Learn why ‘security over speed’ is critical for life sciences vendors and how modern TPRM programs mitigate real-world cyber risks and regulatory threats
Introduction: A Wake-Up Call for Vendor Security
In April 2025, J.P. Morgan’s Chief Information Security Officer issued an open letter to software suppliers emphasizing “security over speed”. The message was clear: rushing new features to market means nothing if weak security in the vendor ecosystem ends up disrupting global businesses. This warning resonates far beyond banking. In the life sciences industry, where pharmaceutical manufacturers, biotech firms, and healthcare organizations increasingly rely on third-party technology and service providers, the stakes are just as high. Recent studies show that 61% of companies experienced a third-party data breach or security incident in the past year, a 49% jump over prior years. Healthcare and life sciences are especially at risk – fully 35% of third-party breaches in 2023 affected healthcare organizations, more than any other sector. These numbers are alarming for senior leaders overseeing critical drug development, patient data, and supply chains.
For life sciences, the takeaway is simple: third-party risk management (TPRM) can no longer be an afterthought. You might have world-class internal security, but a vulnerability in a vendor’s system or a rushed deployment by a supplier can jeopardize patient safety, intellectual property, regulatory compliance, and your company’s reputation in one blow. In this post, we respond to J.P. Morgan’s call to arms and explore how a modern TPRM program – with continuous monitoring, risk-based vendor tiering, structured onboarding, and built-in regulatory compliance – is essential to protecting the life sciences ecosystem. We’ll examine real-world examples of third-party cybersecurity failures from 2023 onward, and show how a robust TPRM program could have mitigated or even prevented these incidents.
Responding to J.P. Morgan: “Security Over Speed” in the Vendor Ecosystem
J.P. Morgan’s open letter set the tone: software vendors “must prioritize security over rushing features”. In other words, speed to market cannot come at the expense of cybersecurity. This sentiment rings true in life sciences, where digital innovation (from cloud-based clinical trial platforms to AI analytics tools) is accelerating. As an executive, you likely feel pressure to adopt new solutions quickly to stay competitive. However, J.P. Morgan’s experience shows the cost of overlooking vendor security. Over the past three years, J.P. Morgan witnessed multiple incidents among its third-party providers, forcing the bank to isolate compromised vendors and deploy substantial resources to mitigate threats. In one publicized case, a third-party software flaw exposed sensitive records of nearly half a million retirement plan participants. In another, a faulty update from a vendor (CrowdStrike) cascaded into an international IT outage that disrupted airlines, healthcare systems, and financial services in July 2024 – all because a critical supplier’s software failed.
The lesson for life sciences is that our industries are deeply interconnected through third parties, too. Whether it’s a cloud EDC (Electronic Data Capture) system for clinical trials, a contract manufacturing organization’s IT network, or a software component embedded in a medical device, a single weak link can ripple outward. We must demand the same “security by default” ethos from our suppliers. Put plainly: If a vendor cannot meet your security and compliance standards, they shouldn’t be onboarded – no matter how innovative or fast their solution is. In practice, that means building security and compliance checkpoints into vendor selection and onboarding (e.g. requiring penetration test results or regulatory compliance attestations from vendors before contracts are signed) and holding vendors accountable through ongoing monitoring. Embracing “security over speed” may occasionally slow a deployment down, but it dramatically lowers the risk of a catastrophic vendor-related incident. And as we’ll see, those incidents are very real in our sector.
The Real-World Fallout of Weak Third-Party Cybersecurity
Third-party cybersecurity failures are not theoretical – they are happening in life sciences with increasing frequency, often with devastating results. When a vendor’s security lapses, it can directly compromise your data and operations.
For example:
- DM Clinical Research (2025): In February 2025, a Texas-based clinical trial network inadvertently exposed an enormous database of patient records. A cybersecurity researcher discovered a misconfigured, non-password-protected cloud database belonging to DM Clinical Research that left over 2 terabytes of sensitive medical data publicly accessible. More than 1.6 million clinical trial records were exposed, including patient names, contact info, health histories, medications, and even sensitive mental health and reproductive health details. While the company secured the database within 24 hours of notification, it’s unknown how long this data was out in the open or whether malicious actors accessed it. This breach starkly illustrates how a single third party (in this case, a Contract Research Organization, or CRO, that specializes in multi-therapeutic clinical trials) can create massive privacy and compliance risks.
- Optum (2024): In February 2024, hackers targeted a major healthcare technology provider’s third-party systems, and the fallout was felt across the United States. Change Healthcare (now part of Optum) is an IT vendor integral to pharmacy benefit and healthcare payment workflows. Attackers exploited weak access controls in a vendor application, breaching Change Healthcare’s network and accessing 145 million sensitive patient records. The incident shut down critical pharmacy prescription systems nationwide, as pharmacies found themselves unable to process insurance claims or retrieve electronic medical data for days. Patients couldn’t get prescriptions filled on time, and hospitals faced backlogs – a direct patient care impact caused by a vendor breach. Change Healthcare had to publicly apologize, offer credit monitoring to victims, and urgently review its vendor relationships to improve security. This example highlights two key risks: the data breach itself (loss of confidentiality) and the operational disruption (loss of availability) due to a third-party outage.
- Cencora (AmerisourceBergen) (2024): In February 2024, global drug distributor AmerisourceBergen – rebranded as Cencora – announced that hackers had exfiltrated data from its internal systems, some of which contained sensitive information. While full details are still emerging, this breach raised alarms because Cencora is a linchpin in the pharmaceutical supply chain. Not only might confidential business data have been stolen, but such an attack could potentially disrupt the distribution of medicines. (Indeed, later in 2024, a ransomware attack on a German pharma wholesaler did threaten medicine supplies to thousands of pharmacies.) The Cencora incident shows that even your most trusted partners can be hit – and if those partners hold your data or handle critical operations, your organization faces the consequences. It’s a reminder that TPRM isn’t just about protecting patient data; it’s also about ensuring supply chain resilience.
These examples drive home a critical point: insufficient third-party oversight can lead to real-world consequences – massive data exposures, multimillion-record breaches, operational paralysis, regulatory scrutiny, and harm to patients. The cascading effect is evident: as one industry observer noted, hackers are increasingly targeting pharmaceutical companies through third-party vendors, causing cascading disruptions to drug manufacturing, clinical trials, and supply chain logistics. In each of the cases above, a well-structured TPRM program could have either prevented the incident or drastically reduced the impact.
Beyond Checklists: The Limitations of Static Vendor Assessments
Many organizations still manage third-party risk with a “check-the-box” mentality – for example, sending out annual security questionnaires or requiring vendors to sign a compliance attestation once and filing it away. The truth is that static, point-in-time assessments are no longer sufficient to secure today’s dynamic vendor ecosystem. Threats evolve rapidly, and a vendor that looked safe a year ago might introduce new vulnerabilities tomorrow (through a software update, a misconfiguration, or a lapse in monitoring). As a result, vendor risk management can’t be a one-time task. Industry experts stress that a one-time security assessment is insufficient to ensure security throughout your vendor landscape – continuous monitoring is essential.
The reality is that vendor environments change constantly. New software features are released, integrations are added, systems are reconfigured, and staff turnover occurs—all of which can introduce new vulnerabilities. A vendor that met your standards six months ago may unknowingly become a liability today. Threat actors know this. They actively monitor vendor ecosystems for signs of weak patching, misconfigured services, and exposed assets that often go unnoticed between scheduled assessments.
Another limitation of static assessments is that they often rely on self-reported information from vendors. A vendor might complete a security checklist saying “we use encryption, we patch regularly” – but without validation or ongoing oversight, you have to trust that this remains true over time. Unfortunately, as seen in the examples above, vendors can fall out of compliance or suffer breaches unbeknownst to you until it’s too late. Continuous monitoring and real-time risk intelligence flip this script by providing independent data.
Regulatory Pressures: FDA, HIPAA, NIS2 and the Demand for Due Diligence
Regulatory bodies are tightening expectations for third-party cybersecurity and due diligence across life sciences. Non-compliance now carries the risk of fines, legal liability, or operational shutdowns. Key developments include:
- FDA: The FDA’s 2023 cybersecurity guidance emphasizes that medical device manufacturers must identify and mitigate cybersecurity risks associated with third-party software components. It recommends including a Software Bill of Materials (SBOM) and conducting vulnerability assessments for these components. Additionally, under the Quality System Regulation (21 CFR Part 820), manufacturers are required to validate software that impacts device safety and effectiveness, which encompasses third-party software used in GxP systems.
- HIPAA / HHS: The Health Insurance Portability and Accountability Act (HIPAA) mandates that covered entities and their business associates enter into Business Associate Agreements (BAAs) with vendors handling Protected Health Information (PHI). However, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) has clarified that merely having a BAA is insufficient. Covered entities must also verify that their vendors implement appropriate security measures to protect PHI.
- EU NIS2 & GDPR: NIS2 mandates supply chain cybersecurity assessments and breach reporting across pharma, medtech, and clinical research. GDPR holds companies accountable for vendor data protection failures. Life sciences firms must ensure their suppliers meet cybersecurity standards and contractual requirements.
Across FDA, HIPAA, NIS2, and GDPR, the message is clear: third-party oversight is no longer optional. Regulators expect organizations to identify vendor risks, enforce security standards, and maintain proof of compliance. A mature TPRM program reduces regulatory exposure and enhances audit readiness.
Building a Modern TPRM Program: What Good Looks Like
In today’s environment of evolving cyber threats, supply chain complexity, and intensifying regulatory scrutiny, Third-Party Risk Management (TPRM) is no longer a back-office function—it is a strategic imperative. Life sciences organizations must build resilient vendor ecosystems that can withstand operational, reputational, and regulatory shocks. Below are the six foundational pillars of a modern TPRM framework, tailored to the unique demands of clinical, regulatory, and GxP-sensitive environments.
1. Executive Support and Security-First Culture
TPRM success hinges on executive buy-in. Leadership must not only approve budgets but actively promote a “security over speed” philosophy throughout the organization. This means embedding third-party cybersecurity into corporate risk governance, treating vendor risk as part of enterprise risk—not just IT’s responsibility. TPRM leaders should deliver metrics that speak the language of business: financial exposure, operational dependency, and regulatory risk from critical vendors. Making third-party risk a standing item in board and risk committee meetings signals its priority and enables risk-informed decisions on procurement, partnerships, and digital innovation.
2. Vendor Inventory and Risk Tiering
You can’t manage what you don’t know. A comprehensive inventory of all third parties—including software providers, contract research organizations (CROs), cloud vendors, logistics partners, and contract manufacturers—is essential. Each vendor should be profiled by the types of data they handle, the systems they connect to, and their role in business-critical workflows. From this, organizations should apply a risk-based tiering model to categorize vendors by inherent and residual risk. Tiering determines assessment frequency, level of due diligence, and ongoing monitoring requirements. For example, a CRO managing eSource data and subject PHI will require more intensive oversight than a low-risk vendor providing non-production services.
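The tiering logic described above can be made concrete in a few dozen lines. The following is an added worked example, not USDM’s methodology or a published standard: inherent risk (most sensitive data class handled, level of system access, business criticality, GxP involvement) sets the tier; the tier fixes due-diligence depth and the reassessment interval; controls that have been evidenced (a reviewed report or certificate, never a bare questionnaire answer) reduce the residual score, which drives the onboarding decision. All weights, thresholds, control names and vendors are constructed assumptions.

```python
"""Risk-based vendor tiering with an assessment cadence (added worked example).

The scoring model is an illustrative assumption, not USDM's methodology or a
published standard. Inherent risk sets the tier; the tier sets due-diligence
depth and the reassessment interval; verified controls reduce the residual
score, which drives the onboarding decision. Weights, thresholds and vendors
below are constructed.
"""
from dataclasses import dataclass, field

# Assumed weights. Data sensitivity counts the most sensitive class handled.
DATA_WEIGHTS = {"public": 0, "pii": 3, "trial_data": 4, "ip": 4, "phi": 5}
ACCESS_WEIGHTS = {"none": 0, "read": 2, "write": 4, "privileged": 6}
CRITICALITY_WEIGHTS = {"low": 0, "medium": 2, "high": 4, "critical": 6}
GXP_SURCHARGE = 3

# Credit per control, counted only when evidence (a report or certificate) was
# reviewed, never on a self-reported questionnaire answer alone.
CONTROL_CREDITS = {
    "soc2_type2": 3, "iso27001": 3, "hitrust": 4, "pentest_last_12m": 2,
    "baa_signed": 1, "breach_notification_clause": 1,
}

# (minimum inherent score, tier, reassessment interval in months, due diligence)
TIERS = [
    (12, "Tier 1 (critical)", 6, "full assessment, pentest evidence, cloud posture review, audit rights"),
    (7, "Tier 2 (high)", 12, "questionnaire, certification review, security contract clauses"),
    (3, "Tier 3 (medium)", 24, "questionnaire and certification review"),
    (0, "Tier 4 (low)", 36, "basic questionnaire"),
]

REMEDIATE_AT = 12   # residual at or above this: evidence gaps must close first
CONDITIONS_AT = 7   # residual at or above this: onboard with contractual conditions


@dataclass
class Vendor:
    name: str
    data_types: set
    access: str
    criticality: str
    gxp: bool = False
    verified_controls: set = field(default_factory=set)


def inherent_score(v: Vendor) -> int:
    """Inherent risk before any controls are credited."""
    data = max((DATA_WEIGHTS[d] for d in v.data_types), default=0)
    return (data + ACCESS_WEIGHTS[v.access] + CRITICALITY_WEIGHTS[v.criticality]
            + (GXP_SURCHARGE if v.gxp else 0))


def residual_score(v: Vendor) -> int:
    """Residual risk after evidenced controls, floored at zero."""
    credit = sum(CONTROL_CREDITS[c] for c in v.verified_controls)
    return max(0, inherent_score(v) - credit)


def tier_for(inherent: int) -> tuple:
    """Map an inherent score to (tier name, months between reassessments, due diligence)."""
    for threshold, name, months, diligence in TIERS:
        if inherent >= threshold:
            return name, months, diligence
    return TIERS[-1][1:]


def onboarding_decision(residual: int) -> str:
    if residual >= REMEDIATE_AT:
        return "remediate before onboarding"
    if residual >= CONDITIONS_AT:
        return "onboard with conditions (contract clauses, continuous monitoring)"
    return "approved"


def remediation_gap(v: Vendor) -> list:
    """Controls not yet evidenced, highest credit first: the evidence to request."""
    missing = set(CONTROL_CREDITS) - v.verified_controls
    return sorted(missing, key=lambda c: (-CONTROL_CREDITS[c], c))


def classify(v: Vendor) -> dict:
    inherent, residual = inherent_score(v), residual_score(v)
    tier, months, diligence = tier_for(inherent)
    return {"vendor": v.name, "inherent": inherent, "residual": residual, "tier": tier,
            "reassess_every_months": months, "due_diligence": diligence,
            "decision": onboarding_decision(residual)}


# Constructed sample vendors: a CRO handling eSource data and subject PHI, and
# a low-risk provider of non-production tooling.
CRO = Vendor("Example CRO (eSource + subject PHI)", {"phi", "trial_data"}, "write", "critical",
             gxp=True, verified_controls={"soc2_type2", "baa_signed"})
SANDBOX_VENDOR = Vendor("Example non-production tooling vendor", {"public"}, "read", "low")

if __name__ == "__main__":
    for v in (CRO, SANDBOX_VENDOR):
        print(classify(v))
        print("  request evidence for:", remediation_gap(v))
```

The design choice worth noting is that the tier is driven by inherent risk, not residual risk: a CRO holding subject PHI stays Tier 1 with a six-month cadence however many certificates it holds, while the residual score only decides whether it can be onboarded now, with conditions, or only after the evidence gaps that `remediation_gap` lists have been closed.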
3. Onboarding and Due Diligence
Vendor onboarding is the frontline of risk prevention. Modern TPRM programs go beyond checklists to conduct multi-layered due diligence tailored to the vendor’s risk tier. This includes security questionnaires, review of third-party certifications (e.g., ISO 27001, SOC 2, HITRUST), data protection agreements, and a risk analysis based on the vendor’s access, capabilities, and geographic footprint. For high-risk or regulated vendors—especially those involved in GxP systems or handling PHI—this may extend to penetration tests, cloud security posture reviews, and contract clauses enforcing breach notification, audit rights, and compliance obligations. Onboarding must also ensure that appropriate internal stakeholders (legal, compliance, security, IT) are part of the vetting process before contracts are signed.
4. Continuous Monitoring and Incident Response Planning
Static risk assessments miss what happens between reviews. Threat actors exploit precisely this gap. Continuous monitoring bridges it by providing real-time visibility into changes in a vendor’s security posture, public threat intelligence, breach disclosures, domain exposures, and vulnerability tracking. Alerts can reveal when a vendor’s infrastructure becomes exposed to new risks or when their systems appear in dark web or threat actor datasets. Organizations must also prepare for the inevitable: vendor breaches. A strong TPRM program includes predefined playbooks for third-party incidents, tabletop exercises with internal and vendor teams, and well-rehearsed escalation and containment protocols. This preparation can significantly reduce time to resolution and regulatory exposure when a breach occurs.
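To show what "real-time visibility into changes in a vendor’s security posture" looks like in practice, here is an added example (not code from USDM or any monitoring product) that diffs two posture snapshots of one vendor and turns adverse changes into tiered alerts, flagging the ones that should trigger the out-of-cycle reassessment discussed under ongoing governance. The signal fields, the list of sensitive services, the addresses (a documentation range) and the hostname are constructed assumptions; in a real program the snapshots would come from an external attack-surface or risk-intelligence feed and the tier from the vendor inventory.

```python
"""Continuous vendor monitoring as a posture-snapshot diff (added worked example).

Signals, vendors, addresses and thresholds are constructed; in practice the
snapshots would come from an external attack-surface or risk-intelligence feed
and the tier from the vendor inventory. The logic is an assumed design, not a
specific product's.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    taken: date
    exposed_services: frozenset   # "ip:port/service" strings reachable from the internet
    expired_certs: frozenset      # hostnames serving an expired TLS certificate
    open_critical_vulns: int      # unremediated critical findings reported by the feed
    breach_disclosed: bool        # vendor named in a public breach disclosure


@dataclass(frozen=True)
class Alert:
    vendor: str
    severity: str    # "high" or "medium"
    reason: str
    reassess: bool   # True when the change warrants an out-of-cycle reassessment


# Management and database services that should not be reachable from the
# internet; a new exposure of one is high severity for any tier (assumed list).
SENSITIVE_SERVICES = {"22/ssh", "3389/rdp", "1433/mssql", "5432/postgresql",
                      "27017/mongodb", "9200/elasticsearch"}


def diff_posture(vendor: str, tier: int, before: Snapshot, after: Snapshot) -> list:
    """Compare two snapshots of one vendor and return alerts for adverse changes.

    Severity is escalated for Tier 1/2 vendors, so the same finding on a
    critical CRO ranks above the same finding on a low-risk tooling vendor.
    """
    alerts = []
    for svc in sorted(after.exposed_services - before.exposed_services):
        sensitive = svc.split(":", 1)[1] in SENSITIVE_SERVICES
        severity = "high" if sensitive or tier == 1 else "medium"
        alerts.append(Alert(vendor, severity, f"new internet-exposed service {svc}",
                            reassess=sensitive))
    for host in sorted(after.expired_certs - before.expired_certs):
        alerts.append(Alert(vendor, "medium", f"expired TLS certificate on {host}",
                            reassess=False))
    new_vulns = after.open_critical_vulns - before.open_critical_vulns
    if new_vulns > 0:
        alerts.append(Alert(vendor, "high" if tier <= 2 else "medium",
                            f"{new_vulns} new unremediated critical finding(s)",
                            reassess=(tier == 1)))
    if after.breach_disclosed and not before.breach_disclosed:
        alerts.append(Alert(vendor, "high", "vendor named in a public breach disclosure",
                            reassess=True))
    return alerts


def needs_reassessment(alerts: list) -> bool:
    """True if any alert in the batch calls for an out-of-cycle reassessment."""
    return any(a.reassess for a in alerts)


# Constructed snapshots for a Tier 1 CRO, one month apart (203.0.113.0/24 is a
# documentation address range; the hostname is fictitious).
BEFORE = Snapshot(date(2025, 3, 1), frozenset({"203.0.113.10:443/https"}), frozenset(), 0, False)
AFTER = Snapshot(date(2025, 4, 1),
                 frozenset({"203.0.113.10:443/https", "203.0.113.10:27017/mongodb"}),
                 frozenset({"edc.example-cro.test"}), 2, False)

if __name__ == "__main__":
    found = diff_posture("Example CRO", 1, BEFORE, AFTER)
    for a in found:
        print(f"[{a.severity}] {a.vendor}: {a.reason}" + ("  -> reassess" if a.reassess else ""))
    print("out-of-cycle reassessment:", needs_reassessment(found))
```

Run against the constructed snapshots, the diff produces a high-severity alert for the newly exposed database service, a medium one for the expired certificate, and a high one for the two new critical findings; two of the three trigger reassessment. The same change on a Tier 3 vendor still flags the exposed database as high, but the findings drop to medium without forcing a reassessment, which is the practical meaning of tier-driven monitoring requirements.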
5. Ongoing Governance and Reassessment
Vendor risk is dynamic. Risk levels shift as vendors change ownership, launch new features, enter new markets, or alter their infrastructure. An effective TPRM program ensures that vendors are re-evaluated periodically based on risk tier, contractual timelines, or major business changes. Reassessments should validate that prior remediation actions have been completed and check alignment with new regulatory expectations. Ongoing governance can include structured vendor reviews, KPIs tied to risk or compliance, and integration of third-party risk insights into broader enterprise risk dashboards. Governance also means updating risk scoring models and due diligence standards as new threats, technologies, and regulatory requirements emerge.
6. Documentation and Reporting
Regulators, auditors, and leadership all want evidence—of control, of oversight, and of continuous improvement. A mature TPRM program maintains a robust documentation trail of vendor assessments, risk decisions, mitigation plans, monitoring results, and communication records. Reporting must be role-specific: executives need a high-level risk overview with clear business impact, while security and compliance teams require granular reports on unresolved risks, vendor performance, and regulatory alignment. Documentation should map vendor controls to frameworks such as HIPAA, 21 CFR Part 11, NIST CSF, or the EU’s NIS2 and GDPR. In the event of a breach or audit, this centralized evidence base is what demonstrates due diligence and organizational accountability.
From Reactive to Resilient
By establishing and maturing these pillars, life sciences organizations can shift from reactive vendor oversight to proactive risk governance. A modern TPRM program doesn’t just prevent breaches—it protects patient safety, ensures continuity of clinical operations, strengthens regulator confidence, and enables secure innovation across a growing third-party landscape. In an industry where trust, compliance, and data integrity are paramount, TPRM is not just risk management—it’s business continuity.
Conclusion: Turning Insight into Action
J.P. Morgan’s rallying cry for “security over speed” should galvanize all of us in the life sciences sector. The real-world incidents we’ve examined underscore that third-party cyber risks are business risks – they can halt production lines, derail clinical trials, compromise sensitive data, and erode public trust. The good news is that with an effective TPRM program, these risks can be managed and greatly reduced. It requires commitment, the right processes, and often the right partner to guide the way. By embracing continuous monitoring, enforcing vendor security standards from day one, and staying ahead of regulatory demands, life sciences organizations can confidently collaborate with vendors to innovate at speed and with security.
Now is the time to act. As senior leaders, you have the opportunity to strengthen your company’s resilience by fortifying your third-party relationships. USDM Life Sciences stands ready to help. With our deep domain expertise in life sciences and our comprehensive TPRM Services, we have helped companies just like yours build robust third-party risk management frameworks that align with industry best practices and regulations. Let us do the heavy lifting of vendor risk assessments, continuous monitoring, and program optimization, so your team can focus on core business – knowing that your vendor ecosystem is under vigilant watch.