JPMorgan Chase’s Chief Information Security Officer, Patrick Opet, has issued a stark warning to third-party software vendors: the Software-as-a-Service (SaaS) delivery model, now the default across much of the industry, is creating systemic cyber vulnerabilities that threaten the global economic system.
In an open letter, Opet criticises the SaaS model for prioritising speed and product delivery over foundational security. While SaaS brings agility and efficiency, it also consolidates risk by funnelling critical infrastructure through a limited number of external providers—creating single points of failure and amplifying the impact of any breach or outage.
“SaaS is quietly enabling cyber attacks and weakening the global economic system,” Opet warns.
JPMorgan has experienced “a number” of security incidents at third-party providers over the past three years. In each case, the bank was forced to isolate compromised vendors and divert resources to containment and mitigation, underscoring the fragility and interconnectedness of today’s software supply chain.
Opet argues that the competitive pressure to ship new features fast has pushed vendors to deprioritise robust cybersecurity practices, effectively leaving their clients exposed.
His call to action is clear:
“Software providers must urgently reprioritise security, placing it equal to—or above—launching new products.”
Opet urges vendors to modernise their security architectures, warning that without a fundamental industry shift, the growing reliance on SaaS will continue to fuel cybersecurity threats at scale.