The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and – as its adoption grows – is creating a substantial vulnerability that is weakening the global economic system.

• Software providers must prioritize security over rushing features. Comprehensive security should be built in or enabled by default.
• We must modernize security architecture to optimize SaaS integration and minimize risk.
• Security practitioners must work collaboratively to prevent the abuse of interconnected systems.

There is a growing risk in our software supply chain and we need your action

SaaS has become the default and is often the only format in which software is now delivered, leaving organizations with little choice but to rely heavily on a small set of leading service providers, embedding concentration risk into global critical infrastructure. While this model delivers efficiency and rapid innovation, it simultaneously magnifies the impact of any weakness, outage, or breach, creating single points of failure with potentially catastrophic systemwide consequences. Historically, software was distributed across diverse environments, each with unique security practices, inherently limiting the scale of any single breach. Today, an attack on one major SaaS or PaaS provider can immediately ripple through its customers. This fundamental shift demands our collective immediate attention.

At JPMorganChase, we’ve seen the warning signs firsthand. Over the past three years, our third-party providers experienced a number of incidents within their environments. These incidents across our supply chain required us to act swiftly and decisively, including isolating certain compromised providers, and dedicating substantial reso