The Business & Technology Network
Helping Business Interpret and Use Technology

Analysis: Financial Supply Chains Are Only as Strong as Their Riskiest Vendors

DATE POSTED: May 5, 2025

Any supply chain is only as strong as its riskiest vendor.

When a vendor is offline, out of stock or compromised in some way, the vulnerabilities have negative ripple effects across all manner of firms, right down to the end customers.

The same is true with financial supply chains, and specifically banks, where the vendors are tech firms providing the software (and hardware) that puts the infrastructure in place to underpin money movement.

J.P. Morgan Chase Chief Information Security Officer Patrick Opet said in an open letter last week that the banking giant’s software-as-a-service (SaaS) providers are vulnerable, at risk for hacks and cyberattacks — and they need to shore up those risks.

Risks Include Services and Authentication

In the letter to third-party providers, Opet said that among the risks, there “are specific vulnerabilities intrinsic to this new landscape,” wherein the software is delivered to banks and corporates via SaaS models.

They include “inadequately secured authentication tokens vulnerable to theft and reuse; software providers gaining privileged access to customer systems without explicit consent or transparency; and opaque fourth-party vendor dependencies silently expanding this same risk upstream,” Opet said in the letter. “Critically, the explosive growth of new value-bearing services in data management, automation, artificial intelligence and AI agents amplifies and rapidly distributes these risks, bringing them directly to the forefront of every organization.”

“We stand at a critical juncture,” per the letter. “Providers must urgently reprioritize security, placing it equal to or above launching new products.”

The SaaS providers themselves depend on their own (sometimes vulnerable) third-party relationships (aka the fourth-party relationship).

“Today, an attack on one major SaaS or [platform-as-a-service (PaaS)] provider can immediately ripple through its customers,” Opet said in the letter. “This fundamental shift demands our collective immediate attention. At J.P. Morgan Chase, we’ve seen the warning signs firsthand. Over the past three years, our third-party providers experienced a number of incidents within their environments. These incidents across our supply chain required us to act swiftly and decisively, including isolating certain compromised providers and dedicating substantial resources to threat mitigation.”

Opet pointed to the need for sophisticated authorization and advanced detection capabilities.

“The operating rules that keep you out of trouble and mean success versus failure are different now,” Ingo Payments CEO Drew Edwards told PYMNTS in December, adding that “what’s changing are the rules around how banks play with FinTechs.”

BaaS Model Carries Inherent Risks

Within financial ecosystems, the SaaS model includes banking as a service (BaaS) and can link businesses and platforms with payment and banking features.

“While the BaaS model is attractive to banks and tech companies for its potential to scale quickly and reduce barriers to entry, it carries inherent risks,” PYMNTS wrote Monday (May 5). “Unlike traditional banks, which maintain direct customer relationships, BaaS sponsor banks often serve as the back-end platform, relying on third-party FinTechs to onboard customers, manage compliance processes and monitor transactions. This fragmentation of responsibility is what makes the model efficient, yet it also is what makes it vulnerable to compliance lapses.”

There’s recognition of some of the vulnerabilities of relying on outside providers. The PYMNTS Intelligence report “How Fraud Fears Impact FIs’ Adoption of Faster Payment Solutions” found that among financial institutions using cloud-based fraud and financial crime prevention platforms, 41% said the benefits of open banking outweigh the risks, which left a majority who said the opposite.

The Federal Deposit Insurance Corp. reported in March through its Inspector General audit that the number of problem banks remains elevated (and the problems can be operational in scope). They face threats from cyberattacks and vulnerabilities in third-party relationships. The number of problem banks most recently stood at 66, with total assets on hand of $87.3 billion. Those figures were up sharply from the 44 similarly defined institutions with $54.5 billion in assets seen in the previous year.

“Currently the FDIC faces risks in ensuring that it has examiners with the requisite skillsets to perform IT examinations using existing examination procedures,” the FDIC said.

That places even greater importance on financial institutions and enterprises taking stock of the vulnerabilities inherent in their financial supply chains.

The post Analysis: Financial Supply Chains Are Only as Strong as Their Riskiest Vendors appeared first on PYMNTS.com.