“The modern SaaS delivery model is quietly enabling cyber attackers”: JP Morgan Chase CISO speaks out against popular software service delivery model

Patrick Opet, Chief Information Security Officer at JP Morgan Chase says there is a growing risk in the software supply chain.


The chief information security officer at financial services giant JP Morgan Chase has come out against current SaaS models, saying the delivery model is “enabling cyber attackers”.

In an open letter published this week to third-party suppliers, Patrick Opet, CISO at JP Morgan Chase, said that as SaaS adoption grows it is creating a substantial vulnerability that is weakening the global economic system.

He said, “There is a growing risk in our software supply chain and we need your action.”

As SaaS becomes the default, and sometimes the only, format in which software is delivered, Opet said this leaves organisations with “little choice” but to rely heavily on a small set of leading service providers, embedding concentration risk into global critical infrastructure.

“While this model delivers efficiency and rapid innovation, it simultaneously magnifies the impact of any weakness, outage, or breach, creating single points of failure with potentially catastrophic systemwide consequences,” he said.

“Historically, software was distributed across diverse environments, each with unique security practices, inherently limiting the scale of any single breach.”

He continued, “Today, an attack on one major SaaS or PaaS provider can immediately ripple through its customers. This fundamental shift demands our collective immediate attention.”

Opet said over the past three years the company’s third-party providers have experienced several incidents within their environments.

“These incidents across our supply chain required us to act swiftly and decisively, including isolating certain compromised providers, and dedicating substantial resources to threat mitigation,” he explained.

Who is to blame?

Opet lists the reasons why this problem has emerged, ranging from fierce competition to inadequately secured authentication tokens.

He said fierce competition has “driven prioritisation of rapid feature development over robust security”.

Opet also points the finger at how SaaS models have changed the way companies integrate services and data.

He said this is “a subtle yet profound shift eroding decades of carefully architected security boundaries”.

Other reasons Opet gave for SaaS becoming a major problem include: inadequately secured authentication tokens vulnerable to theft and reuse; software providers gaining privileged access to customer systems without explicit consent or transparency; and opaque fourth-party vendor dependencies silently expanding this same risk upstream.

Opet urged providers to reprioritise security, placing it equal to or above launching new products.

“‘Secure and resilient by design’ must go beyond slogans—it requires continuous, demonstrable evidence that controls are working effectively, not simply relying on annual compliance checks.”

He asked readers to reject integration models without better solutions.

“I hope you’ll join me in recognising this challenge and responding decisively, collaboratively, and immediately,” he ended.

Read the open letter here.
