The Capital Letters · Dimon

A Safer Way to Use New Financial Technology

As banks — and bad actors — get more sophisticated, the easiest route (one-tap convenience) can become a weak link. Before a login or app update turns into an account headache, review the digital safeguards protecting your money.

SwitchWize Research Desk·6 min read·Educational, not personalized advice

Opening scenario

You open your bank app on a Friday night to move money, and a new popup asks you to “reconfirm” identity with a photo and an SMS code. It looks routine, so you comply. Monday: a few small test charges, then a larger transfer you never authorized. Convenience became exposure — and now you’re untangling the fallout.

Sourced lesson

Large financial firms treat cyber risk and resiliency as board-level priorities and build formal programs to prevent, detect, and respond to incidents. The JPMorgan Chase 2022 Form 10‑K describes cybersecurity risk as a core exposure the firm manages with a dedicated Information Security Program and an Incident Response Plan (IRP) designed to coordinate responses, work with law enforcement and notify clients when needed (JPMorgan Chase & Co./2022 Form 10‑K, p.164). That filing also details the Firm’s efforts to maintain and improve security, and to report updates to its Board (JPMorgan Chase & Co./2022 Form 10‑K, p.164).

Older JPMorgan Chase annual materials illustrate how corporate governance — boards, councils, and formal reporting lines — is part of that risk-management architecture (JPMorgan Chase & Co./2008 Annual Report, p.236). You won’t replicate a bank’s IT team or boardroom procedures at home, but you can borrow the principle: formalize simple oversight, create checklists, and rehearse an incident plan for your household accounts. The household application below is a SwitchWize interpretation of those corporate practices applied to personal finance.

Short excerpt from the source

“Cybersecurity risk is the risk of the Firm’s exposure to harm.” (JPMorgan Chase & Co./2022 Form 10‑K, p.164)

Household example

Ana uses a bank app, two fintech payment apps, and an investment platform. She relied on one password and SMS codes — until she read a notice about phishing and treated her accounts like a small institution.

What she did:

  • Inventory: She listed every financial login in an encrypted note.
  • Authentication: She switched SMS to app-based multi-factor authentication (MFA) where possible and enabled hardware-key backup on the investment platform.
  • Incident plan: She created a one-page “If compromised” sheet with three immediate actions: freeze cards, change critical passwords, and call fraud hotlines (numbers stored in the same encrypted note).

A week later, an unfamiliar device tried to access her investment account. The app-based MFA blocked the attempt. Because she knew who to call and what to do, she resolved the issue quickly and avoided loss.

Actionable checklist — Review your safeguards now

(Do these steps in order; plan 30–90 minutes depending on how many accounts you manage.)

  1. Inventory your accounts
  • List every financial login: banks, credit cards, retirement, brokerage, payment apps, bill-pay portals, and any account that can move money or change payees.
  • Where to store: use an encrypted notes app or a locked physical notebook.
  2. Record recovery info and fraud contacts
  • For each account note the secure phone number, fraud email, and how to reach support.
  • Put these contacts with your inventory so you’re not hunting when stressed.
  3. Strengthen authentication
  • Prefer app-based MFA (authenticator apps) or hardware security keys to SMS when available.
  • If an account only offers SMS, treat it as temporary and watch for upgrade options.
  • Editorial guidance: prioritize app-based MFA first, hardware keys second.
  4. Use a password manager and unique passphrases
  • Create unique passwords for each account; don’t reuse.
  • Editorial guidance: consider passphrases of 12+ characters for critical accounts (this is SwitchWize editorial guidance, not a regulatory requirement).
  5. Harden your devices
  • Keep phone and computer OS and apps updated; use screen locks and biometric protection.
  • Remove old devices from account access lists and sign out of services on devices you no longer own.
  6. Audit third-party access
  • Review connected apps and services (budgeting apps, aggregators, accountant access) and revoke permissions you don’t use.
  • Limit long-term token grants; reauthorize only when needed.
  7. Set alerts and limits
  • Turn on transaction alerts for credits, debits, and new payees.
  • Use available daily transfer or payment limits where possible to reduce exposure.
  8. Write a simple incident plan
  • Your three immediate steps if you suspect compromise: (1) freeze relevant cards/accounts, (2) change the highest-risk passwords/MFA, (3) call the fraud contact listed in your inventory.
  • Store recovery codes, backup MFA options, and the fraud hotline in the same secure place.
  9. Test recovery annually
  • Simulate a lost-phone scenario once a year to confirm you can restore accounts and access recovery codes.
  • Editorial guidance: schedule a yearly test; adjust frequency if you add new services.
  10. Monitor statements and follow up
  • Review transactions weekly for the first month after any security change, then monthly.
  • If you see suspicious activity, report it immediately to the institution — documented response plans reduce resolution time.

Meaningful visual / chart brief

Digital-Security Posture: Three Layers (sketchable on one page)

  • Layer 1: Accounts & Access — list accounts and who can access them.
  • Layer 2: Authentication & Devices — MFA type (none / SMS / app / hardware), device update status.
  • Layer 3: Response & Recovery — incident plan, fraud contacts, recovery codes.

Map each account into the three layers and color-code: Red = high risk (no MFA, outdated device), Yellow = partial (SMS MFA or shared access), Green = low risk (hardware MFA, unique passwords, up-to-date devices). Prioritize moving reds to green — the visual helps you see the biggest wins.

Why bother

The large-firm disclosures show the real-world costs of cyber incidents and why boards demand formal programs and IRPs (JPMorgan Chase & Co./2022 Form 10‑K, p.164). Households don’t need a board or a full security team, but adopting a few formal steps — an inventory, stronger MFA, and a short incident plan — measurably reduces the chance that convenience becomes loss.

SwitchWize next step

Tonight: spend 30 minutes creating your account inventory, enable app-based MFA on your primary bank, and save the fraud hotline for that bank in your encrypted notes. If you want a template to follow, use SwitchWize’s free “financial-security inventory” worksheet to run the checklist step-by-step.


Source note

  • JPMorgan Chase & Co., 2022 Form 10‑K — discussion of cybersecurity risk, Information Security Program, and Incident Response Plan. (JPMorgan Chase & Co./2022 Form 10‑K, p.164)
  • JPMorgan Chase & Co., 2008 Annual Report — governance, boards, and committees as part of risk management. (JPMorgan Chase & Co./2008 Annual Report, p.236)

Note on sources and interpretation

These source materials are filings and annual materials from JPMorgan Chase & Co. They do not concern Berkshire Hathaway or one of its businesses. The household practices above are SwitchWize interpretations of corporate descriptions of cybersecurity and governance; they are practical steps inspired by — not required by — those filings.

SwitchWize takeaway

Protect the base first.

Review cash, debt, fees, and product fit before chasing the next financial upgrade.

Disclaimer

This article is educational only. It does not recommend or endorse any specific securities, products, or services, and it is not individualized financial or legal advice. Follow your financial institution’s instructions if you suspect fraud. If you need tailored help, consult a qualified professional.