WOODLANDS ADVISORY

"AI Has Made It Worse": Jamie Dimon, JPMorgan and What It Means for European Companies

In JPMorgan Chase's Q1 2026 earnings call, CEO Jamie Dimon named cyber risk as the firm's single greatest threat – and AI as its primary amplifier. An emergency meeting convened by US Treasury Secretary Bessent and Fed Chair Powell with America's largest banks adds weight to that assessment. What DACH companies need to take from this.


"AI has made it worse. It's made it harder." These were the words of Jamie Dimon, CEO of JPMorgan Chase, on the Q1 2026 earnings call – not as a footnote, but as the central assessment of the greatest threat facing his organisation.

JPMorgan reported a Q1 2026 net income of $16.5 billion, up 13% year over year. EPS came in at $5.94 – well above the analyst consensus of $5.46. The bank is in excellent operational health. And yet cyber risk was the issue Dimon addressed most sharply.

That is not coincidence. It is a signal.

What Happened in the Days Before the Earnings Call

Between 7 and 10 April 2026, a meeting took place in Washington that is rare in this form: US Treasury Secretary Scott Bessent and Fed Chair Jerome Powell invited the CEOs of America's most systemically important banks to an urgent, short-notice session. The occasion was Anthropic's Mythos model – an AI system that, according to the developer's own security disclosures, is capable of autonomously identifying browser vulnerabilities, chaining multiple flaws together, and thereby opening attack vectors that human hackers could rarely replicate manually.

Dimon confirmed on the earnings call that JPMorgan is actively testing Mythos: "It shows a lot more vulnerabilities need to be fixed."

CFO Jeremy Barnum added: "These tools can make it easier to find vulnerabilities, but then also potentially be deployed by bad actors in attack mode."

On 13 April, a second meeting followed – this time jointly with British regulators: the Bank of England, the Financial Conduct Authority and HM Treasury. UK authorities indicated they would issue formal warnings to major banks within two weeks. Bloomberg covered it live: "Regulators Warn of New Era of Cyber Risk From AI".

This is the context in which Dimon's statements sit. They are not corporate boilerplate. They are the operational threat assessment of one of the best-informed financial institutions in the world.

Three Core Takeaways from the Earnings Call

1. AI structurally shifts the threat level

Dimon was not alarmist. He was precise: "Of course, we read about Mythos, which we're testing now. It does create additional vulnerabilities." At the same time: "Maybe down the road, better ways to strengthen yourself too."

This is the dual structure of AI in cybersecurity: the same capabilities available to defenders are equally available to attackers. And the barrier to entry for attackers is falling faster than defensive capacity can scale – particularly in organisations that lack dedicated security leadership.

2. Cyber risk is not confined to banks

Dimon was explicit: "The cyber risk isn't isolated to banks. You can look at almost any industry." And further: "That doesn't mean everything that banks rely on is that well protected." He named stock exchanges, clearing systems and third-party vendors as weak points in the wider system.

This is directly relevant to European mid-market companies and PE portfolio businesses. Anyone embedded in a supply chain, an ecosystem, or a financing structure connected to institutional actors carries systemic risk – regardless of the size of their own security budget.

3. The overall risk picture has deteriorated

Dimon warned explicitly in the earnings statement about an "increasingly complex set of risks" – geopolitical tensions, energy price volatility, trade uncertainty, large global fiscal deficits and elevated asset prices. His well-known framing of the "skunk at the party": inflation could quietly rise in 2026 rather than falling – and that would upset every calculation.

In this overall picture, cyber risk is not an isolated factor. It is an amplifier of every other risk. An organisation that suffers an operational attack at the worst moment, during a geopolitical or economic shock, loses financial resilience and the ability to act at the same time.

What This Means Concretely for DACH Companies

JPMorgan spends roughly $17 billion annually on technology, including a substantial share on cybersecurity. The firm employs hundreds of security experts, maintains direct access to government agencies, and actively tests the most dangerous AI models available – and yet Dimon says: we are well protected, but not everything we depend on is.

What conclusion follows for a German industrial company with 200 employees? For an Austrian technology firm in a PE portfolio? For a Swiss financial infrastructure services provider?

Build a foundation before AI-powered attacks scale

The capabilities described for Mythos – autonomous vulnerability identification, multi-flaw chaining – are still being tested by regulated actors today. Within 12 to 24 months, comparable capabilities will become accessible to poorly resourced attackers.

The window to build a documented, auditable security baseline is limited. NIS2 already requires companies in critical and important sectors to demonstrate a credible security architecture – the AI trajectory makes that requirement strategically more urgent.

A structured Compliance Sprint – designed to build an ISMS foundation aligned with ISO 27001 or NIS2 within four weeks – is not a regulatory box-tick in this environment. It is operational preparation.

Install security leadership before the incident occurs

Dimon's reference to constant coordination with government agencies and deployment of top experts sounds like self-promotion. But it is actually an implicit definition of the minimum standard: any organisation without a continuous security programme in 2026 is structurally under-resourced.

A vCISO mandate – strategic security leadership without a full-time CISO – gives organisations exactly that: a person who understands the threat picture, maintains the relevant connections, and structures internal processes to withstand an attack. At a fraction of the cost of a full-time CISO.

Reassess M&A transactions

Dimon warned explicitly about systemic risks in the banking infrastructure – exchanges, clearing, third-party vendors. Anyone currently reviewing an acquisition or preparing for an exit must ask: how exposed is the target company in the current environment?

A Cyber Due Diligence Audit does not only identify technical debt. It assesses whether a company is equipped against the changed AI threat level – and in doing so provides a valid foundation for the valuation discussion.

The Real Message Behind the Earnings Call

Dimon did not create panic. On the contrary – he described JPMorgan as well-positioned. But he did something more important: on one of the most closely watched corporate platforms in the world, he confirmed that AI has structurally changed the cyber risk environment – and that this change affects the entire economy, not just financial services.

When the CEO of the most profitable bank in the Western world, in the same breath as record earnings, names cyber risk as the greatest single threat – that is not an obligatory acknowledgement. That is a situation report.

DACH companies that categorise this as a banking problem are underestimating the situation. The question is not whether AI-powered attacks will scale. The question is whether their own security infrastructure will be ready when they do.


Woodlands Advisory helps DACH companies address AI-related cyber risks operationally – through structured compliance programmes, strategic security leadership and M&A-grade due diligence processes. If you would like to understand the current threat landscape for your organisation – speak with us.
