US investment bank JPMorgan will double its spending in cyber security following a data breach which affected approximately 84 million account holders.
Speaking at the Institute of International Finance conference in Washington late on Friday, JPMorgan CEO Jamie Dimon said the firm would increase its investment in cyber security from US$250 million (A$285 million) annually in 2014 to US$500 million (A$570 million) in five years' time.
“We had a little problem recently,” said Dimon, referencing the data breach.
“We have to be vigilant. We need help and [need to continue] working together with the government. The government knows more than we do.”
JPMorgan was breached in late August across its Chase.com and JPMorganOnline websites as well as its Chase and JPMorgan mobile applications.
Hackers managed to obtain names, phone numbers, emails and postal addresses of 76 million individual customers and seven million SMEs after compromising an employee's credentials using a phishing email attack.
Investigators have since said that at least 13 other companies were targeted by unknown hackers.
However, SolarWinds cyber security expert Patrick Hubbard said it was difficult to know how and where the money might be used, and while he expressed scepticism about the amount – “spend does not equal security” – he said it could be used to restore faith in a brand since its damaging data breach.
“It's about making the other executives feel comfortable,” he said, adding that people in the financial services industry would be happy with the money as ‘something they could quantify’.
Scott MacKenzie, CISO at cyber-security solutions provider Logical Step, said JPMorgan was making a proactive step.
“[The doubling of cyber security spend] is despite there being no evidence that any customer accounts or passwords were compromised. I feel this will go a long way to mitigate any reputational damage suffered by JPMorgan following the recent hack,” he said.
Tenable's EMEA technical director Gavin Millard said the move could be seen as a 'PR stunt' but believes the investment is a promising sign, not least for how security is increasingly being entwined in the business.
"Whether this is a PR stunt or a measured approach to a breach could be hotly debated by cynical security professionals, but I would see this as a positive move," he said.
"Having the CEO stand up publicly and state that the problems need to be fixed will set the right tone to enable the staff at the bank to implement any control they deem necessary to protect customer data and the business as a whole.
"Security can't be fixed by money alone though, it takes effort, education and awareness at all levels but with the focus they are placing on security, this shouldn't be a problem for JPMorgan."