Opinion: Third-Party SaaS Risk—Why JPMorgan's Warning Demands Action

May 12, 2025

JPMorgan Chase's recent open letter to third-party suppliers is a must-read for anyone responsible for their organization's security. As a security professional, I strongly agree: the risks introduced by third-party SaaS and software providers are now among the most critical threats facing modern businesses.

"SaaS has become the default and is often the only format in which software is now delivered, leaving organizations with little choice but to rely heavily on a small set of leading service providers, embedding concentration risk into global critical infrastructure... This fundamental shift demands our collective immediate attention." — JPMorgan, May 2025

The Hidden Dangers of SaaS and Third-Party Integrations

JPMorgan's CISO, Patrick Opet, highlights a reality I see every day: SaaS and cloud integrations are quietly eroding decades of hard-won security boundaries. The drive for rapid innovation and seamless integration has led to:

These issues aren't theoretical. As I've discussed in Third-Party Risk Management: Best Practices, attackers are increasingly targeting trusted integration partners to gain access to downstream customers. The Marks & Spencer data breach and Dior's China data breach are recent, real-world examples of how third-party weaknesses can have devastating consequences.

Why I Strongly Support JPMorgan's Call to Action

JPMorgan is right: security must be prioritized over feature velocity. Providers must build security in by default, and customers must demand transparency, robust controls, and continuous evidence that those controls are working. Annual compliance checkboxes are not enough.

But the responsibility doesn't stop with providers. Every organization must:

Recent Evidence: The Brosix and Chatox Breach

The recent Brosix and Chatox data breach illustrates JPMorgan's concerns precisely. These communication platforms advertised "end-to-end encryption", yet more than 100 million chat messages were exposed in plaintext, including sensitive healthcare data and government communications. A message that the provider can expose in plaintext was never end-to-end encrypted in any meaningful sense: the provider, not the endpoints, held the keys. The lesson is twofold: a vendor's security claims are not evidence until they have been verified, and a single provider's failure cascades to every organization that relies on it.

Hardware Supply Chain Risks: The Lenovo Webcam Vulnerability

The Lenovo Webcam BadUSB vulnerability represents another critical dimension of third-party risk: hardware supply chain compromise. Because the affected webcams accepted firmware updates without verifying their authenticity, an attacker with code execution on the host (or with physical access to the device before delivery) could rewrite the camera's firmware and turn it into a BadUSB device that also enumerates as a keyboard and injects keystrokes. Such an implant lives in the peripheral rather than on the disk, so it survives an operating system reinstall and is invisible to host-based tooling that only looks at software. This incident underscores the need for supply chain security that extends beyond software to include hardware and firmware validation: signed firmware, an inventory of what each peripheral is expected to present to the host, and alerting when that changes.
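One concrete check a practitioner can run for the reflashed-webcam case above is to inventory what interface classes each USB device actually presents and flag a camera that also exposes a keyboard or storage interface, or whose class set has grown since it was enrolled. The script below is an added example, not code from the page, from Lenovo or from the researchers who reported the issue. It parses `lsusb -v` style output (lsusb prints `bInterfaceClass` as a decimal number) and ships with a constructed sample listing; the vendor IDs, product IDs and device names in that sample are made up for illustration, and the baseline dictionary is an assumed enrollment record rather than real data.

```python
"""Flag USB devices whose interface mix is implausible for a webcam.

Added example (not from the page or any vendor). A BadUSB-style reflash of a
webcam typically makes the device additionally enumerate as a HID keyboard or
mass-storage device, so a video device that also presents class 0x03 or 0x08,
or a known device whose class set has grown since enrollment, deserves a look.
"""
import re
from dataclasses import dataclass, field

# USB interface class codes (USB-IF class code table). lsusb prints them in decimal.
AUDIO = 0x01
HID = 0x03
MASS_STORAGE = 0x08
VIDEO = 0x0E

# Classes a plain webcam has no business exposing alongside its video interface.
SUSPECT_WITH_VIDEO = {HID, MASS_STORAGE}

# Constructed sample in the shape of `lsusb -v` output. IDs and names are invented.
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID abcd:0001 Example Corp Plain Webcam
    Interface Descriptor:
      bInterfaceClass         14 Video
    Interface Descriptor:
      bInterfaceClass         14 Video
    Interface Descriptor:
      bInterfaceClass          1 Audio
Bus 001 Device 003: ID abcd:0002 Example Corp Keyboard
    Interface Descriptor:
      bInterfaceClass          3 Human Interface Device
Bus 001 Device 004: ID abcd:0003 Example Corp Reflashed Webcam
    Interface Descriptor:
      bInterfaceClass         14 Video
    Interface Descriptor:
      bInterfaceClass          3 Human Interface Device
"""


@dataclass
class UsbDevice:
    bus: str
    dev: str
    vid: str
    pid: str
    name: str
    classes: set = field(default_factory=set)

    @property
    def key(self):
        return f"{self.vid}:{self.pid}"


def parse_lsusb_verbose(text):
    """Return one UsbDevice per 'Bus ... Device ...: ID vvvv:pppp name' header,
    collecting every bInterfaceClass value listed beneath it."""
    devices = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)", line)
        if m:
            current = UsbDevice(*m.groups())
            devices.append(current)
            continue
        m = re.match(r"\s*bInterfaceClass\s+(\d+)", line)
        if m and current is not None:
            current.classes.add(int(m.group(1)))  # decimal in lsusb output
    return devices


def find_suspicious(devices):
    """Video devices that also expose HID or mass storage: (vid:pid, name, classes)."""
    findings = []
    for d in devices:
        if VIDEO in d.classes and d.classes & SUSPECT_WITH_VIDEO:
            findings.append((d.key, d.name, sorted(d.classes & SUSPECT_WITH_VIDEO)))
    return findings


def gained_classes(baseline, devices):
    """Devices whose class set has grown relative to an enrollment baseline.

    baseline maps 'vid:pid' -> set of interface classes recorded when the device
    was first approved. A camera that later sprouts a HID interface shows up here
    even if the vendor's product ID never changed."""
    out = {}
    for d in devices:
        if d.key in baseline:
            new = d.classes - baseline[d.key]
            if new:
                out[d.key] = sorted(new)
    return out


if __name__ == "__main__":
    devs = parse_lsusb_verbose(SAMPLE_LSUSB)
    for vidpid, name, extra in find_suspicious(devs):
        print(f"SUSPICIOUS {vidpid} {name}: video device also exposes classes {extra}")
    # Assumed enrollment baseline (constructed): both cameras were video+audio at approval.
    baseline = {"abcd:0001": {VIDEO, AUDIO}, "abcd:0002": {HID}, "abcd:0003": {VIDEO, AUDIO}}
    for vidpid, new in gained_classes(baseline, devs).items():
        print(f"CHANGED {vidpid}: new interface classes since enrollment {new}")
```

On a real host, feed the script the output of `lsusb -v` (or walk `/sys/bus/usb/devices/*/bInterfaceClass`) and keep the enrollment baseline in configuration management. The inventory is a detection, not a preventive control; pairing it with a USBGuard policy that only authorizes expected interface classes per device stops the injected keyboard from being accepted in the first place.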

How Peter Hallen Security Services Can Help

At Peter Hallen Security Services, we specialize in:

If you're concerned about the risks your SaaS and software vendors introduce, contact us today for a free consultation.

Further Reading & Reciprocal Links

By cross-referencing these articles, you'll gain a comprehensive understanding of the evolving threat landscape—and how to protect your business from the next supply chain attack.

For the original open letter and more insights, read JPMorgan's blog.

third-party risk, SaaS, supply chain, cybersecurity