Staying secure in an AI landscape with Claude Mythos and other Frontier AI models  

DESCRIPTION)

Logo: JP Morgan. Disclaimer. Text: PLEASE NOTE: This session is closed to the press. The views and strategies described herein may not be suitable for all clients and are subject to investment risks. Certain opinions, estimates, investment strategies and views expressed in this document constitute our judgment based on current market conditions and are subject to change without notice. This material should not be regarded as research or as a J.P. Morgan research report. The information contained herein should not be relied upon in isolation for the purpose of making an investment decision. More complete information is available, including product profiles, which discuss risks, benefits, liquidity and other matters of interest. For more information on any of the investment ideas and products illustrated herein, please contact your J.P. Morgan representative. Investors may get back less than they invested, and past performance is not a reliable indicator of future results. This information is provided for informational purposes only. We believe the information contained in this video to be reliable; however we do not represent or warrant its accuracy, reliability or completeness, or accept any liability for any loss or damage arising out of the use of any information in this video. The views expressed herein are those of the speakers and may differ from those of other J.P. Morgan employees and are subject to change without notice. Nothing in this video is intended to constitute a representation that any product or strategy is suitable for you. Nothing in this document shall be regarded as an offer, solicitation, recommendation or advice (whether financial, accounting, legal, tax or other) given by J.P. Morgan and/or its officers or employees to you. You should consult your independent professional advisors concerning accounting, legal or tax matters. Contact your J.P. Morgan representative for additional information and guidance concerning your personal investment goals. J.P. Morgan is not responsible for information provided by guest speakers (unaffiliated with J.P. Morgan) or the use by attendees of such information. J.P. Morgan cannot verify the accuracy of guest speaker content, views of statements, and accepts no responsibility for any direct or consequential losses arising from its use. Any discussion of companies/markets by guest speakers should not be interpreted as a recommendation to buy or sell or is an endorsement by J.P. Morgan. INVESTMENT AND INSURANCE PRODUCTS: NOT A DEPOSIT, NOT FDIC INSURED, NOT INSURED BY ANY FEDERAL GOVERNMENT AGENCY, NO BANK GUARANTEE, MAY LOSE VALUE

(SPEECH)

This session is closed to the press. Welcome to the JPMorgan webcast. This is intended for informational purposes only. Opinions expressed herein are those of the speakers and may differ from those of other JPMorgan employees and affiliates. Historical information and outlooks are not guarantees of future results. Any views and strategies described may not be appropriate for all participants and should not be intended as personal investment, financial, or other advice. As a reminder, investment products are not FDIC insured, do not have bank guarantee, and they may lose value. The webcast may now begin.

[MUSIC PLAYING]

(DESCRIPTION)

A shimmering strip of gold-plated handwriting swirls elegantly across a dark surface. It spells JP Morgan. Text: Ideas and Insights. A woman with shoulder-length blond hair wears a green blazer over a black scoop-neck top, gold drop earrings, and a small clip-on microphone attached to her lapel. She holds papers in front of her, and a clear glass sits at the lower right edge. Behind her is a dark gray ribbed acoustic panel wall. A label reads BJ Goergen, Global Head of J.P. Morgan Private Advisory.

(SPEECH)

Thank you so much for joining us today. My name is BJ Goergen. I'm the head of Morgan Private Advisory here at JP Morgan's Private Bank. You have heard a lot about AI in the news, and today, we're going to spend some time talking about how AI is impacting cybersecurity. We're going to talk about frontier AI models and how they are different than prior models. We're going to talk about the impact of what we're doing here at JP Morgan at an enterprise level, but also what might be relevant for small business owners, and then we're going to talk about some of the things that you need to be thinking about personally.

Today, I'm joined by two experts at our firm-- one, Ileana van der Linde, who is the head of cyber advisory for the Private Bank, and Joe Padoan, who is the chief technology officer for asset and wealth management technology. They are advising clients and advising our business owners here every day in a great resource for everyone. So Joe and Ileana, I want to start with understanding how AI is impacting the fields of cybersecurity and business resiliency.

(DESCRIPTION)

The three people sit at a long curved white desk. To the left of BJ sits a woman with long brown hair, wearing a navy collared shirt with a black floral-patterned scarf, drop earrings, a thin necklace, and a small clip-on microphone. A tablet screen and a glass of water sit on the table in front of her. A label reads Ileana van der Linde, Head of Cyber Advisory.

(SPEECH)

Great question. I think certainly in the field of cybersecurity, machine learning has been already used for a long time. This is an area where we've done a lot of fraud detection. We're able to process large amounts of data and look for patterns of concern.

In the last few years, as generative AI has come in and the AI tools have become more powerful, it has also helped us upgrade and also process large amounts of data and look for new patterns of egress that could be coming in across an institution. And I'm sure Joe will talk a little bit about this. But it also means that cyber criminals are also using artificial intelligence to also facilitate their attacks. So it's not just one side. Offense and defense are using the same tools.

What was interesting is that recently in the Verizon DBIR, which is an industry report about how vulnerabilities occur, this is the first time in 19 years that vulnerabilities were the point of the largest amount of breaches versus previously credentials.

Oh, interesting. So before, people would try to get a credential to get in.

To get in.

Now it's a vulnerability on the back end.

Yes. And that means that AI is boosting their attacks. So I'm sure going forward, that is only going to increase. But that is a very, very important shift in the industry.

What about you from a business resiliency perspective?

Yeah,

(DESCRIPTION)

A man with short dark hair and a beard wears a dark navy blazer over a white open-collar shirt with a clip-on microphone. A tablet edge sits on the table in front of him. A label reads Joe Padone titled CTO, Global Head of Production Management and Infrastructure.

(SPEECH)

so from a business resiliency perspective, AI has had a profound impact on from technology, the way we defend our systems, the way we build our systems, many of it for good. So we're able to build software much faster, much more secure, much more resilient using the AI tools.

Of course, because threats are increasing due to AI-- gives access and to vulnerabilities and the ability to find new and exploit new vulnerabilities-- that's made our focus on cyber defense a higher priority. It's always been a priority, but it's made it a higher priority.

It also has been information for our business to understand it's not just a technology challenge, cybersecurity. They really need to be involved and understand what the impact could be to their business and how should a business be able to react, recover, and manage through any kind of cybersecurity incidents.

In a minute, I want to talk to you about what are some of the things that we're doing at JP Morgan. But will you both talk about frontier AI models and how they are different than other models that have existed before?

Yeah, well, I think first, we often talk about the foundational models. And those would be OpenAI's ChatGPT, Anthropic's Claude, Perplexity, Gemini Copilot. Those are the ones that are foundational and really across many different industries. Frontier AI are also foundational, but they are very advanced and usually very specific. They have expert-- execute on multitask, deep reasoning, and things like that.

One of the most recent ones that came out that got a lot of press attention was Claude Mythos. And Mythos specifically was able to identify vulnerabilities in very short order. Typically, a cybercriminal might find an exploit or a vulnerability in a system and then need several weeks or months before they decided how to exploit that and then create ransomware, for example. What is happening now is you have an autonomous system that is all of a sudden making its way in and can find multiple vulnerabilities at a time, and the time to exploit is immensely condensed.

So it's leaving-- to what Joe was recently talking about, is the speed to which you can exploit a system is causing everybody to say, we now really have to harden a lot of our systems and get back to some core fundamentals on cybersecurity going forward. But Joe--

Yeah, talk about what we're doing here at the firm and some of the work your team has been doing, how that might be applicable to some of our clients and their businesses.

Yeah, so I think Mythos, as one of those frontier models from Anthropic, has really been a wake-up call for many organizations. The ability of those frontier models to find vulnerabilities and create exploits, again, from a speed perspective and from a volume perspective, as well as finding new and novel vulnerabilities-- so how does a large organization like JPMorgan-- a lot of it is back to basics. A lot of what we've been doing has helped us prepare for this, having a very rigorous and strong cybersecurity program.

We have one of the industry's leading cybersecurity teams under our CISO, Pat Opet. And we follow all the industry best practices such as NIST and a lot of those basic and fundamentals around vulnerability like aggressive vulnerability management, keeping up to date with your hygiene, getting rid of old or legacy technical debt. Those are the things that, even in a post-Mythos world, are very important. And really, every organization, large and small, should be following those best practices.

JPMorgan recently published a set of 10 actions that every company should take right now in response to emerging AI cyber threats, and that's something you can find on our internet public-facing website.

Will you walk through what some of those best practices are? I know that you wear an enterprise hat, and I know, Ileana, you spend time with clients around the country. And we have unbelievable resources and capabilities at an enterprise level. But what does the small business owner think about doing, or what does a family office think about doing to protect themselves?

So I think a lot of the practices that are applicable to large enterprises are also applicable to smaller. The threats are similar, and you should be taking some of the similar acts. So, for example, a good one is upgrading your software to the latest version.

It seems 101.

Yeah, seems 101, but a lot of people don't do it. So we call that patching. And patching isn't something you shouldn't be doing annually or monthly. It's something that has to be done frequently. And it takes time. It takes resources. It takes expertise in understanding what patches are important, which are not.

So there is a habit, a reflex that needs to be built into large and small organizations around patching to fix these vulnerabilities. Vulnerabilities are just defects or bugs in software that create security loopholes, and the patches help remediate and resolve those. So it's very important to understand what things you need to upgrade and patch.

You have desktop servers. You have servers. You have laptops. You have desktops. You have software. So understanding your inventory of things that can be vulnerable-- if you have video cameras in your office for security reasons, those can be hacked and vulnerable. So understand your inventory of technology and make sure all that is up to date with the freshest versions of software and hardware and firmware. I think that's a very important takeaway.

Also, understanding your third-party risk-- who are the vendors that you work with? Who does your payroll? A lot of companies outsource HR. They outsource-- you might have a legal firm that you have services with. How are they managing your data? How are they managing your systems?

There are risks there in the third party, and I think every business should assess that and understand and ask tough questions of your service providers and third parties around how they're managing their security, because the breach could happen at one of those partners that work with you and impact your business or your organization.

Well, and I can see a new framework where it becomes even more important to select a vendor based on the security measures that they have in place across your entire business.

I was going to also add to what Joe just said. For every client we meet-- in particular, family offices and smaller firms-- we suggest doing a cyber assessment. This is not an assessment that just says my network is fine on Mondays and Tuesdays at 4:30 PM. That is a one-time network test.

A full cyber and risk assessment does an analysis of, am I physically vulnerable? Are there people who can get into the building and be able to access my systems and networks? It is also a physical assessment, but it is also a third-party risk assessment. It is really understanding where am I vulnerable and not just going, I think I'm fine.

This, at this rate, should be done every 12 to 18 months. This is no longer something you do every couple of years. But with the acceleration of a lot of these threats, it has to be done on a regular basis. There are firms that specialize in small business and family offices that do that kind of work, but they're also really going to look at-- and I would say once you have that list and prioritization from them, then you know exactly where you need to focus first. It's not a, I think I need to do this.

The second part of what Joe said is it's so critical to no longer just rely on the IT guy you've had in the back room for forever. What was maybe fine five years ago is no longer sufficient for at this rate of accelerated software updates and AI vulnerabilities. You have to get professional services in place.

That means also getting a managed service provider. That's the group that is going to make sure that you can patch 24/7, 365. Just relying on a single person who is a single point of failure, if you will-- if there's--

A lot of vulnerability to your business doing that.

Yeah, if you just rely on one person that works Monday to Friday, they need a weekend as well. If a vulnerability or a big patch, something comes in, a managed service provider has a test bed an entire area where they can test the software, make sure it's ready to go, and can push that out and support you. This is, again, where small businesses just have to make sure that they are fully prepared for the new environment that we're all living in. We can't just say, oh, I'm small. Nobody's going to notice.

So we've talked a lot about threats, and we've talked a lot about risks. But there are some great opportunities for leveraging AI to automate functions in your business and to enhance so many elements. We're doing it up and down and across our firm in a really thoughtful and methodical way. Can you talk about what versions of these frontier models people are using and what some of the surprising things are that you have found?

So I think the frontier models are probably going to be in the hands of large organizations, or they're also going to be in the hands of cyber criminals or of nation-states that are going to be able to put a very powerful tool in place. On the receiving end of that. I think we've all got to make sure that we are-- as a business that you are in good hands and that you are professionally looking at-- but one thing that we always say is you're probably not going to be a shop or a business with only one version of an AI tool. You might be using ChatGPT. You might be using a Claude and various other unique and specific models. But what data they access is really critical.

So we always suggest to firms, make sure you have an AI policy. I recently just read that about 43% of firms have shadow AI, meaning you're seeing employees who are downloading versions of AI that are not yet permissioned by the company onto their own devices and using this. So it's really critical for firms to get a data policy in place or an AI policy to say, these are the ones that we've tested, vetted. These are the ones we've okayed, and these are the ones we're not, and really prevent people from being able to download software.

What about licensing?

Licensing I'm a huge proponent of. Please license buy something. Do not use the free versions. Why?

I can tell a couple horror stories. One, because the data can also be going out-- I love to call it to the mothership. The data is going back out. I really believe we're sitting on the edge of a huge privacy cliff. There are people who are putting in company data, and also personal data, into these tools who have not turned off model learning, who have not restricted the data going out. And what you have to understand is the owners of these AI firms, they're reading everything. They're collecting everything on the other end and can be building a much bigger source of information. So it's really important that you license it, turn off model learning, and use it responsibly.

I think that's another reason why a data policy is very important. Decide what data is approved for use when you're using these tools and what should not be ever used. What is confidential data? What is private data? Assume anything you use with these models could be exfiltrated into the actual larger system for learning. So you have to have very strict rules around the usage.

The other thing we're seeing in some of the newer models and tools is the ability to build agentic tools, like agents. That's when you're emulating what a human would do, and you're building workflows and orchestration. And there's certain risks around that. Again, it's incredibly powerful, and it's a great tool to build efficiency into every organization. But also, should be knowledgeable and awareness of when these agents are created, what kind of access do they have? What kind of skills and capabilities will they have?

One other thing I think is very important for people to-- organizations large and small to think about is, who has access to these tools? You may not want people who have high sensitive critical administrative access-- like, for example, your CFO, who has access to all your bank accounts, understands all the passwords-- do you want them to also be running certain types of AI or even building agents to do things personally or locally on their laptops or desktops? There could be a risk in that. So understanding of segregating certain roles and access from these tools and these AI agents is very important for every organization to think about.

And this is where I think it's so important, again, to say, even in the cyber world where you should be seeking out professional services, you also, in this AI and data governance area, should be seeking out teams. There are companies that will help isolate, segregate, and help you really do proper data governance on what you want.

One of the examples I often give when explaining agentic AI-- we talk about it. Most people don't. If you and I have a conversation, and you say, Ileana, I'm definitely going to send you that file after lunch, and I'm waiting all day going, when is she going to send this, I can ask my agent, theoretically, to go to your agent and say, go get that email she promised me out of your email. And your agent does. Because if the permissions have not been set up-- and you could have said, I want to look at that file before I send it to her, because I know it also has--

Because of the governance.

--sensitive data. But if data just goes, sure, my agent can just deliver things, and if we don't think that properly through, there can be a lot of data that is lost just because of lack of insight or lack of oversight.

So I want to pivot now a little bit to personal use of AI. I speak for myself and my family that we are using it in almost every area of our personal lives. I'm sure most people are. Will you just talk a little bit about how people are using it in their personal lives and how we should think about using it in our personal lives?

So I would say-- when I say a lot of us use these tools recreationally, rule number one, I would never-- I want you to sign up for a license.

Even personally?

Even personally, I would sign up with a license because it is giving you the ability to restrict certain things and turn off model learning. Use a different email when you sign up for this than you do for your banking, for medical use, or anything else important. You do not want the AI tool learning, oh, this is where BJ or Joe have the vast majority of their life. Because as fast as this technology is moving, the more you can keep things segregated, the better.

Anonymize your profile. You don't need to have your real name in the profile. You can make things up a little bit. But use a VPN, a virtual private network, which can be an app. There are several good ones out there. But what that does is it anonymizes your device from knowing, oh, this is from coming from BJ Goergen's home computer. It has no idea who the query is coming from. So it anonymizes you every time. Turn off the model learning. And I would also say take this time to also reduce your digital footprint in many, many places.

This is like the digital hygiene you two have been talking about. It's like AI hasn't changed it. It's made it more important, and more important immediately.

It's heightened it, yes, absolutely.

These are all best practices. I think, just to go a little bit deeper, turning off model learning, it sounds a little jargony, but what it's basically saying is you don't want the world to learn from the questions you're asking your ChatGPT or your tool and putting that as part of the larger global model. So I think people don't realize that these tools are constantly learning and bringing new information in constantly. You do not have to be part of that cycle. Every one of them, whatever product it is, has a way of disabling that so your information stays personal and private to you.

Yeah, so in the data and security section of your model, there is a-- "I do not want to share" is basically the essence of it. I personally really like-- I don't know if you know DuckDuckGo. So DuckDuckGo is a privacy browser.

I know it because of prepping for this conversation.

So it's a great install to do. But DuckDuckGo also has duck.ai, and it itself goes to eight different models. And it also keeps the chats personally on your device and goes out anonymously for you and ask the question. So I always think you want to talk to a lot of these tools not like know me better, but just asking for a friend. The less it knows about you personally and takes that information home, one, the privacy rules on a lot of these tools do not exist to a great degree.

So you're having to put the privacy in for yourself.

You have to put the privacy-- that's a great way to put it, BJ. It is not a fiduciary. It is not an attorney. You are not covered by HIPAA laws or anything else. And therefore, when-- a lot of people are now using these tools as therapists and sharing an intense amount of personal information. I recently dealt with somebody who was in the middle of a custody battle, and she entered in, did I overdose my six-year-old?

Well, in a custody battle, if that chat goes into the court of law, that is all knowable about that parent, which is very unfortunate. So these are the types of things that can be-- I think we have not yet really-- are just beginning to learn what damage they can also do.

Two other things that you all had talked about before, previously, is we talk about multi-factor authentication and passwords. I know that seems really pedestrian, but you both talked about it in prepping for this conversation.

Yeah. I would say, particularly for both the business and for personal, multi-factor authentication on anywhere offered. On a business, your insurance rates will go down the more you multi-factor. But more importantly, in the face of AI, where vulnerabilities are very quickly found, having a second factor of authentication to release money or to access systems or devices, it is critical as part of your security. I always say it's like the deadbolt on your door, not just the little jiggly lock. It's the deadbolt that helps keep things at bay. Personally, you should use it on anything and everything. Because again, these tools are moving so quickly.

And if there's a piece of software or a vendor or tool you work with and they don't offer MFA, I would be concerned about that in terms of what is the quality of that tool and other types of vulnerabilities or cyber risks. So MFA should be the standard, and everyone should be leveraging that in every connection.

So is there anything else that the two of you do personally that we need to know before we close out of this conversation? I feel like the two of you have a heightened level of awareness.

Yeah, it's a little bit different. It's not necessarily from security. But in terms of leveraging AI and these different tools, I don't go to-- I don't use one. I use multiple. And I almost treat it as a panel of experts. If I'm trying to learn something or get information, I will present the same prompt or question to several different of these AIs and then try to understand, OK, let's make sense of answers.

I just think relying on a single large language model or a single model, whatever version of that model is, I think is somewhat risky no matter what you're using these tools for. And I think you should be leveraging a variety of them. That's one of the personal things.

Yeah, and I think going to that, always verifying the source of any information. I think what has happened now-- previously when we had search engines, when we entered in a query, you'd get 20 responses back, and you'd be like, oh, I should have asked the question, or I can kind of find the link. We're now seeing things-- AI assistance coming forward and answering questions. Did I ask the question correctly? Is it misinterpreting?

Even though there are some AI models that are terribly popular right now, those things will rapidly change. And I think taking two steps backward and keeping your eye on the entire landscape is really, really important.

I feel like I could listen to this all afternoon, and it's such a flavor of what you deal with every day. Thank you so much for sharing some of these best practices and things to think about. We're going to link all of the materials that Joe and Ileana mentioned today with this webcast so that you have access to them. And Joe, Ileana, and our team at JPMorgan are here to help you and partner with you along this journey. Thank you.

(DESCRIPTION)

KEY RISKS. This material is for information purposes only, and may inform you of certain products and services offered by private banking businesses, part of JPMorgan Chase & Co. ("JPM"). Products and services described, as well as associated fees, charges and interest rates, are subject to change in accordance with the applicable account agreements and may differ among geographic locations. Not all products and services are offered at all locations. If you are a person with a disability and need additional support accessing this material, please contact your J.P. Morgan team or email us at accessibility.support@jpmorgan.com for assistance. Please read all Important Information. GENERAL RISKS & CONSIDERATIONS. Any views, strategies or products discussed in this material may not be appropriate for all individuals and are subject to risks. Investors may get back less than they invested, and past performance is not a reliable indicator of future results. Asset allocation/diversification does not guarantee a profit or protect against loss. Nothing in this material should be relied upon in isolation for the purpose of making an investment decision. You are urged to consider carefully whether the services, products, asset classes (e.g. equities, fixed income, alternative investments, commodities, etc.) or strategies discussed are suitable to your needs. You must also consider the objectives, risks, charges, and expenses associated with an investment service, product or strategy prior to making an investment decision. For this and more complete information, including discussion of your goals/situation, contact your J.P. Morgan team.

(SPEECH)

Thank you for joining us. Prior to making financial or investment decisions, you should speak with a qualified professional in your JPMorgan team. This concludes today's webcast. You may now disconnect.

[MUSIC PLAYING]

(DESCRIPTION)

NON-RELIANCE. Certain information contained in this material is believed to be reliable; however, JPM does not represent or warrant its accuracy, reliability or completeness, or accept any liability for any loss or damage (whether direct or indirect) arising out of the use of all or any part of this material. No representation or warranty should be made with regard to any computations, graphs, tables, diagrams or commentary in this material, which are provided for illustration/ reference purposes only. The views, opinions, estimates and strategies expressed in this material constitute our judgment based on current market conditions and are subject to change without notice. JPM assumes no duty to update any information in this material in the event that such information changes. Views, opinions, estimates and strategies expressed herein may differ from those expressed by other areas of JPM, views expressed for other purposes or in other contexts, and this material should not be regarded as a research report. Any projected results and risks are based solely on hypothetical examples cited, and actual results and risks will vary depending on specific circumstances. Forward-looking statements should not be considered as guarantees or predictions of future events. Nothing in this document shall be construed as giving rise to any duty of care owed to, or advisory relationship with, you or any third party. Nothing in this document shall be regarded as an offer, solicitation, recommendation or advice (whether financial, accounting, legal, tax or other) given by J.P. Morgan and/or its officers or employees, irrespective of whether or not such communication was given at your request. J.P. Morgan and its affiliates and employees do not provide tax, legal or accounting advice. You should consult your own tax, legal and accounting advisors before engaging in any financial transactions.

YOUR INVESTMENTS AND POTENTIAL CONFLICTS OF INTEREST. Conflicts of interest will arise whenever JPMorgan Chase Bank, N.A. or any of its affiliates (together, "J.P. Morgan") have an actual or perceived economic or other incentive in its management of our clients' portfolios to act in a way that benefits J.P. Morgan. Conflicts will result, for example (to the extent the following activities are permitted in your account): (1) when J.P. Morgan invests in an investment product, such as a mutual fund, structured product, separately managed account or hedge fund issued or managed by JPMorgan Chase Bank, N.A. or an affiliate, such as J.P. Morgan Investment Management Inc.; (2) when a J.P. Morgan entity obtains services, including trade execution and trade clearing, from an affiliate; (3) when J.P. Morgan receives payment as a result of purchasing an investment product for a client's account; or (4) when J.P. Morgan receives payment for providing services (including shareholder servicing, recordkeeping or custody) with respect to investment products purchased for a client's portfolio. Other conflicts will result because of relationships that J.P. Morgan has with other clients or when J.P. Morgan acts for its own account. Investment strategies are selected from both J.P. Morgan and third-party asset managers and are subject to a review process by our manager research teams. From this pool of strategies, our portfolio construction teams select those strategies we believe fit our asset allocation goals and forward-looking views in order to meet the portfolio's investment objective. As a general matter, we prefer J.P. Morgan managed strategies. We expect the proportion of J.P. Morgan managed strategies will be high (in fact, up to 100 percent) in strategies such as, for example, cash and high-quality fixed income, subject to applicable law and any account-specific considerations.

YOUR INVESTMENTS AND POTENTIAL CONFLICTS OF INTEREST. While our internally managed strategies generally align well with our forward-looking views, and we are familiar with the investment processes as well as the risk and compliance philosophy of the firm, it is important to note that J.P. Morgan receives more overall fees when internally managed strategies are included. We offer the option of choosing to exclude J.P. Morgan managed strategies (other than cash and liquidity products) in certain portfolios. The Six Circles Funds are U.S.-registered mutual funds managed by J.P. Morgan and sub-advised by third parties. Although considered internally managed strategies, JPMC does not retain a fee for fund management or other fund services. LEGAL ENTITY, BRAND & REGULATORY INFORMATION. In the United States, bank deposit accounts and related services, such as checking, savings and bank lending, are offered by JPMorgan Chase Bank, N.A. Member FDIC. JPMorgan Chase Bank, N.A. and its affiliates (collectively "JPMCB") offer investment products, which may include bank managed investment accounts and custody, as part of its trust and fiduciary services. Other investment products and services, such as brokerage and advisory accounts, are offered through J.P. Morgan Securities LLC ("JPMS"), a member of FINRA and SIPC. Insurance products are made available through Chase Insurance Agency, Inc. (CIA), a licensed insurance agency, doing business as Chase Insurance Agency Services, Inc. in Florida. JPMCB, JPMS and CIA are affiliated companies under the common control of JPM. Products not available in all states.

LEGAL ENTITY, BRAND & REGULATORY INFORMATION. In Germany, this material is issued by J.P. Morgan SE, with its registered office at Taunustor 1 (TaunusTurm), 60310 Frankfurt am Main, Germany, authorized by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) and jointly supervised by the BaFin, the German Central Bank (Deutsche Bundesbank) and the European Central Bank (ECB). In Luxembourg, this material is issued by J.P. Morgan SE – Luxembourg Branch, with registered office at European Bank and Business Centre, 6 route de Treves, L-2633, Senningerberg, Luxembourg, authorized by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) and jointly supervised by the BaFin, the German Central Bank (Deutsche Bundesbank) and the European Central Bank (ECB); J.P. Morgan SE – Luxembourg Branch is also supervised by the Commission de Surveillance du Secteur Financier (CSSF); registered under R.C.S Luxembourg B255938. In the United Kingdom, this material is issued by J.P. Morgan SE – London Branch, registered office at 25 Bank Street, Canary Wharf, London E14 5JP, authorized by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) and jointly supervised by the BaFin, the German Central Bank (Deutsche Bundesbank) and the European Central Bank (ECB); J.P. Morgan SE – London Branch is also supervised by the Financial Conduct Authority and Prudential Regulation Authority. In Spain, this material is distributed by J.P. Morgan SE, Sucursal en España, with registered office at Paseo de la Castellana, 31, 28046 Madrid, Spain, authorized by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) and jointly supervised by the BaFin, the German Central Bank (Deutsche Bundesbank) and the European Central Bank (ECB); J.P. Morgan SE, Sucursal en España is also supervised by the Spanish Securities Market Commission (CNMV); registered with Bank of Spain as a branch of J.P. Morgan SE under code 1567. In Italy, this material is distributed by J.P. Morgan SE – Milan Branch, with its registered office at Via Cordusio, n.3, Milan 20123, Italy, authorized by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) and jointly supervised by the BaFin, the German Central Bank (Deutsche Bundesbank) and the European Central Bank (ECB); J.P. Morgan SE – Milan Branch is also supervised by Bank of Italy and the Commissione Nazionale per le Società e la Borsa (CONSOB); registered with Bank of Italy as a branch of J.P. Morgan SE under code 8076; Milan Chamber of Commerce Registered Number: REA MI 2536325.

LEGAL ENTITY, BRAND & REGULATORY INFORMATION. In the Netherlands, this material is distributed by J.P. Morgan SE – Amsterdam Branch, with registered office at World Trade Centre, Tower B, Strawinskylaan 1135, 1077 XX, Amsterdam, The Netherlands, authorized by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) and jointly supervised by the BaFin, the German Central Bank (Deutsche Bundesbank) and the European Central Bank (ECB); J.P. Morgan SE – Amsterdam Branch is also supervised by De Nederlandsche Bank (DNB) and the Autoriteit Financiële Markten (AFM) in the Netherlands. Registered with the Kamer van Koophandel as a branch of J.P. Morgan SE under registration number 72610220. In Denmark, this material is distributed by J.P. Morgan SE – Copenhagen Branch, filial af J.P. Morgan SE, Tyskland, with registered office at Kalvebod Brygge 39-41, 1560 København V, Denmark, authorized by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) and jointly supervised by the BaFin, the German Central Bank (Deutsche Bundesbank) and the European Central Bank (ECB); J.P. Morgan SE – Copenhagen Branch, filial af J.P. Morgan SE, Tyskland is also supervised by Finanstilsynet (Danish FSA) and is registered with Finanstilsynet as a branch of J.P. Morgan SE under code 29010. In Sweden, this material is distributed by J.P. Morgan SE – Stockholm Bankfilial, with registered office at Hamngatan 15, Stockholm, 11147, Sweden, authorized by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) and jointly supervised by the BaFin, the German Central Bank (Deutsche Bundesbank) and the European Central Bank (ECB); J.P. Morgan SE – Stockholm Bankfilial is also supervised by Finansinspektionen (Swedish FSA); registered with Finansinspektionen as a branch of J.P. Morgan SE. In Belgium, this material is distributed by J.P. Morgan SE – Brussels Branch with registered office at 35 Boulevard du Régent, 1000, Brussels, Belgium, authorized by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) and jointly supervised by the BaFin, the German Central Bank (Deutsche Bundesbank) and the European Central Bank (ECB);

J.P. Morgan SE Brussels Branch is also supervised by the National Bank of Belgium (NBB) and the Financial Services and Markets Authority (FSMA) in Belgium; registered with the NBB under registration number 0715.622.844. In Greece, this material is distributed by J.P. Morgan SE – Athens Branch, with its registered office at 3 Haritos Street, Athens, 10675, Greece, authorized by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) and jointly supervised by the BaFin, the German Central Bank (Deutsche Bundesbank) and the European Central Bank (ECB); J.P. Morgan SE – Athens Branch is also supervised by Bank of Greece; registered with Bank of Greece as a branch of J.P. Morgan SE under code 124; Athens Chamber of Commerce Registered Number 158683760001; VAT Number 99676577. In France, this material is distributed by JPMorgan Chase Bank, N.A. Paris Branch, registered office at 14, Place Vendome, Paris 75001, France, registered at the Registry of the Commercial Court of Paris under number 712 041 334 and

LEGAL ENTITY, BRAND & REGULATORY INFORMATION. This communication is an advertisement for the purposes of the Markets in Financial Instruments Directive (MIFID II) and the Swiss Financial Services Act (FINSA). Investors should not subscribe for or purchase any financial instruments referred to in this advertisement except on the basis of information contained in any applicable legal documentation, which is or shall be made available in the relevant jurisdictions (as required). In Hong Kong, this material is distributed by JPMCB, Hong Kong branch. JPMCB, Hong Kong branch is regulated by the Hong Kong Monetary Authority and the Securities and Futures Commission of Hong Kong. In Hong Kong, we will cease to use your personal data for our marketing purposes without charge if you so request. In Singapore, this material is distributed by JPMCB, Singapore branch. JPMCB, Singapore branch is regulated by the Monetary Authority of Singapore. Dealing and advisory services and discretionary investment management services are provided to you by JPMCB, Hong Kong/Singapore branch (as notified to you). Banking and custody services are provided to you by JPMCB Singapore Branch. The contents of this document have not been reviewed by any regulatory authority in Hong Kong, Singapore or any other jurisdictions. You are advised to exercise caution in relation to this document. If you are in any doubt about any of the contents of this document, you should obtain independent professional advice. For materials which constitute product advertisement under the Securities and Futures Act and the Financial Advisers Act, this advertisement has not been reviewed by the Monetary Authority of Singapore. JPMorgan Chase Bank, N.A., a national banking association chartered under the laws of the United States, and as a body corporate, its shareholder's liability is limited. With respect to countries in Latin America, the distribution of this material may be restricted in certain jurisdictions.

We may offer and/or sell to you securities or other financial instruments which may not be registered under, and are not the subject of a public offering under, the securities or other financial regulatory laws of your home country. Such securities or instruments are offered and/or sold to you on a private basis only. Any communication by us to you regarding such securities or instruments, including without limitation the delivery of a prospectus, term sheet or other offering document, is not intended by us as an offer to sell or a solicitation of an offer to buy any securities or instruments in any jurisdiction in which such an offer or a solicitation is unlawful. Furthermore, such securities or instruments may be subject to certain regulatory and/or contractual restrictions on subsequent transfer by you, and you are solely responsible for ascertaining and complying with such restrictions. To the extent this content makes reference to a fund, the Fund may not be publicly offered in any Latin American country, without previous registration of such fund´s securities in compliance with the laws of the corresponding jurisdiction.

LEGAL ENTITY, BRAND & REGULATORY INFORMATION. JPMorgan Chase Bank, N.A. (JPMCBNA) (ABN 43 074 112 011/AFS Licence No: 238367) is regulated by the Australian Securities and Investment Commission and the Australian Prudential Regulation Authority. Material provided by JPMCBNA in Australia is to "wholesale clients" only. For the purposes of this paragraph the term "wholesale client" has the meaning given in section 761G of the Corporations Act 2001 (Cth). Please inform us if you are not a Wholesale Client now or if you cease to be a Wholesale Client at any time in the future. JPMS is a registered foreign company (overseas) (ARBN 109293610) incorporated in Delaware, U.S.A. Under Australian financial services licensing requirements, carrying on a financial services business in Australia requires a financial service provider, such as J.P. Morgan Securities LLC (JPMS), to hold an Australian Financial Services Licence (AFSL), unless an exemption applies. JPMS is exempt from the requirement to hold an AFSL under the Corporations Act 2001 (Cth) (Act) in respect of financial services it provides to you, and is regulated by the SEC, FINRA and CFTC under US laws, which differ from Australian laws. Material provided by JPMS in Australia is to "wholesale clients" only. The information provided in this material is not intended to be, and must not be, distributed or passed on, directly or indirectly, to any other class of persons in Australia. For the purposes of this paragraph the term "wholesale client" has the meaning given in section 761G of the Act. Please inform us immediately if you are not a Wholesale Client now or if you cease to be a Wholesale Client at any time in the future. This material has not been prepared specifically for Australian investors. It: may contain references to dollar amounts which are not Australian dollars; may contain financial information which is not prepared in accordance with Australian law or practices; may not address risks associated with investment in foreign currency denominated investments; and does not address Australian tax issues.

LEGAL ENTITY, BRAND & REGULATORY INFORMATION. References to "J.P. Morgan" are to JPM, its subsidiaries and affiliates worldwide. "J.P. Morgan Private Bank" is the brand name for the private banking business conducted by JPM. This material is intended for your personal use and should not be circulated to or used by any other person, or duplicated for non-personal use, without our permission. If you have any questions or no longer wish to receive these communications, please contact your J.P. Morgan team. © 2026 JPMorgan Chase & Co. All rights reserved.

Logo: J.P. Morgan.