Why JP Morgan Chase’s Patrick Opet’s letter at RSAC hit a nerve

COMMENTARY: One of the most talked-about moments at the RSA Conference (RSAC) this year wasn’t a product launch or a keynote. It was a letter.

Patrick Opet, chief information security officer of JP Morgan Chase, published an open letter to third-party suppliers on the first day of the conference.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

His message was blunt: Get your act together. Opet’s letter called out the lack of reliability, accountability, and transparency from too many cybersecurity and SaaS vendors. For many security leaders, it put words to a frustration that’s been simmering for years: we’re spending more than ever on tools, and yet we still can't answer basic questions during an incident.

The letter was more than a complaint — it was a call to arms. And judging by the conversations it sparked at RSAC and on LinkedIn, it hit a nerve.

A supply chain built on blind trust

Opet’s core message was clear: third-party SaaS vendors now play a critical role in enterprise security postures, but many are falling short of the responsibility that role demands. “SaaS has become the default,” he wrote, “embedding concentration risk into global critical infrastructure.”

This model delivers speed and convenience, but it also creates new single points of failure. When a major SaaS provider goes down or gets breached, the impact ripples through thousands of connected customers. JP Morgan Chase knows this firsthand. Over the past three years, the bank has dealt with multiple incidents across its supply chain, forcing it to isolate compromised vendors and redirect massive internal resources to mitigate cascading threats.

Opet’s letter highlights a fundamental asymmetry: Vendors hold the keys, but customers bear the consequences.

The need for visibility

The most immediate and solvable issue raised in Opet’s letter — and echoed in dozens of LinkedIn comments — was the lack of usable logging and visibility from vendors. As one commenter put it: “It’s absolutely critical that SaaS providers stop thinking of things like logging and SSO as additional SKUs.”

That sentiment has been backed by data. In a recent analysis of 70 popular SaaS platforms by our research team:

The data shows that it’s not just a compliance concern, but an operational one. When an API key gets compromised or an OAuth token gets used to exfiltrate sensitive customer data, most security teams are effectively blind. Logs may not exist, are often incomplete, or may misattribute actions to the wrong identity.

Token sprawl and non-human identity risk

Opet and many in his network also called out the rising risk from non-human identities through OAuth tokens, API keys, and AI automations. These identities often have extensive, persistent access to sensitive data, and unlike user accounts, they typically lack MFA, expiration dates, or any kind of behavioral monitoring.

When these non-human identities are compromised, they are often used silently for weeks or months. One contributor to the discussion called this “the silent threat of SaaS,” and again, logging gaps make it worse. Even when activity is logged, it’s often attributed to the wrong entity, such as a user session ID instead of the actual automation or integration that initiated the request.

The result: misattribution, missed alerts, and missed breaches.

So what’s the solution? Opet calls on vendors to embrace secure-by-default configurations, give customers meaningful control over data access, and provide continuous evidence of security control effectiveness, not just annual audit reports.

This isn’t a new wish list: it’s a baseline expectation. The shift from "secure by design" slogans to "secure-by-default" architectures is long overdue. As Opet writes: “The most effective way to begin change is to reject these integration models without better solutions.”

Real change needs to come from buyers insisting that SaaS vendors do better.

Where we go from here

The letter has already sparked a wave of support and a sense of collective momentum, but talk isn’t enough. If we want to avoid the next Okta, MOVEit, or Snowflake-level breach, we must act decisively.

Here are four steps security leaders can take today:

Patrick Opet’s letter didn’t just express frustration: it lit a fire. His call for accountability has already moved teams into action and raised expectations. This will take a partnership.

It’s time to raise the bar for the entire industry: together.

Amir Khayat, co-founder and CEO, Vorlon

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.