On April 25, 2025, Patrick Opet, CISO of JPMorgan Chase, issued an open letter to technology providers, urging the industry to address growing concerns about software supply chain security. His message emphasized the increasing operational and systemic risks associated with SaaS providers, particularly in highly regulated sectors like financial services.
To many across the SaaS and cyber security industries, this comes as no great surprise. For years, large businesses have been heavily investing in their own cyber security. However, in response, cyber criminals are moving down the supply chain to third party vendors as the new attack surface to bypass in-house security measures.
Instead of defensive posturing, we see this as an opportunity to demonstrate how purpose-built solutions can directly address these critical concerns. In particular, Opet’s call aligns with a wider industry shift—spurred by frameworks such as the EU’s DORA and the UK’s CTP regime—toward greater transparency, accountability, and operational resilience throughout the supply chain.
Head of Governance, Risk and Compliance, AutoRek.
Supporting Resilience Through Deployment Choice
A key concern raised in the open letter is the industry’s growing reliance on single deployment models that can introduce concentration risk. Many SaaS providers operate solely in multi-tenant environments with shared IT infrastructure and common update cycles—an approach that can create efficiencies, but may not suit all customers’ control or compliance requirements.
One solution, and our own approach, is to offer deployment flexibility—whether that’s via public cloud, or on-premise. These technical capabilities support both single-tenant and hybrid models, giving clients greater control over how and where their data and workloads are managed.
For example, our asset management clients processing legacy data sets may choose an on-premise deployment for maximum control, while payment processors handling high transaction volumes might opt for our scalable cloud managed service solution.
This flexibility doesn’t need to come at the expense of innovation. Release cycles can be structured to give customers clarity and choice around when to adopt updates, with rigorous testing built into the process. In sectors where operational continuity is mission-critical, this control can be just as important as feature velocity.
Reducing Supply Chain Complexity
Opet’s letter also touches on the systemic risks posed by opaque third-party dependencies. In this regard, a conservative approach to supply chain design can help to minimize reliance on external services in the delivery of core applications.
When cloud infrastructure is relied on, robust business continuity and disaster recovery planning is required, including real-time replication across zones. We actively monitor our providers and maintain the transparency needed to support regulatory expectations around fourth-party oversight.
Resilience is about more than just technical architecture—it’s about building a culture of preparedness, and ensuring clients are confident in how their data is managed, stored, and protected.
Continuous Assurance, Not Annual Compliance
Another theme highlighted is the insufficiency of annual certifications as a stand-alone assurance model. Frameworks like ISO27001 and SOC 2 should be foundational—but not the end of the story.
Organizations must provide ongoing support for client audits and due diligence, and encourage proactive engagement between teams and clients’ governance, risk, and compliance (GRC) functions. Security and resilience aren’t one-off milestones—they are continuous, evolving responsibilities.
Enabling Secure, Governed Use of AI
The growing use of AI across the software landscape brings new opportunities—and new responsibilities. Vendors are integrating AI features in areas such as anomaly detection and process automation, always with clear governance and internal risk oversight.
For regulated firms, assurance around how AI is deployed, tested, and controlled is critical. Having said that, ensuring that any AI capabilities within platforms are developed with transparency, control, and compliance at the forefront, is essential.
Building Tomorrow’s Security Standards Today
The message from JPMorgan Chase serves as an important reminder: as technology providers, we are an extension of our customers’ risk environments. Our role is not just to deliver functionality—it’s to help our clients operate safely, confidently, and compliantly in an increasingly complex world.
SaaS providers must commit to providing the flexibility, transparency, and resilience that financial services firms need to navigate today’s evolving regulatory expectations.
In return, the firms that will thrive are those that view security not as a compliance checkbox, but as a competitive advantage built through genuine partnership with their technology providers.
We’ve listed the best software asset management (SAM) tools.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
