The chief information security officer at JPMorgan Chase is calling on third-party software providers to prioritise security over speed to market, warning that the shift to a SaaS delivery model is creating "substantial vulnerability".
In an open letter, JPMorgan Ciso Patrick Opet warns that the now-default Software-as-a-Service delivery model is "quietly enabling cyber attacks" and "weakening the global economic system".
SaaS has become the default and is often the only format in which software is now delivered, leaving firms with little choice but to rely heavily on a small set of providers, embedding concentration risk into global critical infrastructure.
The SaaS model provides efficiency and rapid innovation, says Opet, but it also magnifies the impact of any weakness, outage, or breach, creating single points of failure with potentially catastrophic systemwide consequences.
JPMorgan Chase has seen "a number" of incidents over the last three years at third-party providers across the bank's supply chain which required it to isolate compromised providers and throw resources at threat mitigation.
Opet says that competition among software providers has also driven them to push rapid feature development over robust security.
He calls for the industry to modernise their security architecture, telling providers they "must urgently reprioritise security, placing it equal to or above launching new products".