JPMorgan Chase CISO Warns of Rising Software Supply Chain Risk

Software supply chains are increasingly a prime target for attackers, prompting organizations to reevaluate their digital risk strategies. With the spread of software-as-a-service models and growing reliance on open-source components, many businesses now face a larger attack surface than their own code alone would present. JPMorgan Chase's Chief Information Security Officer, Patrick Opet, addressed this issue at the RSA Conference 2025, urging the industry to rethink its approach to software security.

While financial institutions have traditionally led in cybersecurity investment, they must now confront the fact that third-party code can expose their systems to major breaches. Even a well-defended internal environment can be compromised through a vulnerability inherited from an external dependency.

JPMorgan Chase's perspective on software supply chain vulnerabilities

During his RSA address, Opet emphasized the need to raise the security posture of software vendors. Recent incidents, such as the exploitation of third-party tools by Silk Typhoon, have revealed deep weaknesses in the digital supply chain. Opet called on software developers and vendors to adopt a secure-by-design approach, embedding security practices from the start of the development process. This includes transparent documentation of code components through software bills of materials (SBOMs), better oversight of dependencies, and end-to-end encryption across development environments.

The role of third-party vendors in software supply chain security

Reliance on third-party vendors is now standard practice across the financial sector. These external tools and platforms support a wide array of operations, from mobile banking to internal analytics. However, each one also adds an entry point an attacker can use.
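The SBOM-based dependency oversight Opet calls for, as an added example that is not part of the original article and not JPMorgan Chase's or any vendor's tooling: a small Python check that parses a CycloneDX-style SBOM and cross-references each component's package URL (purl) against an advisory list, reporting affected versions and, separately, components that carry no purl and therefore cannot be resolved at all. The SBOM document, the package names (acme-http, acme-json, acme-crypto, vendored-blob), the advisory IDs (EXAMPLE-0001 to EXAMPLE-0003) and their version ranges are all constructed for illustration; the version comparison is a simplified dotted-integer ordering, not full PEP 440 or semver.

```python
"""Cross-check a CycloneDX-style SBOM against an advisory list.

Added example for this article; not code from JPMorgan Chase or any vendor.
The SBOM, the package names and the advisory entries below are constructed.
Version ordering is simplified to dotted integers, which is enough for the
sample but does not handle pre-release or build tags.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX 1.5 JSON fragment (only the fields this check needs).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-http", "version": "2.4.1",
         "purl": "pkg:pypi/acme-http@2.4.1"},
        {"type": "library", "name": "acme-json", "version": "1.0.3",
         "purl": "pkg:pypi/acme-json@1.0.3"},
        {"type": "library", "name": "acme-crypto", "version": "3.2.0",
         "purl": "pkg:pypi/acme-crypto@3.2.0"},
        # No purl: a real gap in "transparent documentation"; cannot be matched.
        {"type": "library", "name": "vendored-blob", "version": "unknown"},
    ],
})

# Constructed advisories keyed by purl without a version. IDs are placeholders.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl": "pkg:pypi/acme-http",
     "introduced": "2.0.0", "fixed": "2.4.2"},
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/acme-json",
     "introduced": "0.9.0", "fixed": "1.0.3"},   # 1.0.3 is the fixed release
    {"id": "EXAMPLE-0003", "purl": "pkg:pypi/acme-crypto",
     "introduced": "3.0.0", "fixed": None},      # no fix published yet
]


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory: str              # advisory id, or "UNRESOLVABLE" when no purl
    fixed_in: Optional[str]


def parse_version(v: str) -> tuple:
    """Dotted-integer version into a comparable tuple; non-numeric parts -> -1."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def split_purl(purl: str) -> tuple:
    """'pkg:pypi/acme-http@2.4.1' -> ('pkg:pypi/acme-http', '2.4.1')."""
    base, _, version = purl.partition("@")
    return base, version


def load_components(sbom_text: str) -> list:
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def is_affected(version: str, advisory: dict) -> bool:
    """Affected if introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def check_sbom(sbom_text: str, advisories: list) -> list:
    """Return one Finding per (component, advisory) match, plus UNRESOLVABLE
    entries for components that have no purl to match on."""
    by_purl: dict = {}
    for adv in advisories:
        by_purl.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp in load_components(sbom_text):
        purl = comp.get("purl")
        if not purl:
            findings.append(Finding(comp.get("name", "?"),
                                    comp.get("version", "?"),
                                    "UNRESOLVABLE", None))
            continue
        base, purl_version = split_purl(purl)
        version = comp.get("version") or purl_version
        for adv in by_purl.get(base, []):
            if is_affected(version, adv):
                findings.append(Finding(comp["name"], version,
                                        adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for f in check_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        fix = f"fixed in {f.fixed_in}" if f.fixed_in else "no fix available"
        print(f"{f.component} {f.version}: {f.advisory} ({fix})")
```

On the constructed input this flags acme-http 2.4.1 (below the 2.4.2 fix), acme-crypto 3.2.0 (affected with no fix, so the only options are a compensating control or removal) and vendored-blob as unresolvable, while acme-json 1.0.3 passes because it is the fixed release itself. The unresolvable case is the one worth watching in practice: an SBOM entry with no package identifier satisfies the letter of "documented components" while defeating any automated vulnerability check.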
Events like the SolarWinds breach underscored the systemic risk of poorly vetted suppliers. In response, JPMorgan Chase now imposes strict requirements on its software partners, including adherence to federal cybersecurity standards and real-time vulnerability reporting.

Implementing secure-by-design principles in software development

The secure-by-design philosophy treats security as a core design requirement rather than a property to be audited in after the software is finished; it calls for security checks at every phase of development. JPMorgan Chase expects its software providers to conduct threat modeling, maintain robust testing, and deploy features such as confidential computing, which protects data while it is being processed rather than only at rest or in transit. These practices limit exposure and shorten the time needed to detect and respond to an incident.

Opet closed his remarks by advocating greater collaboration across the public and private sectors. No single company can shoulder the burden of software supply chain security alone; shared threat intelligence, standardized practices, and joint response frameworks are essential. Technology is also evolving to support this effort: tools that trace software provenance, enforce zero-trust policies, and flag anomalies with machine learning are becoming more capable. These advances, combined with a cooperative mindset, offer a practical path forward.

Sources: Info Security Magazine
15 May 2025, sarahrudge