JPMorgan has flagged cybersecurity as a major, underpriced risk for banks, saying that AI-enabled attacks could precipitate a liquidity crisis that is more dangerous than a conventional credit event. In a note authored by analyst Kian Abouhossein, the bank highlighted how new frontier AI models can dramatically shorten the timeframe for identifying previously unknown vulnerabilities.
Specifically, Abouhossein pointed to models such as Mythos and GPT-5.5, which he says can reduce the timeline for discovering zero-day vulnerabilities from months or years to mere hours. That compression of discovery time narrows the window banks have to identify and patch exposed systems, increasing operational and liquidity risk.
JPMorgan argued that current supervisory and investor attention is focused on capital metrics that may not capture this form of cyber risk. The note recommends shifting emphasis away from the capital framework as the primary lens for cybersecurity risk, and instead calls for more robust infrastructure resilience testing. It also proposes running deposit-run liquidity haircut stress tests to better capture the types of sudden outflows that could accompany a cyber-driven event.
The bank warned that social media could act as an accelerant in such a scenario, producing "unprecedented volatility in deposit flows" and amplifying a run on funds. JPMorgan referenced Credit Suisse as a precedent for how swift deposit shifts can compound a crisis.
On a regional basis, Abouhossein identified U.S. banks as relatively better positioned to withstand these pressures, citing higher absolute technology spending and earlier access to frontier AI models. By contrast, European banks were described as more vulnerable because they generally operate with smaller technology budgets and may face delayed access to the latest AI developments. JPMorgan noted that tech costs averaged approximately 17% of global bank operating expenses in 2025.
Given these dynamics, the bank suggested that investors assign a higher valuation multiple to institutions with sticky, excess deposit bases, which would be better placed to weather a liquidity shock. It also argued that a premium for U.S. global systemically important banks over European and Japanese counterparts could be defensible if the market prices in a lower cost of equity tied to stronger cyber risk preparedness.
The note underscores a call for changing how cyber risk is measured and stress-tested across the industry, while highlighting regional disparities in preparedness and technology investment.