On April 25, 2025, Patrick Opet, CISO of JPMorgan Chase, issued an open letter to technology providers, urging the industry to address growing concerns about software supply chain security. His message emphasized the increasing operational and systemic risks associated with SaaS providers, particularly in highly regulated sectors like financial services.
As a provider of reconciliation and data management software to over 100 financial institutions, we at AutoRek welcome this opportunity to reflect on how we’re supporting our customers in an evolving risk and regulatory landscape. In particular, Opet’s call aligns with a wider industry shift—spurred by frameworks such as the EU’s DORA and the UK’s CTP regime—toward greater transparency, accountability, and operational resilience.
Rather than critique or posture, our aim here is to share how AutoRek’s model supports this direction, and how our flexible deployment approach provides a meaningful alternative to “one-size-fits-all” SaaS strategies.
-
Supporting Resilience Through Deployment Choice
A key concern raised in the open letter is the industry’s growing reliance on single deployment models that can introduce concentration risk. Many SaaS providers operate solely in multi-tenant environments with shared infrastructure and common update cycles—an approach that can create efficiencies, but may not suit all customers’ control or compliance requirements.
At AutoRek, we’ve taken a different path. Our platform is designed to offer deployment flexibility—whether that’s via public cloud, private cloud, or on-premises. We support both single-tenant and hybrid models, giving our clients greater control over how and where their data and workloads are managed.
This flexibility doesn’t come at the expense of innovation. Our release cycles are structured to give customers clarity and choice around when to adopt updates, with rigorous testing built into the process. In sectors where operational continuity is mission-critical, this control can be just as important as feature velocity.
-
Reducing Supply Chain Complexity
Opet’s letter also touches on the systemic risks posed by opaque third-party dependencies. In this regard, we’ve taken a conservative approach to supply chain design, minimizing reliance on external services in the delivery of our core application.
Where we do rely on cloud infrastructure, we apply robust business continuity and disaster recovery planning, including real-time replication across regions. We actively monitor our providers and maintain the transparency needed to support regulatory expectations around fourth-party oversight.
We believe that resilience is about more than just technical architecture—it’s about building a culture of preparedness, and ensuring our clients are confident in how their data is managed, stored, and protected.
-
Continuous Assurance, Not Annual Compliance
Another theme highlighted is the insufficiency of annual certifications as a stand-alone assurance model. We agree that frameworks like ISO 27001 and SOC 2 should be foundational—but not the end of the story.
That’s why AutoRek supports ongoing client audits and due diligence, and encourages proactive engagement between our teams and our clients’ governance, risk, and compliance (GRC) functions. Security and resilience aren’t one-off milestones—they are continuous, evolving responsibilities.
-
Enabling Secure, Governed Use of AI
The growing use of AI across the software landscape brings new opportunities—and new responsibilities. At AutoRek, we are integrating AI features in areas such as anomaly detection and process automation, always with clear governance and internal risk oversight.
For regulated firms, assurance around how AI is deployed, tested, and controlled is critical. We ensure that any AI capabilities within our platform are developed with transparency, control, and compliance at the forefront.
Final Thoughts
The message from JPMorgan Chase serves as an important reminder: as technology providers, we are an extension of our customers’ risk environments. Our role is not just to deliver functionality—it’s to help our clients operate safely, confidently, and compliantly in an increasingly complex world.
At AutoRek, our commitment is to provide the flexibility, transparency, and resilience that financial services firms need to navigate today’s evolving regulatory expectations. Whether through our hybrid deployment options, our hands-on approach to customer collaboration, or our continuous focus on quality and assurance, we aim to be a partner our clients can trust—release after release.
If you’re reviewing your software supply chain or preparing for upcoming regulatory changes, we’d be glad to share how we can help.
Contact us to learn how AutoRek delivers secure SaaS for financial services.
By Leahn Parry, Head of Governance, Risk and Compliance, AutoRek