In a rare and unequivocal open letter, Patrick Opet, Global CISO of JPMorgan Chase, delivers a clear message: the software industry’s approach to SaaS security is putting global systems at risk.
His warning is not theoretical. It is grounded in hard operational reality – and directed squarely at the vendors who form the digital supply chain that modern businesses rely on.
“The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers… and weakening the global economic system.” – Patrick Opet, JPMorgan Chase
This is not a general statement of concern – it’s a directive to stop treating security as someone else’s problem, and to stop building systems that shift the burden onto customers to defend the product.
In the letter, Opet outlines what should now be baseline expectations for any SaaS vendor selling into regulated or enterprise environments:
- Secure by default, not opt-in
- Clear separation of authentication and authorization
- Built-in visibility into token usage and integrations
- Ownership of upstream and third-party risks
- Resilience by design, including isolation and recovery
- And a willingness to slow down when security requires it
These aren’t stretch goals. They’re table stakes for participating in today’s software economy.
Why This Moment Matters
This letter is more than a policy statement from a large enterprise buyer. It’s a visible turning point in how software security is being evaluated in the marketplace.
The supply chain has changed. SaaS applications now depend on dozens of third-party services: identity providers, billing engines, data stores, container registries, observability platforms, CI/CD systems, and more. Each integration introduces a new attack surface – and a new layer of complexity that most customers never see.
“It’s not uncommon to find modern SaaS offerings utilizing scores of separate SaaS services to deliver their own product.” – Patrick Opet
This growing interdependence means that security lapses no longer stay contained. Even a single weak link – whether a misconfiguration, leaked token, or vulnerable third-party service – can put entire industries at risk.
That’s how attackers operate now: by slipping through the smallest, most easily overlooked points of entry, establishing a foothold, moving laterally, and then exploiting the very tools teams rely on to build. They target integrations, APIs, and downloads, anything that offers reach, and they prioritize systems with a large downstream blast radius. The goal isn’t just a breach; it’s maximum impact.
This is the real threat behind the warning. Attackers exploit overlooked connections and over-broad authorizations, steal unmonitored tokens, and pivot laterally across misaligned trust boundaries. A weakness in one link becomes a breach across the chain.
It’s not just an operational failure. It’s a risk multiplier. And the market is no longer willing to tolerate it.
The Supply Chain Risk Is Real and Rising
The 2025 Verizon Data Breach Investigations Report (DBIR) underscores this point with hard numbers: third-party involvement in breaches has doubled, from 15% to 30% in the last year alone.
That spike is not coincidental. It reflects exactly the pattern that JPMorgan’s CISO is calling out – the silent expansion of risk through SaaS integrations and insufficiently secured dependencies.
What was once a matter of internal controls is now a systemic issue that affects everyone who touches the stack.
The Industry Is Moving – and Buyers Are Leading
This shift is no longer being driven by regulators alone. It is being enforced by procurement teams, security review boards, and enterprise customers who have grown tired of asking the same questions and getting vague answers.
Security is no longer a downstream checkbox. It’s a signal of engineering discipline. A proxy for trust. A way for buyers to assess not just the functionality of your platform – but the reliability and resilience of your organization.
It’s why questions about access boundaries, token rotation, incident response, and logging are showing up before the first proof-of-concept is signed.
And it’s why teams that fail to meet those expectations are increasingly left out of the conversation.
Security Is the Standard, Not the Tradeoff
For startups, especially those selling into security-conscious markets, this shift may feel like a constraint. But it’s also a competitive advantage.
Companies that build with secure architecture from the start aren’t just mitigating risk. They’re enabling faster sales cycles, smoother compliance processes, and stronger alignment with enterprise buyers.
They’re removing friction – because the foundation is already aligned with what the market expects.
This is what the JPMorgan letter makes explicit: the next generation of software companies will not be those that move fastest at all costs. They will be the ones that move fast while meeting the bar for security, transparency, and operational maturity from day one.
The message is clear: Security isn’t a phase. It’s the foundation. And it’s time for the industry to catch up.
NXT1 LaunchIT: The Fast Track to Secure, Trusted SaaS Delivery
At NXT1, we built LaunchIT to help SaaS teams meet these rising security expectations without slowing down development. LaunchIT is a secure-by-design SaaS delivery platform that automates cloud infrastructure, security controls, and operational readiness – freeing your team to concentrate on product instead of platform plumbing.
With tenant isolation, access management, centralized logging, and compliance-ready architecture built in, LaunchIT gives startups the secure foundation they need to earn enterprise trust – before the first security questionnaire ever arrives.
Get started with a free trial at nxt1.cloud/free-trial