J.P. Morgan Perspectives brings together thematic and strategic views across J.P. Morgan’s Global Research franchise. In this report, we explore the impact of the rise of AI to cybersecurity and how nation-state actors increasingly see cyber operations as a tool to achieve geopolitical goals. We hope this series will both inform and foster debate on evolving economic, investment and social trends.

– Joyce Chang, Chair of Global Research

From ChatGPT to AttackGPT: How AI is changing the geopolitical cyber threat landscape

Geopolitical instability, alongside rapidly maturing and emerging technology, has raised concerns about the weaponization of Artificial Intelligence (AI) as the next battlefield. It has been five or six decades since the global landscape has been confronted with active wars in Europe and in the Middle East along with elevated military tensions in Asia. Business leaders’ perspectives on cyber issues are evolving. According to the World Economic Forum’s annual survey of business leader perspectives, 91% of respondents believe that global geopolitical instability makes a catastrophic cyber event “moderately likely” or “very likely” in the next two years. As geopolitical risks intensify with the Israel-Hamas war and the ongoing geoeconomic strains between the US and China and Russia’s war on Ukraine, 50% of business leaders indicate that geopolitical instability is causing them to re-evaluate the countries with whom they do business.

Rising cyber competition is a reality in a multipolar world and cyberattacks are increasingly categorized as national security threats. AI-driven advancements in autonomous driving, cyberwarfare, intelligence, and autonomous weapon systems are being used to enhance military capabilities. Technological risks are not solely limited to rogue actors. Even before the outbreak of the Israel-Hamas war, high-ranking Israeli Defense Forces (IDF) officers informed the press that Israel is deploying AI tools as part of its military arsenal.¹ Israel’s use of AI is receiving greater attention for its “double feeding” elements, with focus on the transfer of human resources between the Israel Defense Forces (IDF) and the security industry.² Israel’s many startup companies in new technology give it a strong AI foundation, while the mandatory military service model has contributed to investment in the military technology units in the IDF.³

Cyber events, especially cyberattacks, are among the top cited risks to financial stability by central banks, and there is a growing fear that the adoption of AI could increase the pace, scale and effectiveness of attacks. The ransomware attacks on ION Trading UK, which affected the global derivatives market at the start of the year, and more recently on the US subsidiary of the Industrial & Commercial Bank of China (ICBC), which is the world’s largest lender by assets, highlights how malicious actors could expose vulnerabilities in the financial system and set off a cascade of disruption to financial stability. The ION attack forced brokers to manually record trades and delayed the weekly publication of trading stats from the US regulator CFTC. The most recent attack on ICBC’s US subsidiary, ICBC FS, prevented them from settling Treasury transactions, forced the rerouting of transactions and required a $9bn capital injection by ICBC into its US unit.⁴ Some Treasury market participants also reported that liquidity was affected. The attacks, along with threats made by Russian-affiliated actors against the SWIFT payment system, serves as a wake-up call for both financial authorities and policymakers to address the risks of larger and more frequent cyberattacks as the financial system and other critical infrastructure sectors become increasingly digitized.

As the world prepares for a series of notable elections in 2024, the prolific use of AI in generating deepfake images and spreading misinformation is expected to rise. The recent election in Argentina had quickly become a testing ground for AI in campaigns, with the two candidates and their supporters employing the technology to doctor existing images and videos and create others from scratch. This could portend what is to come in 2024.

In this J.P. Morgan Perspectives, we explore the impact of the rise of AI to cybersecurity and how nation-state actors increasingly see cyber operations as a tool to achieve geopolitical goals. We also provide an update on business priorities and spending to build cyber resilience as well as regulatory developments. For more detailed background on why cyber competition and geopolitical tensions are inextricably linked see J.P. Morgan Perspectives: Cyber: The new frontline of geopolitics, 21 Nov 2022, and what the heightened cyber security threats are since the pandemic, see J.P. Morgan Perspectives: Cyber Epidemic, Joyce Chang et al., 10 Aug 2021.

Cyber increasingly being used by nation states to achieve geopolitical goals

Widespread cybercrime and cyber insecurity is a new entrant to the top 10 rankings of severe risks over the next decade in the 18^th edition of the World Economic Forum’s annual Global Risks Report 2023. The findings are based on the annual Global Risks Perception Survey, which brings together 1,200 experts across diverse networks that include business, policymakers, academia, think tanks and other civic organizations.

Figure 1 shows the global risks ranked by severity over the longer-term (10 years). It is noteworthy that when the list is expanded to the top 32 risks, widespread cybercrime and cyber insecurity is seen as a greater risk than macro variables, including debt crises, failure to stabilize price trajectories and asset bubbles over the short and long term (Figure 2).

Cybercrime is almost always a cross-border event as criminals target foreign countries to reduce the risk of arrest. Institutional risks to political systems will intensify as the technology becomes more sophisticated as the proliferation of synthetic media risks erode public trust in the institutions of government. Physical security risks will likely rise as generative AI becomes embedded in more physical systems, including critical infrastructure. The military is also beginning to use AI models in the maintenance of complex weapons systems, using sensors to maximize readiness. AI can enable a single human operator to control swarms of drones in the air, on the water or undersea.

Figure 1: Global risks ranked by severity over 10 years

Source: World Economic Forum Global Risks Perception Survey 2022-2023

Figure 2: Relative severity of risks over a 2- and 10-year period

Source: World Economic Forum Global Risks Perception Survey 2022-2023
Note: Severity was assessed on a 1-7 Likert scale [1 – Low severity, 7 – High severity].

The capabilities of cyber warfare to transcend geographical boundaries has led nation-state actors to increase their cyber investments and weaponize cyber operations to achieve geopolitical goals. Cyber-enabled influence campaigns have so far been the tool of choice by nation-state threat actors given its low-cost but potentially high-impact capability to sway public opinion at home and abroad. The rise in generative AI presents an emerging threat as it enables groups with limited resources to supercharge online disinformation campaigns, and this is a trend that is likely to persist. In the latest Microsoft Digital Defense Report 2023, cyber operations have expanded globally, with increased activity in LatAm, sub-Saharan Africa and the Middle East but remain most pronounced against the US, Ukraine and Israel (Figure 3). According to Freedom House, at least 47 governments deployed commentators to manipulate online discussions in their favor over the last year, double the number from a decade ago and at least 16 countries used AI to sow doubt, smear opponents, or influence public debate. Authoritarian governments have also used AI to enhance and refine online censorship as legal frameworks in at least 22 countries mandate or incentivize digital platforms to deploy machine learning to remove disfavored political, social, and religious speech.

Figure 3: Ukraine, followed by the United States and Israel, were the most targeted countries by nation-state threat actors in 2023

Source: Microsoft Digital Defense Report 2023
Note: Microsoft Threat Intelligence observed state-sponsored cyber threat activity against organizations in more than 120 countries and territories this year. Data destruction represented a small fraction of the observed activity, which was predominantly reconnaissance, initial access and various other actions on network, and data exfiltration.

Cultural disruption, election controversy, macroeconomic volatility, and the war in Ukraine are examples of events that enable adversaries to take advantage of stress to accelerate cyberattacks and malicious activity. The recent unrest in Israel is no exception. According to Cloudflare, there was a spike in DDoS (distributed denial-of-service) attacks after Hamas’ October 7^th attack in Israel (see State of Security: Key Cybersecurity Topics and Metrics, Brian Essex, CFA, 5 Nov). Microsoft highlighted that US entities are typically the primary targets for DDoS attacks, bearing the brunt of 54% of all attacks. However, the past year has seen Europe climb to the second highest with 14% of DDoS attacks, overtaking East Asia. The change is tied to geopolitical conflicts, with pro-Russian hacktivist groups intensifying their onslaught against Europe and the US. India, the second most attacked country last year, is now fifth (Figure 5).

Figure 4: Israeli websites were heavily targeted by DDoS attacks following the Oct 7 attack

Application-layer DDoS attacks targeting Israel overtime

Source: Cloudflare blog

Figure 5: Two-year comparison of top 10 most attacked regions

Source: Microsoft Global DDoS Mitigation Operations.

Over the past year, nation-state cyber actors have pivoted away from high-volume destructive attacks toward cyber espionage, which pose long-term threats to the integrity of government, private industry, and critical sector networks. At the regional level, Ukraine is the top European target per volume of observed activity, driven by Russian state actors’ invasion-related operations, while Israel remains the most targeted country in the MENA region as a result of Iran’s intense focus in the region. South Korea and Taiwan are the first and second most targeted countries in the Asia-Pacific due to the focus of North Korean and Chinese state actors (Figure 6).

Figure 6: Ukraine is the top target in European, Israel in the MENA region and South Korea and Taiwan in the Asia-Pacific

Source: Microsoft Threat Intelligence events data, J.P. Morgan Strategic Research.

At the sector level, critical infrastructure remains a popular target and comprised 41% of all nation-state notifications Microsoft sent in 2023 (Figure 7). Data breach costs for critical infrastructure industries are 28.6% higher than the average cost of a breach in organizations in other industries and exceed $5mn according to IBM’s latest 2023 Cost of a Data Breach Report.

Figure 7: Critical infrastructure sectors comprised 41% of the nation-state notifications (NSN) Microsoft has sent in 2023

Most targeted sectors globally

Source: Microsoft Threat Intelligence NSN data, J.P. Morgan Strategic Research.

US-China cyber competition and a growing divide with AI chip supply to China facing restrictions

To understand China’s cyber strategy, it is important to note that in 2014, President Xi stressed that “without cyber [network] security, there will be no national security.” According to a Brookings paper, the cyber great power concept has since become widespread in Chinese official discourse and appears in the title of almost every major Xi speech on China’s telecommunications and network strategy directed at domestic audiences since 2014. Xi also noted that China had missed the Industrial Revolution but would seize the information revolution.

The Biden administration’s National Cybersecurity Strategy and the US Department of Defense (DoD) has highlighted China as posing the most significant challenge to the US in the global cyber landscape. In its 2023 Cyber Strategy report, China’s and Russia’s use of malicious cyber activity is cited “as a means to counter US conventional military power and degrade the combat capability of the Joint Force.” This new strategy supersedes the Pentagon’s 2018 cyber strategy. The latest strategy draws from lessons learned from how cyber has been used in the Russia-Ukraine war. It also emphasizes the importance of building cyber capabilities with allies and partners and prioritizes the integration of cyber capabilities into traditional warfighting capabilities. The US’ National Security Strategy highlights that China is the only competent competitor that the US faces as it has both the intent and capability to redesign international rules. As we highlighted in past reports, China is the only state currently on a trajectory to join the US in the first tier of cyber powers (Figure 8). The DoD maintains that China poses a broad and pervasive cyber espionage threat and has routinely conducted malicious cyber activity against US critical infrastructure including the Defense Industrial Base (DIB).

Figure 8: China is the only state currently on a trajectory to join the US in the first tier of cyber powers

Source: IISS, J.P. Morgan Strategic Research

Note: IISS methodology for assessing cyber power analyses the cyber ecosystem of each country and how it intersects with international security. The countries are assessed in seven categories: (1) Strategy and doctrine, (2) Governance, command and control, (3) Core cyber-intelligence capability, (4) Cyber empowerment and dependence, (5) Cyber security and resilience, (6) Global leadership in cyberspace affairs, (7) Offensive cyber capability economic competition and military affairs. The 15 countries are divided into three tiers of cyber power and within each tier alphabetically and are detailed as follows:

Tier I: World-leading strengths across all categories in the methodology

Tier II: World-leading strengths in some of the categories

Tier III: Strengths or potential strengths in some of the categories but significant weaknesses in others.

While US cyber strategy emphasizes the importance of partnering with allies, China’s strategic partners are not spared from its cyber operations, according to Microsoft. As China has expanded its global influence through the Belt and Road Initiative (BRI), Chinese cyber threat actors have simultaneously levied cyber operations against private and public entities globally. They often target countries aligned with the CCP’s BRI strategy—including Malaysia, Indonesia, and Kazakhstan—and foreign ministries across Europe, LatAm and Asia to pursue economic espionage or intelligence collection. The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment Report declared that China “probably currently represents the broadest, most active, and persistent cyber espionage threat to [the] US”.

China’s cybersecurity regulations emphasize government sovereignty on cyberspace and data and are focused on formulating national standards for cybersecurity and data protection. The four pillars are: the Cybersecurity Law (CSL), Data Security Law (DSL), Personal Information Protection Law (PIPL) and Critical Information Infrastructure Security Protection Regulation. The government also issued a series of documents such as “Cybersecurity review measures”, “Cloud computing service security assessment measures”, “Automotive data security management rule (trial)” and established a National Cybersecurity Emergency Office and an emergency coordination and reporting mechanism on cybersecurity. With the rapid development in AI technology, the “Interim measures for the management of generative AI services” was implemented on August 15, 2023. At the recent APEC summit, Presidents Biden and Xi established an intergovernmental dialogue on AI, citing the need for cooperation and robust regulation.

Yet, nation states such as China will likely leverage AI as a weapon through more intense and frequent cyber operations, while the intensification of US export restrictions on the technology and semiconductor industry has only slowed, not stopped China’s great cyber power ambitions. China’s policy of “civil military fusion” incentivizes cooperation between the civilian and military sectors. China also possesses a deeper pool of talent with twice as many PhD candidates in science, technology, engineering and mathematics as the US.⁵ The announcement of an advanced 5G phone by Huawei during Commerce Secretary Raimondo’s visit to China demonstrates that existing US export controls are not stopping China’s pursuit of critical technologies. Hence, the US Department of Commerce has placed further restrictions on supplying AI semiconductor chips and semiconductor capital equipment to China, with the supply of AI chips to Chinese corporates from the US facing suspension starting from November 16, 2023 (see China generative AI: Thoughts on impact from gen AI development in China from further US AI chip restrictions, 20 Oct and China Generative AI: Thoughts on industry development and outlook after JPM China AI tour, Alex Yao, 8 Aug).

The new “Interim Final Rule” was released on October 17 and includes:

• Expansion of restricted semiconductor types: The new directive widens the scope of AI semiconductor chip supply restriction by eliminating the “interconnect bandwidth” parameter. Notably, chips like A800/H800 now fall under the restriction list, pivoting the focus towards performance/density thresholds. This also brings mid-tier AI chips like L40/L40S into the restriction ambit.
• Notification mandate for advanced computing chips: A notification prerequisite has been introduced for advanced computing chips with AI capabilities destined for the consumer IC market, including high-end gaming chips.
• Broader licensing requisites across geographies: Expanding license requirements for semiconductor manufacturing equipment to apply beyond the PRC and Macau to 21 other countries for which the US maintains an arms embargo. The licensing protocols stretch across ~45 countries.

Our internet analyst, Alex Yao, sees China’s AI developers becoming increasingly less time efficient in their algorithm and model development over the next few years. It will take increasingly more time for LLM (large language model) development in China as larger data sets and more model parameters are required for model training, while computing power growth is handicapped. Our analysts believe that AI chip supply restriction and potential restrictions on Chinese companies’ access to cloud-computing services will accelerate China’s LLM market consolidation as computing power becomes scarce and potentially cost prohibitive. The price of cloud-based GPU computing power could increase significantly in the near future, which will make model training difficult to afford for small LLM developers. They favor large domestic LLM operators who already possess large amount of AI chips and see Baidu, Tencent, and Alibaba as better positioned due to their substantial reserves of AI chips which provide necessary computing power for model training. In addition to model training, their AI chip reserve could be monetized with increasing margin as GPU computing power become scarce, in their view.

Businesses re-thinking business models in areas with high geopolitical tensions

Cybersecurity and data protection concerns emanating from geopolitical tensions are influencing investment decisions, with business continuity (67%) and reputational damage (65%) cited as the key concerns. Nearly 50% of business leaders indicate that geopolitical instability is causing them to re-evaluate the countries with which they do business according to the World Economic Forum’s Global Cybersecurity Outlook 2023. Respondents indicate that AI and machine learning (20%), greater adoption of cloud technology (19%) and advances in user identity and access management (15%) will have the greatest influence on their cyber risk strategies over the next two years.

Figure 9: How geopolitical risk has influenced organizations’ cybersecurity strategy

Source: World Economic Forum Global Cybersecurity Outlook 2023

Only 36% of those surveyed are confident that their organization is cyber resilient according to the World Economic Forum (WEF) cybersecurity outlook. Moody’s 2023 cyber survey covers 71 global sectors with $80trn in outstanding debt. Twenty-three sectors, or 28% of the $80trn in collective Moody’s-rated debt, have high or very high cyber risk exposure.⁶ The Moody’s survey highlights that cybersecurity spending as a share of technology budget has increased by 70% across all sectors between 2019 and 2023 (Figure 10).

Figure 10: Cybersecurity spending as a share of technology budget, 2019 to 2023

Light purple = 2019; Dark purple = 2023; Bars on right hand side is the % change in cyber spending from 2019-2023

Source: Moody’s

PwC’s 2023 CEO Survey, which surveyed over 4,400 CEOs from 105 countries and territories, in the short term (next 12 months) found that most CEOs remain unprepared for the evolving cyber landscape. Cybersecurity researchers have demonstrated numerous ways AI could be used maliciously, such as creating polymorphic malware or writing highly convincing phishing emails at scale.⁷ Over the next year, CEOs feel most exposed financially to inflation, macroeconomic volatility and geopolitical risk followed by cyber risks, but in the medium-term (five-year) outlook, cyber risks tied with geopolitical risks in third place as the most exposed risk (Figure 11), similar to the WEF results. Nearly half of CEOs who say they are exposed to geopolitical risk are increasing their investments in cybersecurity or data privacy, adapting supply chains or adjusting their geographic footprint (Figure 12). However, generative AI presents an emerging threat, with 64% of CEOs acknowledging its potential misuse of malicious activities like phishing scams and automated hacks. Digital innovation, such as generative AI, will likely introduce new forms of complexity that could expose and create cyber vulnerabilities.

Figure 11: Cyber risks join top tier of risk exposure in CEOs’ medium-term (five-year) outlook

Question: How exposed do you believe your company will be to the following key threats in the next 12 months and the next five years? (Showing only ‘highly exposed’ and ‘extremely exposed’ responses)

Source: PwC's 26th Annual Global CEO Survey

Figure 12: CEOs increasing cyber investments, adjusting supply chains and changing physical footprint due to geopolitical conflict

Question: Which of the following actions, if any, is your company considering to mitigate against exposure to geopolitical conflict in the next 12 months?

Source: PwC's 26th Annual Global CEO Survey

Cybersecurity is a particular area of emphasis for larger companies exposed to geopolitical conflict, but smaller ones experience greater costs after a cyberattack given the lack of cyber insurance. It is not a coincidence that around 70% of organizations encountering human-operated ransomware had fewer than 500 employees.⁸ In the WEF survey, smaller organizations were more likely to report they did not have cyber insurance (48%) than larger organizations (16%). Figure 13 shows that 46% of companies with fewer than 1,000 employees did not have cyber insurance compared to 15% with more than 1,000 employees. According to Munich Re, the cyber insurance market is projected to grow to $33bn in premiums in 2027 from the current level of ~$12bn. The industry has seen an increase in settlement amounts following class action lawsuits. In late 2022, the industry saw a $392mn settlement in a large multi-state privacy case against Google.

Figure 13: Has your organization submitted a claim using your cyber insurance policy in the past two years?

Source: World Economic Forum Global Cybersecurity Outlook 2023

Insurance premiums have increased by a median of 50% between 2020 and 2022 according to the Moody’s survey, in response to losses cyber insurers suffered in 2020 after a steep increase in ransomware attacks during COVID-19. Some US issuers in education, healthcare, construction and manufacturing experienced hikes of 300% or more in 2021. Despite the higher cost of cyber insurance, only 3% of issuers indicated that they would buy less cyber coverage in 2023 compared to 2022.

Figure 14: Growth in cyber insurance pricing for insurer Marsh customers in the US & UK

Source: Marsh

Yet, despite the pick-up in ransomware frequency following a slowdown in 2022, our European insurance analysts remain positive on cyber insurance for the strong growth potential and high margins. The team suggests the best way to play cyber insurance in European insurance is Beazley (OW) with >20% of revenues in 2022 from this class of business and Munich Re (OW) which is the largest reinsurance player in the market (See Love Actuary: #73 - Cyber insurance remains attractive despite small reduction in prices, Kamran M Hossain, 9 Nov).

According to another survey by Accenture, which involved 1,000 global CEO respondents from 15 countries across 19 industries, while a majority (96%) of CEOs acknowledge the critical role of cybersecurity in organizational growth and stability, only 33% have deep knowledge of the evolving cyber threat landscape. 74% of CEOs have expressed concern about their organizations’ capability to mitigate damage from a cyberattack. Many CEOs also have a reactive approach to cybersecurity, with 60% of CEOs admitting that their organizations do not initially integrate cybersecurity into their business strategies, services or products. For example, 54% of CEOs believe that implementing cybersecurity measures is costlier than enduring a cyberattack, contrary to historical evidence. While 90% of CEOs recognize cybersecurity as a key differentiator for their offerings, only 15% allocate board meetings to discuss cybersecurity issues.

Cyber events, especially cyberattacks, are already among the top and most frequently cited risks in financial stability surveys in the US and globally. The recent ransomware attack on the Industrial & Commercial Bank of China (ICBC), the world’s largest lender by assets, temporarily disrupted trades and liquidity in the US Treasury market. This event highlights how malicious actors could expose vulnerabilities in the financial system and set off a cascade of disruption to financial stability. In DTCC’s Systemic Risk Barometer Survey, cyber risk consistently ranks as the top risk since the survey was launched in 2013 with exceptions in 2021, when it was outranked by pandemic risks and in 2023, when it was outranked by geopolitical risks and inflation concerns (Figure 15).

Figure 15: Cyber risk ranked amongst top global financial stability risks in DTCC’s Systemic Risk Barometer Survey

Respondents (%)

Source: DTCC, J.P. Morgan Strategic Research

Bank of England's 2023 H2 Systemic Risk Survey also lists cyberattack along with geopolitical risks as the most frequently cited risks among participants with cyber risk at its highest level recorded in the survey this year (Figure 16).

Figure 16: Proportion of respondents citing cyber risk is at its highest level recorded in the BoE’s Systemic Risk Survey

Respondents (%)

Source: Bank of England Systemic Risk Surveys and Bank calculations.

AI in the civilian world and the escalating costs of cyber threats: A dark side to productivity gains

The rise of generative AI and large language models has opened a Pandora’s box of unprecedented technological possibilities across industries but has also raised significant concerns surrounding cybersecurity given the propensity of AI to be used to amplify existing cyber threats. With ChatGPT going mainstream in November 2022, investors have since bought into generative AI’s transformative potential, rewarding AI-chipmakers such as Nvidia, which has seen a more than 200% increase in its share price YTD. However, the rise in generative AI has also brought with it discussions of the dangers that are apparent especially through the lens of cybersecurity as AI can enhance threat-actor capabilities, increase effectiveness of attacks, and lower barriers to entry for cybercriminals.

As the cyber threat landscape evolves rapidly, the potential for disruptions to business as usual remain significant as the creation and spread of disinformation becomes easier, faster, cheaper and more effective with the rise of AI. What seemed like a scene out of a popular American heist film, customers at the popular MGM Resorts in Las Vegas and other US regions found themselves facing a chaotic scene in mid-September ranging from downed slot machines to malfunctioning digital room keys to handwritten receipts for casino winnings. It was quickly revealed that MGM suffered a widespread cyber security breach that led to a forced shutdown of its internal networks which took 10 days to fully resolve. The cost of the disruption to operations is an estimated $100mn hit to MGM’s third-quarter results along with a nearly $10mn one-time expense for technology, consulting, legal and other advisor costs. While MGM believes its cybersecurity insurance will be sufficient to cover the expenses, the full scope of costs has not been determined (see MGM Resorts International: 3Q23/September Cyber Impact Likely More Modest Than Feared, Joseph Greff, et al., 5 Oct). The incident at MGM serves as just one example in the broader trend of escalating cyber threats impacting the daily operations of companies, not just national security attacks that target the critical infrastructure sector. Our Gaming & Lodging equity analysts remain OW MGM as they see the business, particularly in Las Vegas, on solid footing despite the impact from the one-time cyberattack (see MGM Resorts International: Adjusting Estimates for Cyber Attack Impact, Joseph Greff et al., 20 Oct).

We are also not entirely pessimistic as AI may drive faster productivity growth. At the macro level, greater use of AI could lift productivity growth from its recent dismal run rate. If the labor-saving promise of AI is realized, this should have a depressing effect on inflation (see US: AI and interest rates, Michael Feroli, 13 July). There is an argument to be made that generative AI has the potential to fill critical gaps in cyber defense especially as the cybersecurity workforce gap has reached a record high of 4mn, despite 440,000 people joining the cybersecurity profession between 2022 and 2023. 86% of Chief Information Security Officers (CISOs) believe that generative AI will alleviate skills gaps and talent shortages on their security teams.⁹ With the use of security AI and automation in the detection and investigation of threats on the rise, the implications of a data breach or cyber event has been shown to be successfully reduced or mitigated. According to IBM, organizations with extensive use of security AI and automation identified and contained a data breach 108 days faster than organizations with no use. Additionally, 61% of organizations now employ some level of security AI and automation, of which 28% of organizations extensively used security AI and automation tools which helped deliver cost savings of nearly $1.8mn in the event of a data breach compared to $5.36mn for organizations with no use of security AI and automation. This is 18.6% more than the 2023 average cost of a data breach of $4.45mn. AI could also help by automating and augmenting many aspects of cybersecurity, such as threat detection, response, analysis, and prediction which could address the 4mn worker cybersecurity workforce gap and could also enable new capabilities and opportunities, such as using LLMs to generate natural language insights and recommendations from complex data, helping make junior analysts more effective and giving them new opportunities to learn.¹⁰

See Figure 17 and Figure 18 for a description of the types of cyberattacks that could be amplified by AI and potential ways AI could be leveraged for cyber defense.

Figure 17: Types of cyberattacks and how AI can amplify risks

Source: IEEE, J.P. Morgan Strategic Research

Figure 18: How AI can be leveraged to benefit cyber defense

Source: IEEE, J.P. Morgan Strategic Research

Global spending on cybersecurity has topped $188bn in 2023 while cybercrime is estimated to cost the global economy $8trn this year, which surpasses the annual GDP of every country except for the US and China. According to Gartner, global cybersecurity spend is estimated to reach $215bn next year and is on pace to surpass $260bn by 2026 but, as we noted in our previous report, costs related to cybercrime are estimated to hit $10.5trn a year by 2025 (see J.P. Morgan Perspectives: Cyber: The new frontline of geopolitics, Joyce Chang, Amy Ho et al., 22 Nov 2022). The number of cyber breaches soared between 2014 and 2020 and has plateaued with the overwhelming majority of reported cyberattacks occurring in the Americas (Figure 19).

Figure 19: Reported cyberattacks, by region

Source: Bitsight

The average cost of a data breach has also climbed to a new high of $4.45mn (Figure 20) with 82% of breaches involving data stored in the cloud—public, private or multiple environments. For the 13^th consecutive year, the US has held the title for the highest average cost of a data breach at $9.5mn, followed by the Middle East at $8.1mn, Canada $5.1mn, Germany $4.7mn and Japan at $4.5mn according to IBM’s 2023 Cost of a Data Breach Report (Figure 21).

Figure 20: Average cost of a data breach has climbed to a new high of $4.45mn

$mn

Source: IBM Security, Cost of a Data Breach Report 2023

Figure 21: The US has held the title for the highest average data breach costs for the 13^th consecutive year

$mn

Source: IBM Security, Cost of a Data Breach Report 2023, J.P. Morgan Strategic Research

According to our ESG colleagues, organizations that collect a large volume of customer data are at higher risk of experiencing data breaches and bearing the associated costs. In their examination of constituents within the MSCI World Index, nearly all companies in the Financial and Communication sectors have a high or medium level of exposure to data privacy risk (Figure 22) and rank amongst the top 10 highest in average costs of a data breach across sectors (Figure 23). 78 US companies have experienced data breaches or data privacy controversies in the past three years, representing 13% of the US constituents of the MSCI World Index. Notably, companies most frequently involved in these types of controversies are tech giants including Meta and Amazon. In APAC, companies logged the second-highest number of cases, but these involved only 3% of constituents, suggesting a higher concentration of risk (see ESG - The Long View: ChatESG 2.0 - Data security and privacy in the age of AI, Hugo Dubourg et al., 4 Jul).

Figure 22: Financials, communication services and healthcare are the top three sectors most exposed to data privacy risk…

% of companies with different level of exposure

Source: J.P. Morgan, MSCI ESG Research.

Figure 23: … and rank amongst the top 10 highest in average costs of a data breach across sectors

$mn, average cost of a data breach

Source: J.P. Morgan, MSCI ESG Research

Cyber regulation is advancing in larger economies but lags in EM

The CSIS Strategic Technologies Program has compiled an index of existing cyber strategies and laws by country and territory. The index includes national strategies addressing civilian and military national cyber defense, digital content, data privacy, critical infrastructure protection, e-commerce, and cybercrime. This provides policymakers and diplomatic officials a unified, at-a-glance database of global legal and policy frameworks to help the global community understand, track, and harmonize regulations internationally. In the US, the National Conference of State Legislature tracks significant legislation from all 50 states related to cybersecurity, data privacy and artificial intelligence.

There appears to be no political momentum for implementing federal privacy legislation although the FTC has highlighted that self-regulation around digital privacy is not working, particularly with advances in generative AI. Only five out of 50 US states—California, Colorado, Connecticut, Utah and Virginia—have adopted comprehensive data legislation. Current regulatory proposals are focused on improving disclosure and providing more transparency to investors so that they assess the strength of cyber risk governance. The US Securities and Exchange Commission voted in July to adopt rules requiring SEC registrants and foreign private issuers to disclose material cyber incidents they experience and to report annually on their cybersecurity risk management, strategy, and governance. Legislators and regulators in Canada, the EU and other countries have introduced similar measures.

The US Federal Trade Commission (FTC) recently released a report detailing its work to combat ransomware and other cyberattacks.¹¹ The FTC reports that it has brought more than 80 enforcement actions involving data security, typically based on allegations concerning deceptive company promises involving security or a company’s failure to implement reasonable security practices. The report highlights the FTC’s efforts to implement robust data security enforcement programs to prioritize safeguarding consumer and recommends that the US Congress enact privacy and data security legislation that is enforceable by the FTC. The FTC has proposed market-wide rules to help prevent what the Commission views to be some of the more harmful uses of AI, including proposed rules regarding impersonators and fake reviews. We note that the FTC has no law enforcement powers over cybercriminals although it has previously pushed for comprehensive legislation that would expand the FTC’s civil penalty authority, rule-making authority, and jurisdiction over non-profits and common carriers.

According to the China Cybersecurity Industry Alliance (CCIA), cybersecurity regulation has been implemented in practice. For instance, about a dozen regional banks have been named and required rectification for infringing on user rights and illegally obtaining personal information. CCIA estimated that the cybersecurity industry in China reached 63.3 billion yuan in 2022 and will likely exceed 80 billion yuan in 2025.

Among emerging markets, most central banks or supervisory authorities have not introduced cybersecurity regulations or built resources to enforce them according to a recent IMF survey of 51 countries, putting them at a substantial disadvantage in their ability to respond to major cyberattacks. 56% of the central banks or supervisory authorities do not have a national cyber strategy for the financial sector while 42% lack a dedicated cybersecurity or technology risk-management regulation, and 68% lack a specialized risk unit as part of their supervision department. 64% do not mandate testing and exercising cyber security measures or provide further guidance and 54% lack a dedicated cyber incident reporting regime. 48% do not have cybercrime regulations.

Figure 24: State of cyber risk oversight at supervisory authorities

Share of surveyed countries

Source: IMF staff survey, state of play at supervisory authorities. Note: IMF staff surveyed 51 emerging markets and developing economies between Dec 2021 and March 2022. The classification of the practices is based solely on survey responses and does not include qualitative evaluation by IMF staff.

Global race to regulate AI is on with Europe and China in the lead

The geopolitics of AI have given rise to digital sovereignty, which refers to a nation’s ability to control its digital destiny and may include control over the entire AI supply chain, from data to hardware and software. ¹² Industrial policies are designed explicitly to protect the supply chain and maintain sovereign technological leadership. Indeed, the US National Security Commission on Artificial Intelligence (NSCAI) report issued in March 2021 recommended creating “choke points” that limit Chinese access to semiconductors to stall progress in some areas of technological development. The rapid development of generative AI will make regulation even more complex and difficult. In DM economies, private sector AI firms are the key actors in generative AI research and frontier models, making regulation much more difficult as funding, hardware, compute and data will continue to be concentrated in the private domain.

Figure 25: Affiliation of research teams building notable AI Systems

Number of research teams

Source: Our World in Data. Data accessed on Nov 21, 2023.

The Biden administration has attempted to regulate and harness AI’s potentially game-changing cyber capabilities to make software and networks more secure through its latest Executive Order and the launch of the AI Cyber Challenge. On October 30, President Biden issued an Executive Order (EO) that establishes new standards for AI safety and security. The EO establishes an advanced cybersecurity program to develop AI tools to find and fix vulnerabilities in critical software that builds on the administration’s ongoing AI Cyber Challenge launched back in August which is a two-year competition aimed at creating state-of-the-art AI-powered cybersecurity systems designed to secure the nation’s critical infrastructure. Major AI-leaders such as OpenAI, Google and Microsoft having signed on to take part in the competition. Our US software equity analysts view IBM among those best positioned to benefit from the EO as it targets establishing governance and control over AI development as more enterprises attempt to adopt the technology. Our analysts see other vendors in the process of emerging as well positioned, including those with technology to protect code used to develop models and platforms used to control and govern data that could be exposed by AI.

In contrast, China’s approach to AI is heavily based on central government control and guidance that puts responsibility on private companies to moderate, ban or promote certain types of content.¹³ Government agencies also own minority stakes in private companies through state-run private equity funds. China has signaled that it will diminish its reliance on foreign-developed open-source software. In October, China announced its Global AI Governance Initiative (GAIGI) which focuses on several issues: ensuring AI is beneficial to human progress, opposing exclusive groups that obstruct AI development in certain countries, establishing a testing and assessment system for AI risk levels, establishing an international institution to govern AI, and ensuring that assistance is provided to developing countries. The GAIGI is expected to bring together all 155 countries which make up the Belt and Road Initiative, making it one of the largest AI governance forums created.¹⁴ China has taken additional number of steps to govern AI, including issuing interim measures for the management of generative AI services which went into effect in August and gave China a “first-mover advantage in AI regulation.”¹⁵

Europe has taken the most comprehensive steps to regulate AI through the AI Act.¹⁶ This is the first comprehensive law on AI proposed by a major authority worldwide. The law assigns applications of AI to three risk categories. First, applications and systems that create an unacceptable risk, such as government-run social scoring of the type used in China, are banned. Second, high-risk applications, such as a CV-scanning tool that ranks job applicants, are subject to specific legal requirements. Lastly, applications not explicitly banned or listed as high-risk are largely left unregulated. It remains to be seen whether the EU AI Act will gain traction. Similar to the EU’s General Data Protection Regulation (GDPR) in 2018, the EU AI Act focuses on measures to address individual damage from AI rather than systemic risk. However, the EU has drafted regulations that would consider the liability of software producers through the Cyber Resilience Act (CRA),¹⁷ published in September 2022.

The UK held the first Global AI Safety Summit, where 28 governments signed the Bletchley Declaration, including the US and China. The US and UK both announced plans to launch their own AI safety institutes while two more summits were announced to take place in South Korea and France next year. While some consensus was reached on the need to regulate AI at the summit, disagreements remain over exactly how that should happen along with who will lead such efforts.

Market views

Going into 2024, the strength of AI services, across the universe of hardware, software and data, could continue. Cybersecurity companies stand to benefit from sustained demand as ongoing geopolitical risks could trigger increased cyber warfare. We highlight companies that seem best positioned across regions:

Our US software equity analysts believe we will continue to see a growing focus on AI/ML and GenAI as scalability of labor resources remains an issue across the global IT landscape and see Palo Alto Networks (PANW), CrowdStrike (CRWD), SentinelOne (S) and Zscaler (ZS) best positioned to make an impact. The team also upgraded CyberArk to Overweight given they see opportunity for upside in the wake of accelerating demand as CyberArk has some of the most favorable exposure to high priority security spending within their coverage (see State of Security: Key Cybersecurity Topics and Metrics, Brian Essex, CFA, 5 Nov).

In Europe, our Tech Software & IT Services analysts see Value Added Resellers (VARs) and cyber channel partners as well placed given that they have already proven themselves in a Software-as-a-service (SaaS)-heavy space through emphasis on customized, high value-add services. They offer a more technology-agnostic exposure to secular growth trends than investment into individual software and hardware vendors and also generally offer a degree of diversification, while also offering exposure to mission-critical and high-growth areas of IT budgets. Leading cyber distributors, like Exclusive Networks (EXN), have navigated the SaaS-dominated space well, separating themselves vs peers through offering specialized services such as security assessments, customized integration and security operations centers as a service, as well as their own cloud sales platform (see First Principles – Value Added Resellers (VARs): Capital-light beneficiaries of secular tech trends, Joseph George et al., 18 Jul).

Despite the pick-up in ransomware frequency following a slowdown in 2022, our European Insurance analysts see the cyber market as an attractive area with strong profitability and good exposure in the coming years. Outside of claims trends, the team has begun to see small reductions in pricing following a period of very rapid price improvements. The latest pricing data from Beazley showed a 4% reduction in cyber pricing at the 9M23 statement. However, prices are more than 2.5x times higher than they were in 2020, which is more than adequately reflects the risk of ransomware claims frequency. The analysts see the best way to play cyber insurance in European insurance through Beazley (OW) with >20% of revenues in 2022 from this class of business and Munich Re (OW) which is the largest reinsurance player in the market (See Love Actuary: #73 - Cyber insurance remains attractive despite small reduction in prices, Kamran M Hossain, 9 Nov 2023).

Our China internet analysts see Baidu (OW) as the best investment proxy for generative AI development in China and view Baidu as better positioned than peers as the company just accomplished a technical leapfrog of LLM quality. AI chip restrictions introduce new uncertainties to Chinese LLMs’ model development and training. While Alibaba and Tencent might have sufficient AI chips and talent for development of a ChatGPT 4.0 equivalent, it’s unclear that they will achieve a ChatGPT 4.0 equivalent with their existing resources. On the other hand, Baidu is the only Chinese LLM developer to have already launched a ChatGPT 4.0 equivalent so far. Our analysts believe Baidu has first-mover advantage in the LLM industry, considering that: 1) its gen-AI commercialization and launch of various products will attract key customers earlier than peers, and 2) increasing adoption of Baidu’s gen-AI in early development stage could lead to the establishment of industry standards by Baidu. The team remains confident in its capability to build a comprehensive AI industry ecosystem, leveraging its technology and first-mover advantage.

Our Asia equity research team highlights that cyber risk is coming to the fore across APAC banks after reports that account details of 15mn customers of Indonesia’s largest Islamic lender, Bank Syariah Indonesia (BSI), were published online. Our analysts highlight the potential costs of cybersecurity incidents, including financial losses from unauthorized debits, which can be in cash, digitized assets, loss of confidence in the banks’ systems, penalties from regulators, damages from lawsuits and identity theft and phishing for customers who details have been compromised (see APAC Banks: A primer on IT/Cyber risks, Harsh Wardhan Modi et al., 18 May).

For more resources on the developments in the AI market, see J.P. Morgan Research’s “Investable AI” page on J.P. Morgan Markets which is updated regularly with the latest research, tools and recommendations on this theme from our broader research teams.