JP Morgan Warns Suppliers of SaaS Risks in Open Letter

02 May 2025

JP Morgan released an open letter in April to suppliers, highlighting the risks linked to the SaaS delivery model. With significant concentration risks tied to key vendors and intense pressure to rapidly deliver new features and products, maintaining strong security must be a top priority for third-party providers.

Third-party suppliers are crucial to a comprehensive, efficient, and adaptable FCC approach, but risks such as privileged access to customer systems, hidden fourth-party dependencies, and insecure authentication methods can leave firms vulnerable to exploitation and create critical points of failure.

At Plenitude Consulting, we’ve observed some key trends in this area:

➡️ Greater scrutiny from 1st line control owners on FCC system security and the robustness of contingencies in the event of system outages;

➡️ Growing discussions around contingency planning with operations and financial crime teams to ensure firms can quickly adapt to new systems and processes, reducing sole reliance on a single system or vendor;

➡️ Increasing involvement from InfoSec teams in shaping FCC system requirements to ensure secure technology integration and stronger operational resilience.

💡 As the letter highlights, FCC software providers must deliver comprehensive security as standard, along with clear, ongoing evidence that controls are working effectively.

💡 Strengthening collaboration between InfoSec and 1st line systems teams will be critical to achieving a comprehensive risk mitigation approach, enhancing security, operational resilience, and the effectiveness of FCC frameworks.