an incursion only several months after systems have been compromised.

The 7 stages of a cyber kill chain³:

1. Reconnaissance: Cyber attackers probe for a weakness by gathering information on intended targets through phishing, spear phishing or social engineering to infiltrate the target environment.

2. Weaponization: Cyber attackers create their attacks by pairing remote access malware with techniques that will lure the intended target to execute it, such as creating an infected Microsoft Office file.

3. Delivery: The weaponized bundle is sent to the intended victim, for example as a malicious file attached to a phishing email.

4. Exploitation: Cyber attackers exploit a vulnerability to execute code on the victim’s system.

5. Installation: Malware is installed on the victim’s system without their knowledge.

6. Command & Control: Once the system is compromised or infected, it provides a channel through which cyber attackers can access the victim’s information and control their systems remotely.

7. Actions on Objectives: Once cyber attackers have established access to an organization, they execute actions to achieve their intended goals.


There are a number of key ways to reduce cyber risk:


First, it’s essential that staff be mindful of cybersecurity threats given that employees are often the weakest link in an organization’s defense. At J.P. Morgan, employees undergo mandatory cyber training bolstered by regular testing.


Reducing the volume of manual business conducted over email is another crucial defense. Straight-through processing via secure platforms like J.P. Morgan Access® Host-to-HostSM is preferable.


If payment platforms are hacked or compromised and an attacker sends a payment request with new bank account details, how will your accounts payable team respond? It’s vital to have controls in place to appropriately verify such requests and ideally move future requests to more secure channels.

Multiple controls need to be applied across people, process and technology throughout the cyber kill chain to reduce the risk of endpoint compromise via email and web attack vectors.

[Figure: controls across people, process and technology – Awareness, Education & Training, Team Support, Code of Conduct, Policies & Standards, Standard Operating Procedures, Governance, Identity & Access Management, Secure Web Browsing, Email Security]

An array of other defenses can be implemented to help reduce cyber risk, including using fraud analytics and machine learning to identify attacks and to monitor domains that attempt to impersonate a company. ‘Lookalike’ domains are often precursors to attempted BEC attacks, so they should be proactively addressed via take-down notices or blocking. J.P. Morgan has developed a process that is designed to potentially detect the registration of some client lookalike domains, mitigate risks of unauthorized payments, and engage clients via service teams.
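As an added illustration of the lookalike-domain monitoring described above (example code written for this page, not J.P. Morgan’s own process), the following Python flags a sender domain that resembles one of a company’s legitimate domains: it decodes internationalized labels, strips accents, folds common homoglyphs such as “rn” for “m”, and then checks for an identical name under another suffix, a one-character typosquat, or the brand reused inside another domain. The company domains and sample sender addresses are constructed.

```python
import re
import unicodedata

# Constructed for this example: the domains the company really sends from.
LEGIT_DOMAINS = {"acme-treasury.com", "acme.com"}

# Visual substitutions commonly used in lookalike registrations.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    """Decode punycode, strip accents and fold homoglyphs to plain ASCII."""
    d = domain.lower()
    if "xn--" in d:  # internationalized label (IDNA), e.g. acmé as xn--...
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.encode("ascii", "ignore").decode()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in LEGIT_DOMAINS:
        return "legitimate"
    norm = normalize(domain)
    norm_label = norm.split(".")[0]          # registrable label, e.g. 'acme-treasury'
    tokens = set(re.split(r"[.-]", norm))    # whole words between dots and hyphens
    for legit in LEGIT_DOMAINS:
        label = legit.split(".")[0]
        if (norm_label == label                        # same name, other TLD or homoglyphs
                or edit_distance(norm_label, label) <= 1   # one-character typosquat
                or label in tokens):                   # brand reused, e.g. acme-payments.com
            return "lookalike"
    return "unrelated"
```

A flagged address is a signal for out-of-band verification of any payment instruction it carries, not proof of fraud on its own.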

The battle against cyber attackers needs to permeate an organization’s entire operations and culture; it’s no longer appropriate to leave sole ownership with the IT department. New technology solutions such as virtual account management, predictive analytics and faster payments are reshaping finance and treasury management. But cybersecurity remains the foundation.

To learn more, please reach out to your J.P. Morgan representative.

1. The Global State of Information Security® Survey 2018, PwC
2. Public Service Announcement, Federal Bureau of Investigation
3. The Cyber Kill Chain, Lockheed Martin

J.P. Morgan and Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (JPMC). Any example of cyber or other fraud or loss in this material is for illustrative purposes only; any similarity to any actual event or person is unintended and unfounded. This document was prepared exclusively for the benefit and internal use of the party to whom it is delivered (each, a “Recipient”). The content is not intended as, nor shall be deemed to constitute or contain, advice on which the Recipient may rely; does not constitute in any way JPMC research, and should not be treated as such; and is confidential and proprietary to JPMC. The content may not be copied, published, disclosed or used, in whole or in part, for any purpose other than as expressly authorized by JPMC. This document is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The Recipient is responsible for determining how to best protect itself against cyber threats and for selecting the cybersecurity best practices that are most appropriate to its needs. JPMC assumes no responsibility or liability whatsoever to any person in respect of such matters, and nothing within this document shall amend or override the terms and conditions in the agreement(s) between JPMC and the Recipient.


Copyright © 2020 JPMorgan Chase & Co. All rights reserved.