Third-Party Risk Alarm: A JPMorgan Executive Calls Out Software-as-a-Service

Written by Michael Shashoua | August 8, 2025

The volatile mix of geopolitical and cyber risks was expected to stir the pot at the 2025 RSA Conference, one of the biggest cybersecurity gatherings. Yet alarm about a third-party risk caused a buzz that reverberated during and well beyond the San Francisco event.

It was an April open letter by Patrick Opet, JPMorgan Chase’s chief information security officer, that took to task third-party technology suppliers, specifically the “software-as-a-service (SaaS) delivery model,” for enabling cyber attackers and “creating a substantial vulnerability that is weakening the global economic system.”

Restating his view on LinkedIn, Opet said, “SaaS has delivered real enterprise value – but it’s also quietly introduced dangerous concentration risk.” The letter’s 800-plus words laid out why “security must be built in by default; the SaaS integration models have undermined foundational security practices; and convenience can no longer outpace control.”

The salvo prompted reactions such as this “RSAC takeaway” from SAFE Security: “Third-party risk management (TPRM) isn’t just a pain point. It’s the pain point.” The vendor went on to say that “the market is waking up to a reality: Manual third-party risk management just can’t keep up. And automation isn’t a ‘nice to have’ anymore – it’s survival.” (SAFE sells what it calls “the industry’s first fully autonomous TPRM platform” using agentic AI.)

The letter was left online to speak for itself.

“Opet’s letter highlights a fundamental asymmetry,” Amir Khayat, co-founder and CEO of Vorlon, which specializes in SaaS ecosystem security, wrote in an SC Media commentary. “Vendors hold the keys, but customers bear the consequences.”

Mentioned in dozens of LinkedIn comments, Khayat said, “was the lack of usable logging and visibility from vendors. As one commenter put it: ‘It’s absolutely critical that SaaS providers stop thinking of things like logging and SSO [single sign-on] as additional SKUs [tracking codes].’”

Beyond Slogans

While acknowledging the broad acceptance of SaaS and its likely staying power, CISO Opet insisted that risks in the software supply chain are worsening and that the situation requires urgent prioritization and modernization.

“‘Secure and resilient by design’ must go beyond slogans,” said the “Call to Action” section of the letter. “It requires continuous, demonstrable evidence that controls are working effectively, not simply relying on annual compliance checks . . .

“We must establish new security principles and implement robust controls that enable the swift adoption of cloud services while protecting customers from their providers' vulnerabilities. Traditional measures like network segmentation, tiering, and protocol termination were durable in legacy principles but may no longer be viable today in a SaaS integration model. Instead, we need sophisticated authorization methods, advanced detection capabilities, and proactive measures to prevent the abuse of interconnected systems.”

Sharing Responsibility

Providers and users both have a role, said Kris Lau, managing director at advisory firm ACA Group’s ACA Aponix. “We see this a lot in SaaS-based applications and cloud applications,” he explained. “The vendor will provide a framework in a platform. The user has a duty to configure that properly from a security perspective.”

Kris Lau of ACA Aponix

In pondering Opet’s point of view, Lau compared choosing SaaS to buying a car: “You don't go to the car dealer and then have to worry about checking the brakes yourself and checking that the airbags are working.” Opet is essentially telling vendors not to release products without embedding security – “Don’t put that responsibility on me to have to worry about whether or not your product was safe to use.”

If a bank cannot get a SaaS supplier to change its practices or security controls, then it has to do what it can to mitigate the risk. Said Lau: “Can I have a workaround if they go down? Or if there are certain data elements that they don't necessarily need, that would reduce the potential impact. There are things that can be done, even if the vendor can't or won't make changes on their side.”

Management Adjustment

According to Eric Hensley, chief technology officer and chief security officer at risk management solutions company Aravo, Opet is reacting to how companies’ IT management has changed, as responsibilities formerly handled in-house have shifted to SaaS providers.

Eric Hensley of Aravo

“His concern is very familiar to me from talking with our customers,” Hensley noted. “It’s a lack of comfort, because it’s been a big change.” He added that Aravo’s services include addressing the concentration risk that Opet identified.

“You have to assess the risks of all of these SaaS companies and think about the data,” he continued, but using “one giant provider” can be risky. “If you have multiple providers, at least you have the opportunity to determine how they are interacting.” Still, “there is no such thing as a protected interior where you don't have to worry so much about your security.”

“Handing all of this off” through outsourcing is no panacea, Hensley said. His outlook, however, is optimistic, because over time, “SaaS companies are going to do what they do better.”

“Urgently Reprioritize”

Looking beyond the current “critical juncture,” Opet wants providers to “urgently reprioritize security, placing it equal to or above launching new products.” Desirable measures include secure-by-default configurations, transparency to risks, and controls needed to operate safely within a SaaS delivery model.

“There are some solutions available today, like confidential computing, customer self-hosting, and bring your own cloud, which all give organizations stronger controls to protect their data while enabling them to benefit from SaaS solutions,” the security executive wrote.

He called for security principles and controls to allow use of the cloud while protecting customers from provider vulnerabilities, as well as “sophisticated authorization methods, advanced detection capabilities, and proactive measures to prevent the abuse of interconnected systems.”

Hensley commented, “When a big innovation happens, a lot of times those costs get swept under the rug. Opet is trying to raise the profile of that. I’m completely sympathetic to that.”

A cyber attack in June on Chain IQ, a Swiss procurement service provider, reportedly exposed personal data of 130,000 UBS employees including CEO Sergio Ermotti. Ilia Kolochenko, CEO of application security company ImmuniWeb, called that “a grim reminder that third parties are the Achilles’ heel even of the largest financial institutions.”