J.P. Morgan Perspectives
AI and Cybersecurity: New Tech, New Threats
Executive summary
- AI's potential for transformation is the story of 2023 and the future as seen in the tech-heavy Nasdaq Composite which is up 36% YTD…
- …however, AI-driven advancements in cyber warfare pose an emerging geopolitical threat, with cyberattacks supercharged through AI-enhanced surveillance as well as disinformation campaigns.
- In this note, we explore the implications for cybersecurity across various domains, from civilian applications to national security, in our annual survey of cybersecurity trends and threats.
- Military use of AI-enhanced surveillance and drone-based hacking techniques in Israel's war on Gaza has spurred discussion on the interplay between technological advancements, foreign policy and human rights with regulatory bodies debating how best to adapt to AI.
- The tactics of nation-state cyber actors are pivoting away from high-volume destructive attacks toward cyber espionage, threatening the integrity of government, private industry and critical sector networks.
- Ukraine, followed by the US and Israel, were the most targeted countries by nation-state threat actors in 2023, while critical infrastructure remains a popular target.
- According to the World Economic Forum's annual survey of business leader perspectives, 91% of respondents believe that global geopolitical instability makes a catastrophic cyber event "moderately likely" or "very likely" in the next two years.
- Business leaders are most concerned about disruption and reputational risk with 50% of business leaders indicating that geopolitical instability is causing them to re-evaluate the countries with whom they do business.
- Cybercrime is a daily reality and global spending on cybersecurity is topping $188bn in 2023 and on pace to surpass $260bn by 2026; nevertheless, cybercrime is estimated to cost the world $8trn this year and reach $10.5trn a year by 2025.
- The cybersecurity workforce gap has reached a record high of 4mn while the average cost of a data breach has also climbed to a new high of $4.45mn.
- Our US software equity analysts see Palo Alto Networks (OW), CrowdStrike (OW), SentinelOne (OW) and Zscaler (Neutral) best positioned to make an impact in AI/ML and GenAI and are also OW CyberArk.
- In Europe, our Tech Software & IT Services analysts see Value Added Resellers and cyber channel partners, such as Exclusive Networks (Neutral), as well placed given that they have already proven themselves in a Software-as-a-Service (SaaS)-heavy space through emphasis on customized, high value-add service.
- Our European insurance analysts also suggest that the best way to play cyber insurance is through Beazley (OW) and Munich Re (OW), which is the largest reinsurance player in the market.
J.P. Morgan Perspectives brings together thematic and strategic views across J.P. Morgan’s Global Research franchise. In this report, we explore the impact of the rise of AI on cybersecurity and how nation-state actors increasingly see cyber operations as a tool to achieve geopolitical goals. We hope this series will both inform and foster debate on evolving economic, investment and social trends.
– Joyce Chang, Chair of Global Research
From ChatGPT to AttackGPT: How AI is changing the geopolitical cyber threat landscape
Geopolitical instability, alongside rapidly maturing and emerging technology, has raised concerns about the weaponization of Artificial Intelligence (AI) as the next battlefield. It has been five or six decades since the global landscape has been confronted with active wars in Europe and in the Middle East along with elevated military tensions in Asia. Business leaders’ perspectives on cyber issues are evolving. According to the World Economic Forum’s annual survey of business leader perspectives, 91% of respondents believe that global geopolitical instability makes a catastrophic cyber event “moderately likely” or “very likely” in the next two years. As geopolitical risks intensify with the Israel-Hamas war and the ongoing geoeconomic strains between the US and China and Russia’s war on Ukraine, 50% of business leaders indicate that geopolitical instability is causing them to re-evaluate the countries with whom they do business.
Rising cyber competition is a reality in a multipolar world and cyberattacks are increasingly categorized as national security threats. AI-driven advancements in autonomous driving, cyberwarfare, intelligence, and autonomous weapon systems are being used to enhance military capabilities. Technological risks are not solely limited to rogue actors. Even before the outbreak of the Israel-Hamas war, high-ranking Israeli Defense Forces (IDF) officers informed the press that Israel is deploying AI tools as part of its military arsenal.1 Israel’s use of AI is receiving greater attention for its “double feeding” elements, with focus on the transfer of human resources between the Israel Defense Forces (IDF) and the security industry.2 Israel’s many startup companies in new technology give it a strong AI foundation, while the mandatory military service model has contributed to investment in the military technology units in the IDF.3
Cyber events, especially cyberattacks, are among the top cited risks to financial stability by central banks, and there is a growing fear that the adoption of AI could increase the pace, scale and effectiveness of attacks. The ransomware attacks on ION Trading UK, which affected the global derivatives market at the start of the year, and more recently on the US subsidiary of the Industrial & Commercial Bank of China (ICBC), which is the world’s largest lender by assets, highlight how malicious actors could expose vulnerabilities in the financial system and set off a cascade of disruption to financial stability. The ION attack forced brokers to manually record trades and delayed the weekly publication of trading stats from the US regulator CFTC. The most recent attack on ICBC’s US subsidiary, ICBC FS, prevented it from settling Treasury transactions, forced the rerouting of transactions and required a $9bn capital injection by ICBC into its US unit.4 Some Treasury market participants also reported that liquidity was affected. The attacks, along with threats made by Russian-affiliated actors against the SWIFT payment system, serve as a wake-up call for both financial authorities and policymakers to address the risks of larger and more frequent cyberattacks as the financial system and other critical infrastructure sectors become increasingly digitized.
As the world prepares for a series of notable elections in 2024, the prolific use of AI in generating deepfake images and spreading misinformation is expected to rise. The recent election in Argentina had quickly become a testing ground for AI in campaigns, with the two candidates and their supporters employing the technology to doctor existing images and videos and create others from scratch. This could portend what is to come in 2024.
In this J.P. Morgan Perspectives, we explore the impact of the rise of AI on cybersecurity and how nation-state actors increasingly see cyber operations as a tool to achieve geopolitical goals. We also provide an update on business priorities and spending to build cyber resilience as well as regulatory developments. For more detailed background on why cyber competition and geopolitical tensions are inextricably linked, see J.P. Morgan Perspectives: Cyber: The new frontline of geopolitics, 21 Nov 2022; for the heightened cybersecurity threats since the pandemic, see J.P. Morgan Perspectives: Cyber Epidemic, Joyce Chang et al., 10 Aug 2021.
Cyber increasingly being used by nation states to achieve geopolitical goals
Widespread cybercrime and cyber insecurity is a new entrant to the top 10 rankings of severe risks over the next decade in the 18th edition of the World Economic Forum’s annual Global Risks Report 2023. The findings are based on the annual Global Risks Perception Survey, which brings together 1,200 experts across diverse networks that include business, policymakers, academia, think tanks and other civic organizations.
Figure 1 shows the global risks ranked by severity over the longer-term (10 years). It is noteworthy that when the list is expanded to the top 32 risks, widespread cybercrime and cyber insecurity is seen as a greater risk than macro variables, including debt crises, failure to stabilize price trajectories and asset bubbles over the short and long term (Figure 2).
Cybercrime is almost always a cross-border event as criminals target foreign countries to reduce the risk of arrest. Institutional risks to political systems will intensify as the technology becomes more sophisticated, as the proliferation of synthetic media risks eroding public trust in the institutions of government. Physical security risks will likely rise as generative AI becomes embedded in more physical systems, including critical infrastructure. The military is also beginning to use AI models in the maintenance of complex weapons systems, using sensors to maximize readiness. AI can enable a single human operator to control swarms of drones in the air, on the water or undersea.
Figure 1: Global risks ranked by severity over 10 years
Rank | Global Risks | Risk Category |
1 | Failure to mitigate climate change | Environmental |
2 | Failure of climate-change adaptation | Environmental |
3 | Natural disasters and extreme weather events | Environmental |
4 | Biodiversity loss and ecosystem collapse | Environmental |
5 | Large-scale involuntary migration | Societal |
6 | Natural resource crises | Environmental |
7 | Erosion of social cohesion and societal polarization | Societal |
8 | Widespread cybercrime and cyber insecurity | Technological |
9 | Geoeconomic confrontation | Geopolitical |
10 | Large-scale environmental damage incidents | Environmental |
Source: World Economic Forum Global Risks Perception Survey 2022-2023
Note: Severity was assessed on a 1-7 Likert scale [1 – Low severity, 7 – High severity].
The capability of cyber warfare to transcend geographical boundaries has led nation-state actors to increase their cyber investments and weaponize cyber operations to achieve geopolitical goals. Cyber-enabled influence campaigns have so far been the tool of choice for nation-state threat actors given their low-cost but potentially high-impact capability to sway public opinion at home and abroad. The rise in generative AI presents an emerging threat as it enables groups with limited resources to supercharge online disinformation campaigns, and this is a trend that is likely to persist. According to the latest Microsoft Digital Defense Report 2023, cyber operations have expanded globally, with increased activity in LatAm, sub-Saharan Africa and the Middle East, but remain most pronounced against the US, Ukraine and Israel (Figure 3). According to Freedom House, at least 47 governments deployed commentators to manipulate online discussions in their favor over the last year, double the number from a decade ago, and at least 16 countries used AI to sow doubt, smear opponents, or influence public debate. Authoritarian governments have also used AI to enhance and refine online censorship as legal frameworks in at least 22 countries mandate or incentivize digital platforms to deploy machine learning to remove disfavored political, social, and religious speech.
Figure 3: Ukraine, followed by the United States and Israel, were the most targeted countries by nation-state threat actors in 2023
Source: Microsoft Digital Defense Report 2023
Note: Microsoft Threat Intelligence observed state-sponsored cyber threat activity against organizations in more than 120 countries and territories this year. Data destruction represented a small fraction of the observed activity, which was predominantly reconnaissance, initial access and various other actions on network, and data exfiltration.
Cultural disruption, election controversy, macroeconomic volatility, and the war in Ukraine are examples of events that enable adversaries to take advantage of stress to accelerate cyberattacks and malicious activity. The recent unrest in Israel is no exception. According to Cloudflare, there was a spike in DDoS (distributed denial-of-service) attacks after Hamas’ October 7th attack in Israel (see State of Security: Key Cybersecurity Topics and Metrics, Brian Essex, CFA, 5 Nov). Microsoft highlighted that US entities are typically the primary targets for DDoS attacks, bearing the brunt of 54% of all attacks. However, the past year has seen Europe climb to the second highest with 14% of DDoS attacks, overtaking East Asia. The change is tied to geopolitical conflicts, with pro-Russian hacktivist groups intensifying their onslaught against Europe and the US. India, the second most attacked country last year, is now fifth (Figure 5).
Figure 4: Israeli websites were heavily targeted by DDoS attacks following the Oct 7 attack
Application-layer DDoS attacks targeting Israel over time
Source: Cloudflare blog
Figure 5: Two-year comparison of top 10 most attacked regions
Source: Microsoft Global DDoS Mitigation Operations.
Over the past year, nation-state cyber actors have pivoted away from high-volume destructive attacks toward cyber espionage, which poses long-term threats to the integrity of government, private industry, and critical sector networks. At the regional level, Ukraine is the top European target per volume of observed activity, driven by Russian state actors’ invasion-related operations, while Israel remains the most targeted country in the MENA region as a result of Iran’s intense focus in the region. South Korea and Taiwan are the first and second most targeted countries in the Asia-Pacific due to the focus of North Korean and Chinese state actors (Figure 6).
Figure 6: Ukraine is the top target in Europe, Israel in the MENA region and South Korea and Taiwan in the Asia-Pacific
Source: Microsoft Threat Intelligence events data, J.P. Morgan Strategic Research.
At the sector level, critical infrastructure remains a popular target and comprised 41% of all nation-state notifications Microsoft sent in 2023 (Figure 7). Data breach costs for critical infrastructure industries are 28.6% higher than the average cost of a breach in organizations in other industries and exceed $5mn according to IBM’s latest 2023 Cost of a Data Breach Report.
Figure 7: Critical infrastructure sectors comprised 41% of the nation-state notifications (NSN) Microsoft has sent in 2023
Most targeted sectors globally
Source: Microsoft Threat Intelligence NSN data, J.P. Morgan Strategic Research.
US-China cyber competition and a growing divide with AI chip supply to China facing restrictions
To understand China’s cyber strategy, it is important to note that in 2014, President Xi stressed that “without cyber [network] security, there will be no national security.” According to a Brookings paper, the cyber great power concept has since become widespread in Chinese official discourse and appears in the title of almost every major Xi speech on China’s telecommunications and network strategy directed at domestic audiences since 2014. Xi also noted that China had missed the Industrial Revolution but would seize the information revolution.
The Biden administration’s National Cybersecurity Strategy and the US Department of Defense (DoD) have highlighted China as posing the most significant challenge to the US in the global cyber landscape. In the DoD’s 2023 Cyber Strategy report, China’s and Russia’s use of malicious cyber activity is cited “as a means to counter US conventional military power and degrade the combat capability of the Joint Force.” This new strategy supersedes the Pentagon’s 2018 cyber strategy. The latest strategy draws from lessons learned from how cyber has been used in the Russia-Ukraine war. It also emphasizes the importance of building cyber capabilities with allies and partners and prioritizes the integration of cyber capabilities into traditional warfighting capabilities. The US’ National Security Strategy highlights that China is the only competent competitor that the US faces as it has both the intent and capability to redesign international rules. As we highlighted in past reports, China is the only state currently on a trajectory to join the US in the first tier of cyber powers (Figure 8). The DoD maintains that China poses a broad and pervasive cyber espionage threat and has routinely conducted malicious cyber activity against US critical infrastructure including the Defense Industrial Base (DIB).
Figure 8: China is the only state currently on a trajectory to join the US in the first tier of cyber powers
Source: IISS, J.P. Morgan Strategic Research
Note: IISS methodology for assessing cyber power analyses the cyber ecosystem of each country and how it intersects with international security. The countries are assessed in seven categories: (1) Strategy and doctrine, (2) Governance, command and control, (3) Core cyber-intelligence capability, (4) Cyber empowerment and dependence, (5) Cyber security and resilience, (6) Global leadership in cyberspace affairs, (7) Offensive cyber capability economic competition and military affairs. The 15 countries are divided into three tiers of cyber power and within each tier alphabetically and are detailed as follows:
Tier I: World-leading strengths across all categories in the methodology
Tier II: World-leading strengths in some of the categories
Tier III: Strengths or potential strengths in some of the categories but significant weaknesses in others.
While US cyber strategy emphasizes the importance of partnering with allies, China’s strategic partners are not spared from its cyber operations, according to Microsoft. As China has expanded its global influence through the Belt and Road Initiative (BRI), Chinese cyber threat actors have simultaneously levied cyber operations against private and public entities globally. They often target countries aligned with the CCP’s BRI strategy—including Malaysia, Indonesia, and Kazakhstan—and foreign ministries across Europe, LatAm and Asia to pursue economic espionage or intelligence collection. The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment Report declared that China “probably currently represents the broadest, most active, and persistent cyber espionage threat to [the] US”.
China’s cybersecurity regulations emphasize government sovereignty on cyberspace and data and are focused on formulating national standards for cybersecurity and data protection. The four pillars are: the Cybersecurity Law (CSL), Data Security Law (DSL), Personal Information Protection Law (PIPL) and Critical Information Infrastructure Security Protection Regulation. The government also issued a series of documents such as “Cybersecurity review measures”, “Cloud computing service security assessment measures”, “Automotive data security management rule (trial)” and established a National Cybersecurity Emergency Office and an emergency coordination and reporting mechanism on cybersecurity. With the rapid development in AI technology, the “Interim measures for the management of generative AI services” was implemented on August 15, 2023. At the recent APEC summit, Presidents Biden and Xi established an intergovernmental dialogue on AI, citing the need for cooperation and robust regulation.
Yet, nation states such as China will likely leverage AI as a weapon through more intense and frequent cyber operations, while the intensification of US export restrictions on the technology and semiconductor industry has only slowed, not stopped China’s great cyber power ambitions. China’s policy of “civil military fusion” incentivizes cooperation between the civilian and military sectors. China also possesses a deeper pool of talent with twice as many PhD candidates in science, technology, engineering and mathematics as the US.5 The announcement of an advanced 5G phone by Huawei during Commerce Secretary Raimondo’s visit to China demonstrates that existing US export controls are not stopping China’s pursuit of critical technologies. Hence, the US Department of Commerce has placed further restrictions on supplying AI semiconductor chips and semiconductor capital equipment to China, with the supply of AI chips to Chinese corporates from the US facing suspension starting from November 16, 2023 (see China generative AI: Thoughts on impact from gen AI development in China from further US AI chip restrictions, 20 Oct and China Generative AI: Thoughts on industry development and outlook after JPM China AI tour, Alex Yao, 8 Aug).
The new “Interim Final Rule” was released on October 17 and includes:
- Expansion of restricted semiconductor types: The new directive widens the scope of AI semiconductor chip supply restriction by eliminating the “interconnect bandwidth” parameter. Notably, chips like A800/H800 now fall under the restriction list, pivoting the focus towards performance/density thresholds. This also brings mid-tier AI chips like L40/L40S into the restriction ambit.
- Notification mandate for advanced computing chips: A notification prerequisite has been introduced for advanced computing chips with AI capabilities destined for the consumer IC market, including high-end gaming chips.
- Broader licensing requisites across geographies: Expanding license requirements for semiconductor manufacturing equipment to apply beyond the PRC and Macau to 21 other countries for which the US maintains an arms embargo. The licensing protocols stretch across ~45 countries.
Our internet analyst, Alex Yao, sees China’s AI developers becoming increasingly less time efficient in their algorithm and model development over the next few years. It will take increasingly more time for LLM (large language model) development in China as larger data sets and more model parameters are required for model training, while computing power growth is handicapped. Our analysts believe that AI chip supply restriction and potential restrictions on Chinese companies’ access to cloud-computing services will accelerate China’s LLM market consolidation as computing power becomes scarce and potentially cost prohibitive. The price of cloud-based GPU computing power could increase significantly in the near future, which will make model training difficult to afford for small LLM developers. They favor large domestic LLM operators who already possess large amounts of AI chips and see Baidu, Tencent, and Alibaba as better positioned due to their substantial reserves of AI chips, which provide the necessary computing power for model training. In addition to model training, their AI chip reserve could be monetized with increasing margin as GPU computing power becomes scarce, in their view.
Businesses re-thinking business models in areas with high geopolitical tensions
Cybersecurity and data protection concerns emanating from geopolitical tensions are influencing investment decisions, with business continuity (67%) and reputational damage (65%) cited as the key concerns. Nearly 50% of business leaders indicate that geopolitical instability is causing them to re-evaluate the countries with which they do business according to the World Economic Forum’s Global Cybersecurity Outlook 2023. Respondents indicate that AI and machine learning (20%), greater adoption of cloud technology (19%) and advances in user identity and access management (15%) will have the greatest influence on their cyber risk strategies over the next two years.
Figure 9: How geopolitical risk has influenced organizations’ cybersecurity strategy
Source: World Economic Forum Global Cybersecurity Outlook 2023
Only 36% of those surveyed are confident that their organization is cyber resilient according to the World Economic Forum (WEF) cybersecurity outlook. Moody’s 2023 cyber survey covers 71 global sectors with $80trn in outstanding debt. Twenty-three sectors, or 28% of the $80trn in collective Moody’s-rated debt, have high or very high cyber risk exposure.6 The Moody’s survey highlights that cybersecurity spending as a share of technology budget has increased by 70% across all sectors between 2019 and 2023 (Figure 10).
Figure 10: Cybersecurity spending as a share of technology budget, 2019 to 2023
Light purple = 2019; Dark purple = 2023; Bars on the right-hand side are the % change in cyber spending from 2019-2023
Source: Moody’s
PwC’s 2023 CEO Survey, which surveyed over 4,400 CEOs from 105 countries and territories, found that in the short term (next 12 months) most CEOs remain unprepared for the evolving cyber landscape. Cybersecurity researchers have demonstrated numerous ways AI could be used maliciously, such as creating polymorphic malware or writing highly convincing phishing emails at scale.7 Over the next year, CEOs feel most exposed financially to inflation, macroeconomic volatility and geopolitical risk followed by cyber risks, but in the medium-term (five-year) outlook, cyber risks tied with geopolitical risks in third place as the most exposed risk (Figure 11), similar to the WEF results. Nearly half of CEOs who say they are exposed to geopolitical risk are increasing their investments in cybersecurity or data privacy, adapting supply chains or adjusting their geographic footprint (Figure 12). However, generative AI presents an emerging threat, with 64% of CEOs acknowledging its potential misuse for malicious activities like phishing scams and automated hacks. Digital innovation, such as generative AI, will likely introduce new forms of complexity that could expose and create cyber vulnerabilities.
Figure 11: Cyber risks join top tier of risk exposure in CEOs’ medium-term (five-year) outlook
Question: How exposed do you believe your company will be to the following key threats in the next 12 months and the next five years? (Showing only ‘highly exposed’ and ‘extremely exposed’ responses)
Source: PwC's 26th Annual Global CEO Survey
Figure 12: CEOs increasing cyber investments, adjusting supply chains and changing physical footprint due to geopolitical conflict
Question: Which of the following actions, if any, is your company considering to mitigate against exposure to geopolitical conflict in the next 12 months?
Source: PwC's 26th Annual Global CEO Survey
Cybersecurity is a particular area of emphasis for larger companies exposed to geopolitical conflict, but smaller ones experience greater costs after a cyberattack given the lack of cyber insurance. It is not a coincidence that around 70% of organizations encountering human-operated ransomware had fewer than 500 employees.8 In the WEF survey, smaller organizations were more likely to report they did not have cyber insurance (48%) than larger organizations (16%). Figure 13 shows that 46% of companies with fewer than 1,000 employees did not have cyber insurance compared to 15% with more than 1,000 employees. According to Munich Re, the cyber insurance market is projected to grow to $33bn in premiums in 2027 from the current level of ~$12bn. The industry has seen an increase in settlement amounts following class action lawsuits. In late 2022, the industry saw a $392mn settlement in a large multi-state privacy case against Google.
Figure 13: Has your organization submitted a claim using your cyber insurance policy in the past two years?
Source: World Economic Forum Global Cybersecurity Outlook 2023
Insurance premiums have increased by a median of 50% between 2020 and 2022 according to the Moody’s survey, in response to losses cyber insurers suffered in 2020 after a steep increase in ransomware attacks during COVID-19. Some US issuers in education, healthcare, construction and manufacturing experienced hikes of 300% or more in 2021. Despite the higher cost of cyber insurance, only 3% of issuers indicated that they would buy less cyber coverage in 2023 compared to 2022.
Figure 14: Growth in cyber insurance pricing for insurer Marsh customers in the US & UK
Source: Marsh
Yet, despite the pick-up in ransomware frequency following a slowdown in 2022, our European insurance analysts remain positive on cyber insurance for the strong growth potential and high margins. The team suggests the best way to play cyber insurance in European insurance is Beazley (OW) with >20% of revenues in 2022 from this class of business and Munich Re (OW) which is the largest reinsurance player in the market (See Love Actuary: #73 - Cyber insurance remains attractive despite small reduction in prices, Kamran M Hossain, 9 Nov).
According to another survey by Accenture, which involved 1,000 global CEO respondents from 15 countries across 19 industries, while a majority (96%) of CEOs acknowledge the critical role of cybersecurity in organizational growth and stability, only 33% have deep knowledge of the evolving cyber threat landscape. 74% of CEOs have expressed concern about their organizations’ capability to mitigate damage from a cyberattack. Many CEOs also have a reactive approach to cybersecurity, with 60% of CEOs admitting that their organizations do not initially integrate cybersecurity into their business strategies, services or products. For example, 54% of CEOs believe that implementing cybersecurity measures is costlier than enduring a cyberattack, contrary to historical evidence. While 90% of CEOs recognize cybersecurity as a key differentiator for their offerings, only 15% allocate board meetings to discuss cybersecurity issues.
Cyber events, especially cyberattacks, are already among the top and most frequently cited risks in financial stability surveys in the US and globally. The recent ransomware attack on the Industrial & Commercial Bank of China (ICBC), the world’s largest lender by assets, temporarily disrupted trades and liquidity in the US Treasury market. This event highlights how malicious actors could expose vulnerabilities in the financial system and set off a cascade of disruption to financial stability. In DTCC’s Systemic Risk Barometer Survey, cyber risk consistently ranks as the top risk since the survey was launched in 2013 with exceptions in 2021, when it was outranked by pandemic risks and in 2023, when it was outranked by geopolitical risks and inflation concerns (Figure 15).
Figure 15: Cyber risk ranked amongst top global financial stability risks in DTCC’s Systemic Risk Barometer Survey
Respondents (%)
Source: DTCC, J.P. Morgan Strategic Research
The Bank of England's 2023 H2 Systemic Risk Survey also lists cyberattack along with geopolitical risks as the most frequently cited risks among participants, with cyber risk at its highest level recorded in the survey this year (Figure 16).
Figure 16: Proportion of respondents citing cyber risk is at its highest level recorded in the BoE’s Systemic Risk Survey
Respondents (%)
Source: Bank of England Systemic Risk Surveys and Bank calculations.
AI in the civilian world and the escalating costs of cyber threats: A dark side to productivity gains
The rise of generative AI and large language models has opened a Pandora’s box of unprecedented technological possibilities across industries but has also raised significant concerns surrounding cybersecurity given the propensity of AI to be used to amplify existing cyber threats. With ChatGPT going mainstream in November 2022, investors have since bought into generative AI’s transformative potential, rewarding AI-chipmakers such as Nvidia, which has seen a more than 200% increase in its share price YTD. However, the rise in generative AI has also brought with it discussions of the dangers that are apparent especially through the lens of cybersecurity as AI can enhance threat-actor capabilities, increase effectiveness of attacks, and lower barriers to entry for cybercriminals.
As the cyber threat landscape evolves rapidly, the potential for disruptions to business as usual remains significant as the creation and spread of disinformation becomes easier, faster, cheaper and more effective with the rise of AI. In what seemed like a scene out of a popular American heist film, customers at the popular MGM Resorts in Las Vegas and other US regions found themselves facing a chaotic scene in mid-September ranging from downed slot machines to malfunctioning digital room keys to handwritten receipts for casino winnings. It was quickly revealed that MGM suffered a widespread cyber security breach that led to a forced shutdown of its internal networks which took 10 days to fully resolve. The cost of the disruption to operations is an estimated $100mn hit to MGM’s third-quarter results along with a nearly $10mn one-time expense for technology, consulting, legal and other advisor costs. While MGM believes its cybersecurity insurance will be sufficient to cover the expenses, the full scope of costs has not been determined (see MGM Resorts International: 3Q23/September Cyber Impact Likely More Modest Than Feared, Joseph Greff, et al., 5 Oct). The incident at MGM serves as just one example in the broader trend of escalating cyber threats impacting the daily operations of companies, not just national security attacks that target the critical infrastructure sector. Our Gaming & Lodging equity analysts remain OW MGM as they see the business, particularly in Las Vegas, on solid footing despite the impact from the one-time cyberattack (see MGM Resorts International: Adjusting Estimates for Cyber Attack Impact, Joseph Greff et al., 20 Oct).
We are also not entirely pessimistic as AI may drive faster productivity growth. At the macro level, greater use of AI could lift productivity growth from its recent dismal run rate. If the labor-saving promise of AI is realized, this should have a depressing effect on inflation (see US: AI and interest rates, Michael Feroli, 13 July). There is an argument to be made that generative AI has the potential to fill critical gaps in cyber defense especially as the cybersecurity workforce gap has reached a record high of 4mn, despite 440,000 people joining the cybersecurity profession between 2022 and 2023. 86% of Chief Information Security Officers (CISOs) believe that generative AI will alleviate skills gaps and talent shortages on their security teams.9 With the use of security AI and automation in the detection and investigation of threats on the rise, the implications of a data breach or cyber event have been shown to be successfully reduced or mitigated. According to IBM, organizations with extensive use of security AI and automation identified and contained a data breach 108 days faster than organizations with no use. Additionally, 61% of organizations now employ some level of security AI and automation, of which 28% of organizations extensively used security AI and automation tools which helped deliver cost savings of nearly $1.8mn in the event of a data breach compared to $5.36mn for organizations with no use of security AI and automation. The latter is 18.6% more than the 2023 average cost of a data breach of $4.45mn. AI could also help by automating and augmenting many aspects of cybersecurity, such as threat detection, response, analysis, and prediction, which could address the 4mn worker cybersecurity workforce gap and could also enable new capabilities and opportunities, such as using LLMs to generate natural language insights and recommendations from complex data, helping make junior analysts more effective and giving them new opportunities to learn.10
See Figure 17 and Figure 18 for a description of the types of cyberattacks that could be amplified by AI and potential ways AI could be leveraged for cyber defense.
Figure 17: Types of cyberattacks and how AI can amplify risks
Type of risk | Description and how AI can be used to amplify cyber risks |
Social engineering attacks | Typically involves the psychological manipulation of individuals into performing actions or divulging confidential or sensitive information and data (e.g., passwords or credit card numbers). Amplified AI risk: GenAI's (e.g., ChatGPT) ability to understand context, its impressive fluency, and its human-like text generation could be leveraged by malicious actors to generate persuasive and context-specific messages to use in these attacks. |
Phishing attacks | Malicious actors pose as trustworthy entities to extract sensitive information from unsuspecting victims. Amplified AI risk: GenAI's (e.g., ChatGPT) ability to learn patterns in regular communications can be used to craft highly convincing and personalized phishing emails that effectively imitate legitimate communication from trusted entities, a technique known as “spear phishing”. |
Automated hacking | A practice involving the exploitation of system vulnerabilities to gain unauthorized access or control. Amplified AI risk: Malicious actors armed with appropriate programming knowledge can potentially utilize AI models, such as ChatGPT, to automate certain hacking procedures. Additionally, with a large enough dataset of known software vulnerabilities, an AI model could be used to scan new code for similar weaknesses, identifying potential points of attack. |
Attack payload generation | Portions of malicious code that execute unauthorized actions, such as deleting files, harvesting data, or launching further attacks. Amplified AI risk: Attackers could leverage GenAI text generation capabilities to create attack payloads and to generate payloads designed to bypass Web Application Firewalls (WAFs). |
Malware and ransomware creation | Malware is software that is installed on a computer without the user’s consent and that performs malicious actions, such as stealing passwords or money. Ransomware is malware designed to deny a user or organization access to files on their computer by encrypting them and demanding a ransom payment for the decryption key. Amplified AI risk: A powerful AI model like ChatGPT could automate the process and shorten the time needed to write malicious software, which typically requires significant skill and a considerable amount of time. |
Polymorphic malware | Represents a sophisticated class of malicious software designed to alter its code with each execution, thus undermining antivirus software’s detection and eradication capabilities. Amplified AI risk: Leveraging GenAI's generative prowess, potential misuse could facilitate polymorphic malware generation. |
Disinformation and propaganda campaigns | Content deliberately created to mislead, harm, or manipulate a person, social group, organization, or country. Amplified AI risk: Malicious actors can use GenAI to construct realistic photos, audios or videos (i.e., deepfakes) to convincingly portray actions or events that did not in fact occur to spread false information. |
Source: IEEE, J.P. Morgan Strategic Research
Figure 18: How AI can be leveraged to benefit cyber defense
Task | Description of how AI can benefit cyber defense |
Cyber defense automation | Intelligent algorithms can be used to monitor network anomalies and to detect emerging dangers that lack established signatures. They can also be used to correlate data from silos to evaluate network risks and vulnerabilities as well as comprehend the nature of attacks. By cross-checking the accuracy of data across numerous dispersed databases, AI and ML may be able to assist identity management. |
Threat intelligence | By analyzing data and files to identify illegal connections, unwanted communication attempts, odd or malicious credential use, brute force login attempts, anomalous data transfer, and data exfiltration, AI can monitor network activity in real-time. This makes it possible for companies who provide cyber defense to make statistical deductions and guard against anomalies before they are discovered and fixed. |
Cybersecurity reporting | Ability to generate natural language reports based on data and events to make informed decisions on cybersecurity strategies and investments. AI helps in analyzing large volumes of data to identify potential threats, assess risk, suggest mitigation strategies and can generate accurate, comprehensive and easy-to-understand reports. |
Secure code generation and detection | AI models enhance code review by detecting security bugs, automating the process, and generating secure code, improving software integrity, confidentiality and availability. |
ID'ing cyber attacks | Helps in identifying cyberattacks by analyzing security-related data, such as network logs and security event alerts. By processing and analyzing this data, it can generate natural language descriptions of the attack vectors, techniques, and motivations used by attackers. AI can also provide suggestions and identify potential security risks to assist developers in writing secure code. |
Training and Education | GenAI can help aggregate security data, suggest next steps to make enhancements and even take automated actions if configured to do so. It can also piggyback on analytics engines to aid security analysts in areas such as alert triage and security investigations. GenAI could also be leveraged to increase the knowledge and work rate of inexperienced people by completing repetitive tasks and revealing knowledge blind spots. |
Source: IEEE, J.P. Morgan Strategic Research
Global spending on cybersecurity has topped $188bn in 2023 while cybercrime is estimated to cost the global economy $8trn this year, which surpasses the annual GDP of every country except for the US and China. According to Gartner, global cybersecurity spend is estimated to reach $215bn next year and is on pace to surpass $260bn by 2026 but, as we noted in our previous report, costs related to cybercrime are estimated to hit $10.5trn a year by 2025 (see J.P. Morgan Perspectives: Cyber: The new frontline of geopolitics, Joyce Chang, Amy Ho et al., 22 Nov 2022). The number of cyber breaches soared between 2014 and 2020 and has plateaued with the overwhelming majority of reported cyberattacks occurring in the Americas (Figure 19).
Figure 19: Reported cyberattacks, by region
Source: Bitsight
The average cost of a data breach has also climbed to a new high of $4.45mn (Figure 20) with 82% of breaches involving data stored in the cloud—public, private or multiple environments. For the 13th consecutive year, the US has held the title for the highest average cost of a data breach at $9.5mn, followed by the Middle East at $8.1mn, Canada $5.1mn, Germany $4.7mn and Japan at $4.5mn according to IBM’s 2023 Cost of a Data Breach Report (Figure 21).
Figure 20: Average cost of a data breach has climbed to a new high of $4.45mn
$mn
Source: IBM Security, Cost of a Data Breach Report 2023
Figure 21: The US has held the title for the highest average data breach costs for the 13th consecutive year
$mn
Source: IBM Security, Cost of a Data Breach Report 2023, J.P. Morgan Strategic Research
According to our ESG colleagues, organizations that collect a large volume of customer data are at higher risk of experiencing data breaches and bearing the associated costs. In their examination of constituents within the MSCI World Index, nearly all companies in the Financial and Communication sectors have a high or medium level of exposure to data privacy risk (Figure 22) and rank amongst the top 10 highest in average costs of a data breach across sectors (Figure 23). 78 US companies have experienced data breaches or data privacy controversies in the past three years, representing 13% of the US constituents of the MSCI World Index. Notably, companies most frequently involved in these types of controversies are tech giants including Meta and Amazon. In APAC, companies logged the second-highest number of cases, but these involved only 3% of constituents, suggesting a higher concentration of risk (see ESG - The Long View: ChatESG 2.0 - Data security and privacy in the age of AI, Hugo Dubourg et al., 4 Jul).
Figure 22: Financials, communication services and healthcare are the top three sectors most exposed to data privacy risk…
% of companies with different level of exposure
Source: J.P. Morgan, MSCI ESG Research.
Figure 23: … and rank amongst the top 10 highest in average costs of a data breach across sectors
$mn, average cost of a data breach
Source: J.P. Morgan, MSCI ESG Research
Cyber regulation is advancing in larger economies but lags in EM
The CSIS Strategic Technologies Program has compiled an index of existing cyber strategies and laws by country and territory. The index includes national strategies addressing civilian and military national cyber defense, digital content, data privacy, critical infrastructure protection, e-commerce, and cybercrime. This provides policymakers and diplomatic officials a unified, at-a-glance database of global legal and policy frameworks to help the global community understand, track, and harmonize regulations internationally. In the US, the National Conference of State Legislature tracks significant legislation from all 50 states related to cybersecurity, data privacy and artificial intelligence.
There appears to be no political momentum for implementing federal privacy legislation although the FTC has highlighted that self-regulation around digital privacy is not working, particularly with advances in generative AI. Only five out of 50 US states—California, Colorado, Connecticut, Utah and Virginia—have adopted comprehensive data legislation. Current regulatory proposals are focused on improving disclosure and providing more transparency to investors so that they can assess the strength of cyber risk governance. The US Securities and Exchange Commission voted in July to adopt rules requiring SEC registrants and foreign private issuers to disclose material cyber incidents they experience and to report annually on their cybersecurity risk management, strategy, and governance. Legislators and regulators in Canada, the EU and other countries have introduced similar measures.
The US Federal Trade Commission (FTC) recently released a report detailing its work to combat ransomware and other cyberattacks.11 The FTC reports that it has brought more than 80 enforcement actions involving data security, typically based on allegations concerning deceptive company promises involving security or a company’s failure to implement reasonable security practices. The report highlights the FTC’s efforts to implement robust data security enforcement programs to prioritize safeguarding consumers and recommends that the US Congress enact privacy and data security legislation that is enforceable by the FTC. The FTC has proposed market-wide rules to help prevent what the Commission views to be some of the more harmful uses of AI, including proposed rules regarding impersonators and fake reviews. We note that the FTC has no law enforcement powers over cybercriminals although it has previously pushed for comprehensive legislation that would expand the FTC’s civil penalty authority, rule-making authority, and jurisdiction over non-profits and common carriers.
According to the China Cybersecurity Industry Alliance (CCIA), cybersecurity regulation has been implemented in practice. For instance, about a dozen regional banks have been named and required to make rectifications for infringing on user rights and illegally obtaining personal information. CCIA estimated that the cybersecurity industry in China reached 63.3 billion yuan in 2022 and will likely exceed 80 billion yuan in 2025.
Among emerging markets, most central banks or supervisory authorities have not introduced cybersecurity regulations or built resources to enforce them according to a recent IMF survey of 51 countries, putting them at a substantial disadvantage in their ability to respond to major cyberattacks. 56% of the central banks or supervisory authorities do not have a national cyber strategy for the financial sector while 42% lack a dedicated cybersecurity or technology risk-management regulation, and 68% lack a specialized risk unit as part of their supervision department. 64% do not mandate testing and exercising cyber security measures or provide further guidance and 54% lack a dedicated cyber incident reporting regime. 48% do not have cybercrime regulations.
Figure 24: State of cyber risk oversight at supervisory authorities
Share of surveyed countries
Source: IMF staff survey, state of play at supervisory authorities. Note: IMF staff surveyed 51 emerging markets and developing economies between Dec 2021 and March 2022. The classification of the practices is based solely on survey responses and does not include qualitative evaluation by IMF staff.
Global race to regulate AI is on with Europe and China in the lead
The geopolitics of AI have given rise to digital sovereignty, which refers to a nation’s ability to control its digital destiny and may include control over the entire AI supply chain, from data to hardware and software.12 Industrial policies are designed explicitly to protect the supply chain and maintain sovereign technological leadership. Indeed, the US National Security Commission on Artificial Intelligence (NSCAI) report issued in March 2021 recommended creating “choke points” that limit Chinese access to semiconductors to stall progress in some areas of technological development. The rapid development of generative AI will make regulation even more complex and difficult. In DM economies, private sector AI firms are the key actors in generative AI research and frontier models, making regulation much more difficult as funding, hardware, compute and data will continue to be concentrated in the private domain.
Figure 25: Affiliation of research teams building notable AI Systems
Number of research teams
Source: Our World in Data. Data accessed on Nov 21, 2023.
The Biden administration has attempted to regulate and harness AI’s potentially game-changing cyber capabilities to make software and networks more secure through its latest Executive Order and the launch of the AI Cyber Challenge. On October 30, President Biden issued an Executive Order (EO) that establishes new standards for AI safety and security. The EO establishes an advanced cybersecurity program to develop AI tools to find and fix vulnerabilities in critical software. It builds on the administration’s ongoing AI Cyber Challenge, launched back in August, which is a two-year competition aimed at creating state-of-the-art AI-powered cybersecurity systems designed to secure the nation’s critical infrastructure. Major AI leaders such as OpenAI, Google and Microsoft have signed on to take part in the competition. Our US software equity analysts view IBM among those best positioned to benefit from the EO as it targets establishing governance and control over AI development as more enterprises attempt to adopt the technology. Our analysts see other vendors in the process of emerging as well positioned, including those with technology to protect code used to develop models and platforms used to control and govern data that could be exposed by AI.
In contrast, China’s approach to AI is heavily based on central government control and guidance that puts responsibility on private companies to moderate, ban or promote certain types of content.13 Government agencies also own minority stakes in private companies through state-run private equity funds. China has signaled that it will diminish its reliance on foreign-developed open-source software. In October, China announced its Global AI Governance Initiative (GAIGI) which focuses on several issues: ensuring AI is beneficial to human progress, opposing exclusive groups that obstruct AI development in certain countries, establishing a testing and assessment system for AI risk levels, establishing an international institution to govern AI, and ensuring that assistance is provided to developing countries. The GAIGI is expected to bring together all 155 countries which make up the Belt and Road Initiative, making it one of the largest AI governance forums created.14 China has taken a number of additional steps to govern AI, including issuing interim measures for the management of generative AI services which went into effect in August and gave China a “first-mover advantage in AI regulation.”15
Europe has taken the most comprehensive steps to regulate AI through the AI Act.16 This is the first comprehensive law on AI proposed by a major authority worldwide. The law assigns applications of AI to three risk categories. First, applications and systems that create an unacceptable risk, such as government-run social scoring of the type used in China, are banned. Second, high-risk applications, such as a CV-scanning tool that ranks job applicants, are subject to specific legal requirements. Lastly, applications not explicitly banned or listed as high-risk are largely left unregulated. It remains to be seen whether the EU AI Act will gain traction. Similar to the EU’s General Data Protection Regulation (GDPR) in 2018, the EU AI Act focuses on measures to address individual damage from AI rather than systemic risk. However, the EU has drafted regulations that would consider the liability of software producers through the Cyber Resilience Act (CRA),17 published in September 2022.
The UK held the first Global AI Safety Summit, where 28 governments signed the Bletchley Declaration, including the US and China. The US and UK both announced plans to launch their own AI safety institutes while two more summits were announced to take place in South Korea and France next year. While some consensus was reached on the need to regulate AI at the summit, disagreements remain over exactly how that should happen along with who will lead such efforts.
Market views
Going into 2024, the strength of AI services, across the universe of hardware, software and data, could continue. Cybersecurity companies stand to benefit from sustained demand as ongoing geopolitical risks could trigger increased cyber warfare. We highlight companies that seem best positioned across regions:
Our US software equity analysts believe we will continue to see a growing focus on AI/ML and GenAI as scalability of labor resources remains an issue across the global IT landscape and see Palo Alto Networks (PANW), CrowdStrike (CRWD), SentinelOne (S) and Zscaler (ZS) best positioned to make an impact. The team also upgraded CyberArk to Overweight given they see opportunity for upside in the wake of accelerating demand as CyberArk has some of the most favorable exposure to high priority security spending within their coverage (see State of Security: Key Cybersecurity Topics and Metrics, Brian Essex, CFA, 5 Nov).
In Europe, our Tech Software & IT Services analysts see Value Added Resellers (VARs) and cyber channel partners as well placed given that they have already proven themselves in a Software-as-a-service (SaaS)-heavy space through emphasis on customized, high value-add services. They offer a more technology-agnostic exposure to secular growth trends than investment into individual software and hardware vendors and also generally offer a degree of diversification, while also offering exposure to mission-critical and high-growth areas of IT budgets. Leading cyber distributors, like Exclusive Networks (EXN), have navigated the SaaS-dominated space well, separating themselves vs peers through offering specialized services such as security assessments, customized integration and security operations centers as a service, as well as their own cloud sales platform (see First Principles – Value Added Resellers (VARs): Capital-light beneficiaries of secular tech trends, Joseph George et al., 18 Jul).
Despite the pick-up in ransomware frequency following a slowdown in 2022, our European Insurance analysts see the cyber market as an attractive area with strong profitability and good exposure in the coming years. Outside of claims trends, the team has begun to see small reductions in pricing following a period of very rapid price improvements. The latest pricing data from Beazley showed a 4% reduction in cyber pricing at the 9M23 statement. However, prices are more than 2.5x higher than they were in 2020, which more than adequately reflects the risk of ransomware claims frequency. The analysts see the best way to play cyber insurance in European insurance through Beazley (OW) with >20% of revenues in 2022 from this class of business and Munich Re (OW) which is the largest reinsurance player in the market (see Love Actuary: #73 - Cyber insurance remains attractive despite small reduction in prices, Kamran M Hossain, 9 Nov 2023).
Our China internet analysts see Baidu (OW) as the best investment proxy for generative AI development in China and view Baidu as better positioned than peers as the company just accomplished a technical leapfrog of LLM quality. AI chip restrictions introduce new uncertainties to Chinese LLMs’ model development and training. While Alibaba and Tencent might have sufficient AI chips and talent for development of a ChatGPT 4.0 equivalent, it’s unclear that they will achieve a ChatGPT 4.0 equivalent with their existing resources. On the other hand, Baidu is the only Chinese LLM developer to have already launched a ChatGPT 4.0 equivalent so far. Our analysts believe Baidu has first-mover advantage in the LLM industry, considering that: 1) its gen-AI commercialization and launch of various products will attract key customers earlier than peers, and 2) increasing adoption of Baidu’s gen-AI in early development stage could lead to the establishment of industry standards by Baidu. The team remains confident in its capability to build a comprehensive AI industry ecosystem, leveraging its technology and first-mover advantage.
Our Asia equity research team highlights that cyber risk is coming to the fore across APAC banks after reports that account details of 15mn customers of Indonesia’s largest Islamic lender, Bank Syariah Indonesia (BSI), were published online. Our analysts highlight the potential costs of cybersecurity incidents, including financial losses from unauthorized debits, which can be in cash, digitized assets, loss of confidence in the banks’ systems, penalties from regulators, damages from lawsuits and identity theft and phishing for customers whose details have been compromised (see APAC Banks: A primer on IT/Cyber risks, Harsh Wardhan Modi et al., 18 May).
For more resources on the developments in the AI market, see J.P. Morgan Research’s “Investable AI” page on J.P. Morgan Markets which is updated regularly with the latest research, tools and recommendations on this theme from our broader research teams.
Appendix
J.P. Morgan Research
Americas Economic Research
US: AI and interest rates, Michael Feroli, 13 July 2023
US Equity Research
MGM Resorts International: Adjusting Estimates for Cyber Attack Impact, Joseph Greff et al., 20 October 2023
MGM Resorts International: 3Q23/September Cyber Impact Likely More Modest Than Feared, Joseph Greff, et al., 5 October 2023
Europe Equity Research
Love Actuary: #73 - Cyber insurance remains attractive despite small reduction in prices, Kamran M Hossain, 9 November 2023
State of Security: Key Cybersecurity Topics and Metrics, Brian Essex, CFA, 5 November 2023
ESG - The Long View: ChatESG 1.1 - Update on global AI policies, Hugo Dubourg, 31 October 2023
First Principles – Value Added Resellers (VARs): Capital-light beneficiaries of secular tech trends, Joseph George et al., 18 July 2023
Asia Pacific Equity Research
FW: Baidu.com (BIDU US & 9888 HK) : Expecting sizable financial contribution from gen AI monetization in 2024, Alex Yao et al., 22 November 2023
China generative AI: Thoughts on impact from gen AI development in China from further US AI chip restrictions, Alex Yao et al., 20 October 2023
China Generative AI: Thoughts on industry development and outlook after JPM China AI tour, Alex Yao et al., 8 August 2023
APAC Banks: A primer on IT/Cyber risks, Harsh Wardhan Modi et al., 18 May 2023
Reference Materials
ICBC Tells Clients to Reroute Some Trades After Cyber Issue, Bloomberg, 9 November 2023
Israel's AI Revolution: From Innovation to Occupation, Anwar Mhajne, Carnegie Endowment for International Peace, 2 November 2023
Policy Paper: The Bletchley Declaration by Countries Attending the AI Safety Summit, GOV.UK, 1 November 2023
Microsoft Digital Defense Report 2023, Microsoft Threat Intelligence, October 2023
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations, Cybersecurity & Infrastructure Security Agency, October 2023
ISC2 Reveals Growth in Global Cybersecurity Workforce, But Record-Breaking Gap of 4 Million Cybersecurity Professionals Looms, ISC2, 31 October 2023
The FTC’s Efforts in the Greater Fight Against Ransomware and Cyber-Related Attacks, The US Federal Trade Commission, 20 October 2023
President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence, The White House, 30 October 2023
Nvidia 8-K filing, Securities and Exchange Commission, 17 October 2023
Cyber budgets increase, executive overview improves, but challenges lurk under the surface, Moody’s, 28 September 2023
Gartner Forecasts Global Security and Risk Management Spending to Grow 14% in 2024, Gartner, 28 September 2023
Biden-Harris Administration Launches Artificial Intelligence Cyber Challenge to Protect America’s Critical Software, The White House, 9 August 2023
The IDF introduces Artificial Intelligence to the Battlefield – A new frontier?, Tal Mimran and Lior Weinstein, Lieber Institute West Point, March 2023
Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards, Tobias Adrian and Caio Ferreira, IMF Blog, 2 March 2023
Global Cybersecurity Outlook 2023, World Economic Forum, January 2023
Global Risks Report 2023, World Economic Forum, 11 January 2023
Freedom on the Net 2023: The Repressive Power of Artificial Intelligence, Shahbaz, Funk, Brody, Vesteinsson, Baker, Grothe, Barak, Masinsin, Modi, Sutterlin eds, Freedom House, 2023
Cost of a Data Breach Report 2023, IBM, 2023
2023 Identity Security Threat Landscape Report, CyberArk, 2023
Systemic Risk Barometer Survey: 2023 Risk Forecast, DTCC, 2023
The Cyber-Resilient CEO, Accenture, 2023
A comparison of cybersecurity regulations: China, Asia Business Law Journal, 19 October 2022
Cyber Resilience Act, European Commission, September 2022
The AI Act, European Commission, April 2021
The CISO Report, Ryan Kovar and Kirsty Paine, Splunk, 2023
Artificial Intelligence in Israel, Liran Antebi, INSS, 2021
Cyber Strategy 2018, Department of Defense
Websites
Center for Strategic and International Studies Global Cyber Strategies Index
National Conference of State Legislatures Cybersecurity Legislation 2022
Strategic Research
J.P. Morgan Perspectives
J.P. Morgan Perspectives: Navigating China’s financial markets, Joyce Chang et al., 6 September 2023
J.P. Morgan Perspectives: Food Security and Climate Change: The Makings of a Perfect Storm, Joyce Chang et al., 10 August 2023
J.P. Morgan Perspectives: The great supply chain disruption: ASEAN’s rise, India’s potential, USMCA and Chino-Latino flows, Joyce Chang et al., 23 June 2023
J.P. Morgan Perspectives: ESG and Supply Chain Risks: Putting the Spotlight on the “S” and “G” in ESG, Joyce Chang et al., 2 May 2023
J.P. Morgan Perspectives: The state of global gender balance in 2023, Joyce Chang et al., 7 March 2023
J.P. Morgan Perspectives: Japan’s Big Exit: Ten Questions about Japan’s Regime Change, Joyce Chang et al., 31 January 2023
J.P. Morgan Perspectives: ESG in the USA: The Disunited States, Joyce Chang et al., 22 November 2022
J.P. Morgan Perspectives: Cyber: The new frontline of geopolitics, Joyce Chang et al., 21 November 2022
J.P. Morgan Perspectives: Food Insecurity: A New Normal, Joyce Chang et al., 20 September 2022
J.P. Morgan Perspectives: Goodbye to Negative Yields, Joyce Chang et al., 15 June 2022
J.P. Morgan Perspectives: China’s Financial Markets: Long-term opportunities meet near-term challenges, Joyce Chang et al., 7 June 2022
J.P. Morgan Perspectives: Mind the gap: The pandemic’s scar on gender parity, Joyce Chang et al., 2 March 2022
J.P. Morgan Perspectives: ESG Outlook: Advancing Climate Innovation – The Road to 2050, Joyce Chang et al., 22 February 2022
J.P. Morgan Perspectives: ESG 2022: Energy crunch challenges Net Zero transition, Joyce Chang et al., 16 December 2021
J.P. Morgan Perspectives: Post-Pandemic Regime Change: The Great Acceleration, Joyce Chang et al., 14 December 2021
J.P. Morgan Perspectives: Red Flags on Asia Housing, Joyce Chang et al., 18 November 2021
J.P. Morgan Perspectives: Is the housing market due for a correction?, Joyce Chang et al., 21 September 2021
J.P. Morgan Perspectives: Cyber Epidemic, Joyce Chang et al., 10 August 2021
J.P. Morgan Perspectives: The return of Commodities, Joyce Chang et al., 19 July 2021
J.P. Morgan Perspectives: ESG investing 2021: Going faster, deeper, broader, Joyce Chang et al., 13 May 2021
J.P. Morgan Perspectives: The widening gender gap: COVID-19 takes a toll, Joyce Chang et al., 5 March 2021
J.P. Morgan Perspectives: Digital transformation and the rise of fintech: Blockchain, Bitcoin and digital finance 2021, Joyce Chang et al., 18 February 2021
J.P. Morgan Perspectives: Build Back Better to Boost ESG, Joyce Chang et al., 16 December 2020
J.P. Morgan Perspectives: Can EM Save 60/40?, Joyce Chang et al., 2 December 2020
J.P. Morgan Perspectives: Not Business as Usual: The Rise of Stakeholderism, Joyce Chang et al., 5 October 2020
J.P. Morgan Perspectives: The Credit Crisis that Wasn’t: The Returns Crisis that Looms, Joyce Chang et al., 21 September 2020
J.P. Morgan Perspectives: Pandemic Accelerates Paradigm Shifts, Joyce Chang et al., 8 July 2020
J.P. Morgan Perspectives: ESG and COVID-19: Friends or Foes?, Joyce Chang et al., 18 May 2020
J.P. Morgan Perspectives: Achieving Gender Balance 2020: Why the Disparity?, Joyce Chang et al., 6 March 2020
J.P. Morgan Perspectives: Blockchain, digital currency and cryptocurrency: Moving into the mainstream?, Joyce Chang et al., 21 February 2020
The State of ESG in 2020, Joyce Chang, 5 February 2020
J.P. Morgan Perspectives: What if US yields go to zero?, Joyce Chang et al., 23 January 2020
J.P. Morgan Perspectives: Climate Changes ESG Investing, Part II, Joyce Chang et al., 10 December 2019
J.P. Morgan Perspectives: The rise of the corporates: Is a triple-B cliff on the horizon?, Joyce Chang et al., 1 October 2019
J.P. Morgan Perspectives: China’s index inclusion: A milestone for EM as an asset class, Joyce Chang et al., 12 September 2019
J.P. Morgan Perspectives: The rise of the corporates: Buybacks at an inflection point?, Joyce Chang et al., 17 July 2019
J.P. Morgan Perspectives: ESG Investing 2019: Climate changes everything, Joyce Chang et al., 30 May 2019
J.P. Morgan Perspectives: Leaving LIBOR: The Long Road Ahead, Joyce Chang et al., 30 April 2019
J.P. Morgan Perspectives: Paradigm Shifts: What Lies Ahead, Joyce Chang et al., 5 April 2019
J.P. Morgan Perspectives: Achieving Gender Balance 2019: Progress, Opportunities and Challenges, Joyce Chang et al., 1 March 2019
J.P. Morgan Perspectives: Made in China 2025: A New World Order?, Joyce Chang et al., 31 January 2019
J.P. Morgan Perspectives: Geopolitics and Markets: Risks on the Rise, Joyce Chang et al., 1 November 2018
J.P. Morgan Perspectives: 20 Years After the Asia Financial Crisis: How Is EM Faring?, Joyce Chang et al., 4 October 2018
J.P. Morgan Perspectives: Ten Years After the Global Financial Crisis: A Changed World, Joyce Chang et al., 10 September 2018
J.P. Morgan Perspectives: Investing in gender balance: Opportunities and challenges, Joyce Chang et al., 25 May 2018
J.P. Morgan Perspectives: ESG Investing Goes Mainstream, Joyce Chang et al., 9 May 2018
J.P. Morgan Perspectives: Decrypting Cryptocurrencies: Technology, Applications and Challenges, Jan Loeys et al., 9 February 2018
Long-term Strategy
The Long-term Strategist: Ten more strategic questions, Jan Loeys and Alexander Wise, 9 November 2023
The Long-term Strategist: US-China de-risking, long-term inflation and interest rates, Alexander Wise and Jan Loeys, 23 October 2023
The Long-term Strategist: Building Strategic Asset Allocation 2023, Alexander Wise and Jan Loeys, 10 October 2023
The Long-term Strategist: Strategic investing questions, by the dozen, Jan Loeys and Alexander Wise, 26 September 2023
The Long-term Strategist: The debate on the long-term outlook for real interest rates, Alexander Wise and Jan Loeys, 2 August 2023
The Long-term Strategist: Top long-term risks and what to do about them, Jan Loeys, 18 July 2023
The Long-term Strategist: The de-dollarization risk scenario, Alexander Wise and Jan Loeys, 16 June 2023
The Long-term Strategist: Real yields along the US curve: Long-term forecasts, Alexander Wise and Jan Loeys, 13 March 2023
The Long-term Strategist: Real bond yields in DM: Long-term projections, Alexander Wise and Jan Loeys, 21 February 2023
The Long-term Strategist: Long- vs short-term risk, Alexander Wise and Jan Loeys, 1 February 2023
The Long-term Strategist: Industrial policy, deglobalization and strategic asset allocation, Alexander Wise and Jan Loeys, 27 January 2023
The Long-term Strategist: Long-term forecasts: Update January 2023, Alexander Wise and Jan Loeys, 6 January 2023
The Long-term Strategist: Forecasting long-term US equity returns with a neural network, Alexander Wise and Jan Loeys, 20 November 2022
The Long-term Strategist: Where are we in Regime Change? Macro volatility, deglobalization, and secular rise in yields, Jan Loeys and Alex Wise, 8 November 2022
The Long-term Strategist: Long-run economic growth forecasts, Jan Loeys and Alex Wise, 10 October 2022
The Long-term Strategist: Bigger questions, shorter answers, Jan Loeys and Alex Wise, 21 June 2022
The Long-term Strategist: What to do with 60/40?, Jan Loeys and Alex Wise, 16 June 2022
The Long-term Strategist: How good are long-term forecasts?, Alex Wise and Jan Loeys, 14 June 2022
The Long-term Strategist: Long-term forces point to higher US bond yields, Alex Wise and Jan Loeys, 4 April 2022
The Long-term Strategist: A demographic reversal to start pushing real interest rates up, Jan Loeys and Alex Wise, 2 March 2022
The Long-term Strategist: Eight clips on strategic questions, Jan Loeys, Shiny Kundu and Alex Wise, 17 February 2022
The Long-term Strategist: Is thematic investing worth it?, Jan Loeys, Shiny Kundu and Alex Wise, 18 January 2022
The Long-Term Strategist: Long-Term FX Forecasts, Alex Wise and Jan Loeys, 14 December 2021
The Long-term Strategist: Democracy metrics and equity markets, Alex Wise and Jan Loeys, 21 October 2021
The Long-term Strategist: Inflation, markets and the end of the Great Moderation, Jan Loeys and Shiny Kundu, 27 September 2021
The Long-Term Strategist: Democracy metrics and equity markets, Jan Loeys et al., 21 October 2021
The Long-Term Strategist: Commodity-linked assets as a long-run inflation hedge, Jan Loeys and Shiny Kundu, 28 July 2021
The Long-term Strategist: Will US market exceptionalism last?, Jan Loeys and Shiny Kundu, 24 June 2021
The Long-term Strategist: Short As on long-term Qs, Jan Loeys and Shiny Kundu, 19 April 2021
The Long-term Strategist: Our Strategic Portfolio, Jan Loeys and Shiny Kundu, 5 March 2021
The Long-term Strategist: Empirical models of long-term US equity returns, Shiny Kundu and Jan Loeys, 1 March 2021
The Long-term Strategist: Can EM solve the 60/40 problem?, Jan Loeys and Shiny Kundu, 2 December 2020
The Long-term Strategist: Business concentration, Jan Loeys and Shiny Kundu, 30 September 2020
The Long-term Strategist: The international 60/40 problem and US Hybrids, Jan Loeys and Shiny Kundu, 29 September 2020
The Long-term Strategist: Fallen Angel and Buybacks: Strategy Update 2020, Jan Loeys and Shiny Kundu, 28 September 2020
The Long-term Strategist: 60/40 in a zero-yield world, Jan Loeys, 30 June 2020
The Long-term Strategist: De-globalization Update 2020, Jan Loeys and Shiny Kundu, 23 April 2020
The Long-term Strategist: Some Longer-term Consequences of Covid-19 Crisis, Jan Loeys and Shiny Kundu, 9 April 2020
The Long-term Strategist: Zero US yields, almost there, Jan Loeys and Shiny Kundu, 11 March 2020
The Long-term Strategist: Why long term?, Jan Loeys and Shiny Kundu, 25 February 2020
The Long-term Strategist: Bonds time diversify much better than you think, Jan Loeys and Shiny Kundu, 14 February 2020
The Long-term Strategist: Financial repression, risk aversion and zero yields, Jan Loeys and Shiny Kundu, 24 January 2020
The Long-term Strategist: Why invest on Climate Change?, Jan Loeys, Shiny Kundu and Mika Inkinen, 10 December 2019
The Long-term Strategist: Do BBs still offer better returns?, Jan Loeys and Shiny Kundu, 3 October 2019
The Long-term Strategist: Buybacks and the investor, Jan Loeys and Shiny Kundu, 18 July 2019
The Long-term Strategist: What if the US joins the Zero Yield world?, Jan Loeys and Shiny Kundu, 12 July 2019
The Long-term Strategist: Climate change investing, Jan Loeys and Shiny Kundu, 30 May 2019
The Long-term Strategist: De-globalization, Jan Loeys, Shiny Kundu, and Joseph Lupton, 5 April 2019
The Long-term Strategist: Small Caps: A Strategic Overweight, Jan Loeys, Shiny Kundu and Eduardo Lecubarri, 15 February 2019
- 1 The IDF introduces Artificial Intelligence to the Battlefield – A new frontier?, Lieber Institute West Point, Mar 2023
- 2 Artificial Intelligence in Israel, Liran Antebi
- 3 Israel’s AI Revolution: From Innovation to Occupation, Carnegie Endowment for International Peace, Nov 2023
- 4 ICBC Tells Clients to Reroute Some Trades After Cyber Issue, Bloomberg, 9 Nov 2023
- 5 See AI is already at War, Foreign Affairs, November/December 2023.
- 6 The Moody’s survey included more than 1,700 respondents gauging cybersecurity practices among global debt issuers. The survey was sent to ~9,000 issuers globally in May and responses were collected through July 18, 2023.
- 7 2023 Identity Security Threat Landscape Report, CyberArk, 2023
- 8 See Microsoft Digital Defense Report 2023
- 9 See The CISO Report, Splunk, 2023
- 10 See Microsoft Digital Defense Report 2023
- 11 The FTC’s Efforts in the Greater Fight Against Ransomware and Cyber-Related Attacks, Federal Trade Commission, October 2023
- 12 See The geopolitics of AI and the rise of digital sovereignty, Benjamin Cedric Larsen, Brookings, 8 Dec 2022
- 13 Ibid
- 14 Cyber Week in Review: October 20, 2023, CFR
- 15 The US and its allies should engage with China on AI law and policy, Mark MacCarthy, Brookings, 19 Oct
- 16 The AI Act, European Commission, April 2021
- 17 Cyber Resilience Act, European Commission, September 2022