JPMorgan Spends Billions to Counter Cyber Threats, Fed Research Explores Banking System Contagion RiskJan18

Please note that we are SUSPENDING our LONG Uranium Theme, effective today

See the Active Thematic Ideas Section below for details

THEME ALERT: AN ACTIVE MRP THEME

I. Today’s Thematic Investment Idea

A deep dive into a market driver with alpha generating potential.

JPMorgan Spends Billions to Counter Cyber Threats, Fed Research Explores Banking System Contagion Risk

Summary: America’s largest bank is now spending billions of Dollars per year to defend itself against unrelenting waves of cyberattacks. Fed researchers have found that the interlinked nature of the banking system makes multiple institutions vulnerable to digital risks if just one firm’s systems are compromised. A preview of this played out just two months ago when ICBC Financial Services was slammed by a ransomware attack that effectively froze all of the broker’s operations and racked up a $9 billion bill with BNY Mellon. 

Though ICBC Financial had a sprawling parent bank that helped to backstop the firm with capital injections, containment may be more difficult in future scenarios. The SEC is currently rolling out new cybersecurity-focused rules on reporting and governance for publicly traded companies, but the recent breach of an official SEC social media account has shown the commission itself has neglected to implement basic protections against hackers at some levels.

Related ETF: First Trust NASDAQ Cybersecurity ETF (CIBR)

Financial markets and institutions face some of the most constant cyber risks. JPMorgan has disclosed that the bank now invests $15 billion per year and employs 62,000 technologists to counter about 45 billion potential attacks monitored on a daily basis. Mary Callahan Erdoes, head of JPMorgan Chase’s asset and wealth management division, said that the bank now has “more engineers than Google or Amazon”. On the same day, the Federal Reserve’s Vice Chair for Supervision, Michael Barr, addressed the second annual Conference on Measuring Cyber Risk in the Financial Services Sector and highlighted the impact of digital vulnerabilities in the banking system. Barr stated that researchers at the New York Fed recently found that “the impairment of a single large bank, a group of smaller banks, or a common service provider could be transmitted through the payments system and result in significant spillovers to other banks.” In essence, the weakest link puts the integrity of the entire chain at risk. Researchers also estimated that the potential impact of a cyberattack is systematically greater during stressed financial conditions, which is a very relevant point, considering three of the four largest bank failures in US history occurred last year and the underlying causes of those events remain a present threat in the banking system today.

It was just over two months ago that hacker group Lockbit hit the US brokerage unit of the Industrial and Commercial Bank of China (ICBC) with a crippling ransomware attack that froze automated trading and disrupted the exchange of US Treasuries. Reuters reports ICBC Financial Services was the sole settlement agent for BNY Mellon’s Treasury securities trading and, in the wake of the hack, ended up owing as much as $9 billion to the bank at one point, an amount many times larger than ICBC Financial Services’ net capital. A cash injection from its parent bank helped ICBC Financial Services cover the payment owed to BNY Mellon and a ransom of an undisclosed amount was ultimately paid to Lockbit to unlock the broker’s systems. The Lockbit hackers have successfully extorted $91 million across 1,700 attacks since 2020, according to the US Cybersecurity and Infrastructure Security Agency.

While the attack on ICBC’s US arm was contained, financial sector customers were impacted and could have faced significant losses if a larger parent company hadn’t been present or well-capitalized enough to act as a backstop. Moreover, the ripple effect went far beyond just the two aforementioned institutions, as more than $62 billion of US Treasuries failed to deliver on the day of the hack, DTCC data showed. The number of ransomware attacks in the finance industry surged by 64% last year, and was nearly double the 2021 level, according to data from Sophos.

Securities regulators in the US are getting more serious about combatting cybercrime that could disrupt or distort financial market activity. McKinsey notes the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022, requires critical infrastructure companies to report all cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA). In addition, the US Securities and Exchange Commission (SEC) in March 2022 proposed a rule requiring publicly listed companies to report cybersecurity incidents, their cybersecurity capabilities, and their board’s cybersecurity expertise and oversight. New rules regarding incident reporting and governance disclosure requirements took effect on December 15, 2023 and impact not only publicly-traded companies registered with the SEC, but third-party software and supply chain companies that could be implicated in cybercrimes. Noncompliance, negligence, and violations of the new framework could result in costly legal action from the SEC, making proactive investments in cybersecurity solutions ever more essential.

The SEC itself, however, has had its own run-ins with cybersecurity fumbles. Earlier this month, the SEC’s official account on X.com (formerly known as Twitter) was compromised by a hacker that used the @SECGov handle to falsely announce that new Bitcoin-backed ETFs had been approved for launch in the US one day before any official decision had been made on this issue. This caused a material shift in market prices of cryptocurrencies and the share prices of associated companies. An investigation by X Safety found that @SECGov was indeed accessed by an unauthorized user who acquired the phone number associated with the account. X noted that “the account did not have multi-factor authentication enabled”, a very basic first line of defense against hackers. Ironically, @SECGov had highlighted the need for multi-factor authentication in previous posts on the same platform. By not following this advice themselves, SEC officials might have also violated a 2021 executive order that required all Federal Civilian Executive Branch agencies to “adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”

THEME ALERT – LONG Cybersecurity

MRP added LONG Cybersecurity to our list of themes on March 11, 2022, as it became clear the threat of cyber warfare following the Russian invasion of Ukraine significantly increased. Ongoing warnings from US officials regarding cyber vulnerabilities in industry have further highlighted the need for increased cyber defenses in the near future. Just as energy and telecommunications infrastructure has recently been slammed with cyberattacks around the globe, likely engineered by quasi-state actors, the financial system is another key pillar of a functioning nation-state that will be targeted by hackers continually.

The US has not been immune to wide-reaching cyberattacks against critical infrastructure and government agencies. As MRP covered in 2021, state-backed hackers (likely of Russian origin) were able to insert malicious code into an update of Orion, one of SolarWinds’ platforms. It initially became clear that the Departments of Commerce, the Treasury, and State – which used SolarWinds’ IT infrastructure – were breached at some level, but that was only the beginning. More than 18,000 SolarWinds private and public sector customers installed the malicious updates, including at least nine federal agencies were confirmed compromised. The SolarWinds breach had a significant financial impact on affected organizations, with the attack costing affected companies an average of 11% of annual revenue. That slice of revenue comes out to about $12 million per company. The SolarWinds spyware breach was disclosed to the public not long before a high-profile ransomware attack on Colonial Pipeline Co. that forced the shutdown of 5,500 miles of US pipeline carrying nearly half of all fuel supplies on the East Coast. This was only relieved after the pipeline firm paid a $5 million ransom to Russian hacker group DarkSide.

Since adding LONG Cybersecurity to our list of themes, the First Trust Nasdaq Cybersecurity ETF (CIBR) has gained 13%, outperforming an S&P 500 return of 12% over that same period.

CHARTS

There is much more to this report! McAlinden Research Partners is offering a complimentary 60 day subscription to receive the full Daily Intelligence Briefing to Hedge Connection clients/friends.

Activate yours by signing up today!