From Risk to Resilience: A SaaS Provider's Blueprint for Financial Services Security
Date:
Fri, 01 Aug 2025 10:38:21 +0000
Description:
JPMorgan issued an open letter to technology providers to address software supply chain security.
FULL STORY ======================================================================
On April 25, 2025, Patrick Opet, CISO of JPMorgan Chase, issued an open
letter to technology providers, urging the industry to address growing concerns about software supply chain security. His message emphasized the increasing operational and systemic risks associated with SaaS providers, particularly in highly regulated sectors like financial services.
To many across the SaaS and cyber security industries, this comes as no great surprise. For years, large businesses have been investing heavily in their own cyber security. In response, cyber criminals are moving down the supply chain and targeting third-party vendors as a new attack surface through which to bypass in-house security measures.
Instead of defensive posturing, we see this as an opportunity to demonstrate how purpose-built solutions can directly address these critical concerns. In particular, Opet's call aligns with a wider industry shift, spurred by frameworks such as the EU's DORA (Digital Operational Resilience Act) and the UK's CTP (critical third parties) regime, toward greater transparency, accountability, and operational resilience throughout the supply chain.

Supporting Resilience Through Deployment Choice
A key concern raised in the open letter is the industry's growing reliance on single deployment models that can introduce concentration risk. Many SaaS providers operate solely in multi-tenant environments with shared IT infrastructure and common update cycles, an approach that creates efficiencies but may not suit every customer's control or compliance requirements.
One solution, and our own approach, is to offer deployment flexibility, whether that is via public cloud or on-premise. These technical capabilities support both single-tenant and hybrid models, giving clients greater control over how and where their data and workloads are managed.
For example, our asset management clients processing legacy data sets may choose an on-premise deployment for maximum control, while payment processors handling high transaction volumes might opt for our scalable cloud managed service solution.
This flexibility doesn't need to come at the expense of innovation. Release cycles can be structured to give customers clarity and choice around when to adopt updates, with rigorous testing built into the process. In sectors where operational continuity is mission-critical, this control can be just as important as feature velocity.

Reducing Supply Chain Complexity
Opet's letter also touches on the systemic risks posed by opaque third-party dependencies. Here, a conservative approach to supply chain design can minimize reliance on external services in the delivery of core applications.
Where cloud infrastructure is relied on, robust business continuity and disaster recovery planning is required, including real-time replication across availability zones. We actively monitor our providers and maintain the transparency needed to support regulatory expectations around fourth-party oversight.
Resilience is about more than just technical architecture; it is about building a culture of preparedness, and ensuring clients are confident in how their data is managed, stored, and protected.

Continuous Assurance, Not Annual Compliance
Another theme highlighted is the insufficiency of annual certifications as a stand-alone assurance model. Frameworks like ISO 27001 and SOC 2 should be foundational, but not the end of the story.
Organizations must provide ongoing support for client audits and due diligence, and encourage proactive engagement between their own teams and clients' governance, risk, and compliance (GRC) functions. Security and resilience aren't one-off milestones; they are continuous, evolving responsibilities.

Enabling Secure, Governed Use of AI
The growing use of AI across the software landscape brings new opportunities, and new responsibilities. Vendors are integrating AI features in areas such as anomaly detection and process automation, and these features should sit under clear governance and internal risk oversight.
For regulated firms, assurance around how AI is deployed, tested, and controlled is critical. It is therefore essential that any AI capabilities within platforms are developed with transparency, control, and compliance at the forefront.

Building Tomorrow's Security Standards Today
The message from JPMorgan Chase serves as an important reminder: as technology providers, we are an extension of our customers' risk environments. Our role is not just to deliver functionality; it is to help our clients operate safely, confidently, and compliantly in an increasingly complex world.
SaaS providers must commit to providing the flexibility, transparency, and resilience that financial services firms need to navigate today's evolving regulatory expectations.
In return, the firms that will thrive are those that view security not as a compliance checkbox, but as a competitive advantage built through genuine partnership with their technology providers.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
https://www.techradar.com/news/submit-your-story-to-techradar-pro
======================================================================
Link to news story:
https://www.techradar.com/pro/from-risk-to-resilience-a-saas-providers-blueprint-for-financial-services-security
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)