Opinion: Third-Party SaaS Risk—Why JPMorgan's Warning Demands Action
By Peter Hallen
JPMorgan Chase's recent open letter to third-party suppliers is a must-read for anyone responsible for their organization's security. As a security professional, I strongly agree: the risks introduced by third-party SaaS and software providers are now among the most critical threats facing modern businesses.
"SaaS has become the default and is often the only format in which software is now delivered, leaving organizations with little choice but to rely heavily on a small set of leading service providers, embedding concentration risk into global critical infrastructure... This fundamental shift demands our collective immediate attention."
— JPMorgan, May 2025
The Hidden Dangers of SaaS and Third-Party Integrations
JPMorgan's CISO, Patrick Opet, highlights a reality I see every day: SaaS and cloud integrations are quietly eroding decades of hard-won security boundaries. The drive for rapid innovation and seamless integration has led to:
- Collapsed security perimeters—APIs and direct integrations now connect sensitive internal systems to the internet, often with minimal segmentation.
- Overly broad permissions—Authentication and authorization are frequently merged, granting third parties more access than necessary.
- Opaque supply chains—Fourth-party dependencies and hidden vendor relationships multiply risk, often without your knowledge.
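To make the second bullet concrete, here is an added example (not code from the original post or from Peter Hallen Security Services) contrasting an API handler that merges authentication with authorization against one that keeps them separate. The token format (HMAC-SHA256 over base64 JSON claims), the shared secret, the `billing-api` audience, the `vendor-a` integration and the scope table are all constructed for the illustration; a real deployment would use per-integration keys from a secrets manager and a standard token library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; real deployments use per-integration keys
# from a secrets manager, never a module constant.
SHARED_SECRET = b"demo-secret-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue a signed token: base64(claims) + '.' + HMAC-SHA256 tag."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def authenticate(token: str) -> Optional[dict]:
    """Authentication only: prove the token is ours and intact.
    Returns the claims, or None if the signature does not verify."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(_unb64(body))


# --- Anti-pattern: authentication and authorization merged ----------------
def handle_merged(token: str, action: str, resource: str) -> str:
    claims = authenticate(token)
    if claims is None:
        return "deny: invalid token"
    # Any integration holding a valid token gets every action on every
    # resource: identity has been checked, entitlement has not.
    return f"allow: {claims['sub']} {action} {resource}"


# --- Separated: authenticate, then authorize against explicit scopes ------
# Constructed mapping from (action, resource) to the scope that permits it.
REQUIRED_SCOPE = {
    ("read", "invoices"): "invoices:read",
    ("write", "invoices"): "invoices:write",
    ("read", "payroll"): "payroll:read",
}
API_AUDIENCE = "billing-api"  # constructed identifier for this service


def authorize(claims: dict, action: str, resource: str,
              now: Optional[float] = None) -> Optional[str]:
    """Return a denial reason, or None if the request is permitted."""
    now = time.time() if now is None else now
    if claims.get("aud") != API_AUDIENCE:
        return "token issued for a different service"
    if claims.get("exp", 0) <= now:
        return "token expired"
    needed = REQUIRED_SCOPE.get((action, resource))
    if needed is None:
        return "no scope defined for this operation"  # default deny
    if needed not in claims.get("scope", []):
        return f"missing scope {needed}"
    return None


def handle_separated(token: str, action: str, resource: str,
                     now: Optional[float] = None) -> str:
    claims = authenticate(token)
    if claims is None:
        return "deny: invalid token"
    reason = authorize(claims, action, resource, now)
    if reason:
        return f"deny: {reason}"
    return f"allow: {claims['sub']} {action} {resource}"


if __name__ == "__main__":
    # Constructed token for a third-party integration limited to reading invoices.
    tok = mint_token({"sub": "vendor-a", "aud": API_AUDIENCE,
                      "exp": 2_000_000_000, "scope": ["invoices:read"]})
    print("merged   :", handle_merged(tok, "write", "payroll"))
    print("separated:", handle_separated(tok, "write", "payroll", now=1_700_000_000))
    print("separated:", handle_separated(tok, "read", "invoices", now=1_700_000_000))
```

The merged handler answers only "is this token genuine?", so a read-only invoicing integration can write to payroll. The separated handler additionally asks "is this token for this service, still valid, and carrying the scope this operation needs?", and denies by default when an operation has no scope defined. That default-deny table is the piece most often missing when integrations are wired up for speed.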
These issues aren't theoretical. As I've discussed in Third-Party Risk Management: Best Practices, attackers are increasingly targeting trusted integration partners to gain access to downstream customers. The Marks & Spencer data breach and Dior's China data breach are recent, real-world examples of how third-party weaknesses can have devastating consequences.
Why I Strongly Support JPMorgan's Call to Action
JPMorgan is right: security must be prioritized over feature velocity. Providers must build security in by default, and customers must demand transparency, robust controls, and continuous evidence that those controls are working. Annual compliance checkboxes are not enough.
But the responsibility doesn't stop with providers. Every organization must:
- Continuously assess third-party risk
- Demand secure-by-design solutions
- Monitor for changes in vendor risk posture
- Have a plan for isolating or replacing compromised providers
How Peter Hallen Security Services Can Help
At Peter Hallen Security Services, we specialize in:
- Third-Party Risk Assessments: We map your SaaS and software supply chain, identify hidden dependencies, and evaluate vendor security practices.
- Vendor Due Diligence: We help you ask the right questions and demand the right evidence from your providers.
- Incident Response Planning: We ensure you're ready to act if a third-party provider is compromised.
- Continuous Monitoring: We provide ongoing oversight so you're never caught off guard by changes in your risk landscape.
If you're concerned about the risks your SaaS and software vendors introduce, contact us today for a free consultation.
Further Reading & Reciprocal Links
- Third-Party Risk Management: Best Practices
- Marks & Spencer Data Breach: A Wake-Up Call for Retail Security
- Dior's China Data Breach: A Stark Reminder of Data Holders' Security Obligations
- A Python in Disguise: PyInstaller Malware Targets macOS
By cross-referencing these articles, you'll gain a comprehensive understanding of the evolving threat landscape—and how to protect your business from the next supply chain attack.
For the original open letter and more insights, read JPMorgan's blog.