$5.25M Cadence Bank Settlement Ends Class Action Lawsuit Over May 2023 Data Breach
Third-Party Software Vulnerabilities as Board-Level Liability: The Cadence Bank MOVEit Settlement and Vendor Risk Governance Failure
Why This Matters Structurally
Cadence Bank's $5.25 million settlement over a May 2023 MOVEit vulnerability breach exposes a critical governance asymmetry: financial institutions bear full liability for third-party software vulnerabilities they neither authored nor controlled. With 869,411 affected individuals and settlement approval granted in January 2026, this case signals that vendor risk management has evolved from operational concern to board-level liability exposure—particularly under emerging regulatory frameworks like NIS2 and DORA. The settlement structure reveals not just a breach, but a systemic failure in how institutions contractually manage, monitor, and recover costs from software vendors.
The Vendor Risk Governance Gap
The MOVEit zero-day vulnerability affected Cadence Bank's file transfer infrastructure, yet the institution's contractual relationship with Progress Software (MOVEit's publisher) and its patch management protocols remain opaque in public filings. Under NIS2's essential entity requirements, financial institutions must demonstrate documented vendor risk assessment, contractual service-level agreements (SLAs) for vulnerability remediation, and audit trails proving timely patching. The absence of such evidence in regulatory disclosures suggests many financial institutions lack enforceable contractual mechanisms to compel vendor remediation—meaning liability defaults entirely to the data controller rather than being shared with or recovered from the software publisher.
This governance gap is not unique to Cadence. Most vendor contracts in the financial services sector were drafted before NIS2 enforcement began and lack explicit clauses requiring vendors to: (1) notify customers of vulnerabilities within defined timeframes; (2) provide patches within contractually binding SLAs; (3) maintain cyber insurance covering downstream breach costs; or (4) grant audit rights to verify security posture. Without these contractual levers, institutions become passive recipients of vendor security decisions, absorbing all downstream liability.
The Asymmetric Cost Structure and Vendor Incentive Misalignment
The settlement structure reveals a second, more troubling weakness: breach costs are socialized across victims and borne by the data controller, not recovered from the vendor. Cadence absorbed the $5.25 million settlement fund, $3.5 million in additional security investments, credit monitoring for 869,411 individuals, and reputational damage. Progress Software—the vendor responsible for the vulnerable code—faced no direct class action liability, no punitive damages, and no contractual clawback. This asymmetry creates perverse incentives: vendors prioritize speed-to-market and feature velocity over security hardening, because financial consequences for vulnerabilities fall on downstream users, not on the software publisher.
Under DORA and NIS2, this cost structure is increasingly untenable. Regulators expect institutions to demonstrate that vendors bear proportional accountability for security failures. Cadence's settlement suggests the institution lacked contractual mechanisms to shift or share liability—such as escrow arrangements, vendor cyber insurance requirements, or indemnification clauses with teeth. Organizations that have not revised vendor contracts to include mandatory cyber insurance verification, breach cost recovery mechanisms, and vendor liability caps are exposed to similar settlements and regulatory escalation.
Contractual and Operational Control Deficiencies
From a vendor risk governance perspective, the Cadence case exposes four critical control gaps that many institutions have not yet addressed:
(1) Real-time vulnerability monitoring with contractual SLAs: Cadence apparently lacked contractual requirements for Progress Software to notify customers of vulnerabilities within specific timeframes (e.g., 24 hours for critical zero-days). Without such SLAs, institutions cannot enforce timely patching or hold vendors accountable for delayed disclosure.
(2) Vendor notification and escalation protocols: The institution did not appear to have contractual clauses requiring vendors to notify designated security contacts of vulnerabilities before public disclosure. This left Cadence reactive rather than proactive in its response.
(3) Audit rights and security posture verification: Most vendor contracts lack explicit audit rights allowing institutions to verify vendor security controls, penetration testing frequency, and patch management processes. Cadence's framework apparently did not include such mechanisms.
(4) Cyber insurance and indemnification: The settlement makes no mention of vendor cyber insurance or indemnification clauses that would have shifted breach costs to Progress Software's insurer. This is a critical omission in modern vendor contracts.
Regulatory Implications: NIS2 and DORA Enforcement
Under NIS2, essential entities (including most EU financial institutions) must classify third-party software as critical operational risk and maintain documented vendor risk assessments. DORA goes further, requiring financial institutions to establish contractual arrangements with third-party service providers that include explicit cyber risk management obligations. Cadence's settlement demonstrates that many institutions lack the contractual and operational controls necessary to meet these requirements.
EU regulators will increasingly scrutinize vendor contracts during examinations and breach investigations. Institutions that have not revised agreements to include mandatory vulnerability disclosure timelines, patch SLAs, cyber insurance verification, and audit rights are exposed to regulatory findings and enforcement action. The Cadence settlement serves as a cautionary precedent: courts and regulators will hold institutions accountable for vendor security failures, regardless of whether the institution authored the vulnerable code.
Cybersol's Perspective: The Overlooked Supply Chain Layer
What many organizations overlook is that vendor risk governance is not primarily a technology problem—it is a contractual and liability problem. The Cadence case reveals that institutions often treat vendor contracts as administrative documents rather than risk transfer mechanisms. Security teams focus on vulnerability scanning and patch management, while procurement and legal teams fail to embed enforceable security obligations into vendor agreements.
The systemic weakness is this: institutions negotiate vendor contracts based on price, functionality, and service levels, but rarely include binding cyber risk requirements. When a breach occurs, institutions discover that their contracts provide no mechanism to recover costs from vendors, no audit rights to verify security practices, and no insurance requirements to backstop liability. This is a governance failure, not a technology failure.
Organizations should treat vendor contract revision as a board-level priority. Every critical third-party software agreement should include: (1) mandatory vulnerability disclosure within 24 hours of discovery; (2) patch SLAs tied to severity (critical patches within 7 days); (3) vendor cyber insurance requirements (minimum $10 million coverage); (4) annual audit rights; (5) indemnification clauses covering downstream breach costs; and (6) contractual liability caps that incentivize vendor security investment. Without these mechanisms, institutions remain exposed to settlements like Cadence's, where they bear 100% of breach costs for vulnerabilities they did not create.
Conclusion
The Cadence Bank MOVEit settlement is not simply a data breach settlement—it is evidence of a governance architecture failure. The case demonstrates that financial institutions have not yet aligned their vendor contracts with regulatory expectations under NIS2 and DORA. As regulatory enforcement accelerates and class action litigation becomes more sophisticated, institutions that have not revised vendor agreements to include binding cyber risk obligations, audit rights, and liability recovery mechanisms will face similar settlements and regulatory findings.
Readers should review the full ClassAction.org filing to understand the scope of affected individuals, settlement claim procedures, and the timeline for final court approval (July 9, 2026). More importantly, boards and risk committees should use this settlement as a trigger to audit their vendor contract portfolio and assess whether critical third-party software agreements include the contractual controls necessary to meet NIS2 and DORA requirements.
Source: ClassAction.org. "$5.25M Cadence Bank Settlement Ends Class Action Lawsuit Over May 2023 Data Breach." https://www.classaction.org/news/5.25m-cadence-bank-settlement-ends-class-action-lawsuit-over-may-2023-data-breach