By Martin Greenfield
7 July 2025
Response to JP Morgan’s Open Letter
JPMorgan has raised the alarm on the growing threat posed by modern software integration models. The global finance corporation released an open letter to its technology suppliers as a call for them to modernize their security or risk being cut off. It’s a bold, necessary move in an era where one weak link can unravel an entire organization’s cyber defenses.
Security architecture must be modernized to keep pace with growing threats and ensure organizations can continue to operate safely. However, as we well know, visibility is the bedrock of any resilient security strategy. Without full, real-time insight into all assets, especially those brought in by third-party suppliers, organizations are effectively flying blind. Recent high-profile breaches in the retail sector have shown us that even the most sophisticated enterprises are vulnerable when blind spots exist in their supply chains.
So while the open letter places a lot of emphasis on third parties and their role in supply chain security, it shouldn’t divert responsibility away from businesses themselves. Organizations must take ownership and enforce compliance and security standards across their supplier ecosystem. When disaster strikes, it doesn’t matter where the fault lies; it’s only the victim who suffers.
Martin Greenfield
CEO of Quod Orbis.
Third-party risk is first-party responsibility
Expecting every supplier to meet high security standards is only part of the equation. Businesses can’t enforce what they can’t see, and right now, many don’t have real-time visibility into their own assets, let alone those of their partners.
The problem is, too many are still burying their heads in the sand. Many senior executives cling to the dangerous assumption that “the IT team has it covered” or that cyber insurance will magically fix everything after an attack. History is plagued by organizations who underinvested, or perhaps more accurately mis-invested, in cyber resilience and failed to properly understand the risk until they were dealing with a full-blown crisis.
Attacks on retail giants like Target and more recently M&S and the Co-op have shown us what happens when third-party risk is underestimated. These aren’t startups with immature IT; they’re household names with serious resources. And still, the breach came through third-party access points.
Some businesses are genuinely overwhelmed by the technical complexity and competing priorities, but others have simply been lulled into complacency by years of dodging cybersecurity incidents through sheer luck rather than good management.
But it’s not always deliberate ignorance. It often comes down to decision paralysis, where leaders are confronted with an intimidating wall of threats and solutions and simply don’t know where to begin. This is often combined with a reluctance to spend money when they themselves haven’t experienced an attack. The easiest approach therefore ends up being to delay making a decision. However, this inaction just allows security gaps to grow larger by the day as attackers refine their methods.
The unfortunate reality is that many businesses only develop robust cybersecurity practices after suffering a significant breach, when the damage is already done.
Don’t invest in more tools; invest in smarter architecture
Boosting cyber resilience is not about adding more tools to an already extensive tech stack; it’s about ensuring that every part of that stack functions cohesively. Collectively, we need less complexity, more clarity and above all, the ability to continuously control. That’s how to build security that lasts.
At a minimum, cybersecurity should be treated like safety or finance at board level: as something that is supported by automation and continuously monitored and managed. It starts with visibility. Full, continuous visibility across the entire tech stack, including third-party integrations, is the only way to manage modern threat paths. It’s not enough to trust a supplier’s word. You need evidence, you need monitoring, and you need to know the moment something changes.
Regulatory compliance also places huge importance on third-party risk, which should be a big indicator that organizations need to take proactive steps to ensure that their third parties are secure. The Digital Operational Resilience Act (DORA), the Financial Conduct Authority (FCA), ISO 27001 and NIS 2 all mandate that third-party risk is now a core compliance requirement.
So, while the knee-jerk response to JPMorgan’s letter might be to bolt on yet another tool, more tech isn’t always the answer. In reality, it often just adds complexity which works against businesses looking for greater cyber resilience.
Take ownership of your security
Managing third-party risk isn’t something businesses can shift to their suppliers. Instead, the board must listen to their cyber teams, who are crying out for the right systems and support. Only then can they take control and ensure they have the ability to monitor systems continuously, align security frameworks and surface evidence of compliance and risk in real time. That’s where the future of cybersecurity lies, and it will help them prepare for whatever new threats emerge.
If you’re still relying on supplier questionnaires and periodic audits to manage third-party risk, you’re already behind. Working with third parties is a two-way street and requires ongoing collaboration. Businesses are just as responsible for their own security, and must proactively hold partners accountable for their end. JPMorgan’s letter is a wake-up call, but the response shouldn’t be panic. It should be clarity and control.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Martin Greenfield is CEO of Continuous Controls Monitoring solutions provider, Quod Orbis.