Analysis
The Next Banking Crisis Won’t Come From Bad Loans. JPMorgan Says It Will Come From Hackers.
For decades, banking analysts have built crisis models around the same variables: non-performing loan ratios, capital adequacy buffers, liquidity coverage ratios, and contagion through interbank lending. JPMorgan has now argued, in terms that are difficult to dismiss, that all of those frameworks may be measuring the wrong risk.
In a research note published in late June 2026, JPMorgan analyst Kian Abouhossein declared that cybersecurity risk is “currently one of the biggest undiscounted risks not reflected in bank valuations” — and made the case that an AI-enabled cyberattack could trigger a liquidity crisis more dangerous than any traditional credit event the industry has faced in modern history.
AI Compresses the Timeline for Catastrophe
The mechanism Abouhossein identified is not subtle. Frontier AI models — he cited specifically Anthropic’s Mythos and OpenAI’s GPT-5.5 — have been shown to “significantly reduce the timeline for discovering previously unknown zero-day vulnerabilities from months and years to hours.” That compression is not an incremental improvement in the threat landscape. It is a structural transformation.
For banks, the significance is operational. A vulnerability that might previously have remained unexploited for six months while security teams patched exposed systems can now be weaponised within hours of discovery. The window between identification and remediation — which banks have historically relied on to contain damage — has effectively closed.
The Wrong Risk Framework
JPMorgan’s core argument is that regulators and investors are examining bank risk through an inappropriate lens. “Looking at cybersecurity risk through the lens of the capital framework is not the best approach,” Abouhossein wrote, arguing instead for infrastructure resilience testing and deposit-run liquidity haircut stress tests as the relevant metrics.
The distinction matters. A capital framework asks whether a bank has sufficient equity buffer to absorb credit losses. A cyber-crisis framework asks a different question: whether a bank can maintain operations, preserve customer access, and prevent panic-driven deposit outflows if its systems are compromised or publicly reported to have been breached.
JPMorgan’s note pointed to Credit Suisse as a precedent, arguing that social media could trigger “unprecedented volatility in deposit flows” in a cyber-driven crisis. The Credit Suisse collapse in 2023 was driven primarily by confidence dynamics rather than technical insolvency — a preview of how quickly narrative can overwhelm fundamentals. In a scenario where a major bank’s cyber breach is reported in real time across social platforms, the speed of a potential bank run could exceed anything regulators have stress-tested.
A Tiered Vulnerability Landscape
The report assigned a differentiated risk profile across banking systems. US global systemically important banks were assessed as better positioned, given higher absolute technology spending and earlier access to frontier AI models for defensive purposes. Technology costs averaged approximately 17 percent of global bank operating expenses in 2025, but that average conceals wide dispersion.
European banks were explicitly flagged as more vulnerable: lower technology budgets, delayed access to the most advanced models, and a more fragmented regulatory environment across jurisdictions. JPMorgan suggested that a valuation premium for US GSIBs over European and Japanese peers “could be justified due to lower cost of equity as the market factors in better cyber risk preparedness” — an argument that, if adopted by broader market consensus, would represent a significant repricing of European bank equities.
The Supply Chain Vector
The vulnerability is not confined to banks’ direct systems. Black Kite’s 2026 Financial Services Cybersecurity Report documented that confirmed breaches among the top 140 financial services vendors climbed from six to 39 in a twelve-month period. Among the top 20 most systemically significant vendors, the number with a confirmed breach rose from one to seven — a sevenfold increase in the most exposure-sensitive segment.
Direct attacks on financial institutions also rebounded sharply after a brief law enforcement-driven reprieve. Ransomware incidents in the finance sector climbed from 156 in 2024 to 202 in 2025. Q1 2026 alone recorded 65 incidents, a 76 percent increase over the same period in 2025. AI-assisted discovery tools entering the market in 2026 are expected to accelerate the volume of published vulnerabilities further, with over 48,000 CVEs published globally in 2025 already representing an 18 percent increase over the prior year.
Deposit Stickiness as a Strategic Moat
JPMorgan’s note concluded with a recommendation that reframes a traditional banking metric in a new context. The analyst suggested assigning a higher valuation multiple to banks with sticky, excess deposit bases — not because those deposits indicate lending capacity or net interest margin, but because a bank with low deposit velocity has a structural buffer against the confidence-driven outflows that a cyber crisis would produce.
The argument inverts conventional wisdom. In a normal credit crisis, floating-rate deposit franchises can be liabilities. In a cyber-driven confidence crisis, they become the most important form of institutional resilience.
The banking industry has spent the post-2008 era stress-testing for scenarios it already understands. JPMorgan’s note is an argument that the next crisis will arrive through a door the industry has not yet learned to guard — and that the market has not yet priced the risk.