JPMorgan Chase, AT&T, Mastercard Form Alliance for Critical Infrastructure (ACI) to Bolster Cross-Sector Cyber Defense

Citing Lack of Faith in Government, US Corporations Launch New Infrastructure Defense Alliance

INFORMATIONAL
May 11, 2026
Policy and Compliance, Security Operations, Regulatory

Related Entities

Organizations

Alliance for Critical Infrastructure (ACI)

Other

JPMorgan Chase, Mastercard, AT&T, Berkshire Hathaway Energy, United States

Full Report

Executive Summary

In a significant move signaling a shift in the public-private security paradigm, a group of U.S. corporate giants has formed the Alliance for Critical Infrastructure (ACI). This new coalition, which includes JPMorgan Chase, Mastercard, AT&T, and Berkshire Hathaway Energy, aims to take a leading role in protecting the nation's essential infrastructure. The formation is driven by a perception of a retreating federal government role and dwindling faith in its capacity to lead cybersecurity partnerships. The ACI will focus on enhancing cross-sector coordination, developing shared risk models, and creating response plans for complex, multi-faceted crises, effectively taking ownership of a problem they believe they can no longer outsource to Washington.

Regulatory Details

The ACI is not a formal regulatory body but a private-sector-led initiative. Its power comes from the influence and operational control its members wield over vast swaths of U.S. critical infrastructure.

  • Name: Alliance for Critical Infrastructure (ACI)
  • Mandate: To improve cross-sector coordination, planning, and response for major cybersecurity crises affecting U.S. critical infrastructure.
  • Jurisdiction: United States.
  • Key Goal: To develop a national response protocol for a 'polycrisis'—a large-scale emergency with both physical and digital consequences impacting multiple sectors simultaneously.

Affected Organizations

The alliance is composed of, and will primarily affect, operators of critical infrastructure in the United States. Key founding members include:

  • Financial Services: JPMorgan Chase, Mastercard
  • Telecommunications: AT&T
  • Energy: Berkshire Hathaway Energy

The ACI is an evolution of the Tri-Sector Executive Working Group, and its work is intended to benefit all 16 critical infrastructure sectors defined by the U.S. government.

Compliance Requirements

As a voluntary, private-sector body, the ACI does not impose legally binding compliance requirements. Instead, it will produce guidance, white papers, and best practices that its members and other organizations can adopt.

  • White Papers: The ACI plans to publish documents to help different sectors understand each other's operational dependencies and security postures.
  • Response Protocols: A key deliverable will be a national-level response protocol designed to be used during a major crisis, outlining roles, responsibilities, and communication channels between different private sector entities.
  • Information Sharing: The alliance will serve as a high-level forum for sharing sensitive threat intelligence and risk information among trusted C-suite leaders.

Implementation Timeline

  • February 2026: The ACI was formally launched.
  • May 11, 2026: The ACI's mission and structure were detailed in a public report.
  • Ongoing: The alliance will work to develop and publish its initial set of white papers and response protocols.

Impact Assessment

The formation of the ACI has several significant impacts:

  • Shift in Responsibility: It marks a formal acknowledgment by the private sector that it is ultimately responsible for its own security and cannot rely solely on the government for protection or leadership in a crisis.
  • Geopolitical Factoring: It reflects a growing trend of corporations integrating geopolitical risk into their core strategic planning, treating nation-state cyber threats as a fundamental business risk.
  • Potential for Standardization: The ACI's work could lead to de facto industry standards for cross-sector crisis management and security planning.
  • Leadership Vacuum: The move highlights a perceived leadership and capability gap at the federal level, potentially stemming from budget cuts and personnel losses at key agencies like CISA.

Compliance Guidance

While not a regulatory body, organizations can align with the ACI's goals by taking the following steps:

  1. Map Dependencies: Conduct a thorough analysis of your organization's dependencies on other critical infrastructure sectors. For example, a bank (finance) depends on power (energy) and internet connectivity (telecoms). Understand the cascading effects of an outage in a dependent sector.
  2. Engage in Cross-Sector Exercises: Participate in tabletop exercises and simulations that involve partners from other sectors to test communication and response plans.
  3. Review ACI Publications: Once published, review the ACI's white papers and protocols and assess how they can be integrated into your organization's existing incident response and business continuity plans.
  4. Strengthen Public-Private Partnerships: While the ACI was formed due to perceived government shortfalls, maintaining strong relationships with agencies like the FBI and CISA remains crucial for access to intelligence and resources.

Timeline of Events

  1. February 1, 2026: The Alliance for Critical Infrastructure (ACI) was officially launched.
  2. May 11, 2026: The ACI's formation and goals are detailed in a public report.
  3. May 11, 2026: This article was published.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

ACI, Critical Infrastructure, Public-Private Partnership, Cybersecurity Policy, USA, JPMorgan Chase, AT&T, Mastercard
