More Banks Issue Breach Notifications Over Supplier Breach
Vendor Breach Cascade in Banking: When Third-Party Risk Frameworks Meet Operational Reality
Governance Implication
When a single software vendor serving 700+ financial institutions falls to ransomware, the governance failure is not localized—it cascades across an entire ecosystem. The Marquis Software Solutions breach, which triggered breach notifications at multiple banks including Artisans' Bank and VeraBank, exposes a structural weakness that regulators and boards must confront: financial institutions maintain vendor risk frameworks that are contractually sound but operationally hollow. This incident matters at board, regulatory, and contractual levels because it demonstrates the gap between documented vendor assessments and the ability to prevent or rapidly respond to third-party compromise at scale.
The Concentration Risk That Vendor Assessments Miss
Marquis Software Solutions developed marketing and compliance software for over 700 banks and credit unions. This concentration is not unusual in financial services—specialized vendors often serve hundreds of institutions simultaneously. Yet vendor risk assessments typically evaluate each vendor in isolation, asking whether controls exist, whether certifications are current, and whether contractual clauses address breach notification. Few institutions ask the systemic question: How many other banks depend on this vendor, and what is the probability that a single breach affects all of us simultaneously?
The August 14 ransomware attack exploited a SonicWall firewall vulnerability—a known, patched vulnerability. This is not a zero-day or an advanced persistent threat that evaded detection. It represents a failure in patch management discipline. For 1.4 million individuals whose personal data was exposed, the breach was preventable through operational hygiene. Yet because the vendor served 700+ institutions, the operational failure became a systemic event. Banks that had assessed Marquis as an acceptable vendor risk discovered, through public disclosure and regulatory notification, that their assessment was incomplete.
The Contractual Liability Chain and Notification Delays
The timeline reveals another governance weakness: contractual mechanisms for vendor breach notification are often ineffective. Marquis detected suspicious activity and determined it was a ransomware attack on August 14. The company did not notify Iowa regulators until November 26—a 104-day gap. Marquis notified Artisans' Bank on October 28, and the bank then conducted its own forensic review to identify affected individuals before notifying customers on December 19. VeraBank's review of stolen files did not conclude until December 12, with customer notification following shortly after.
This cascading timeline illustrates a critical contractual gap: most vendor agreements require notification "without unreasonable delay," but lack specific timeframes, escalation procedures, or liability for notification costs borne by the customer institution. Banks are obligated by regulation to notify affected individuals, yet they depend on vendors to provide timely, accurate information about what data was exposed. When vendors delay or provide incomplete information, banks absorb the regulatory and reputational cost. Contractual language that aligns liability with responsibility—requiring vendors to reimburse notification costs, credit monitoring expenses, and regulatory fines—is rare in practice.
Regulatory Exposure Under NIS2 and DORA
This incident will trigger examination focus under the EU's NIS2 Directive and Digital Operational Resilience Act (DORA), both of which require financial institutions to assess and monitor third-party cyber risk continuously. Regulators will ask affected banks: Did you conduct adequate due diligence on Marquis Software Solutions? Did you require security controls commensurate with the sensitivity of customer data? Did you have contractual mechanisms to verify vendor compliance with patch management and vulnerability remediation? Did you monitor vendor security posture on an ongoing basis, or did you rely on annual questionnaires?
Under DORA Article 28, financial institutions must ensure that third parties maintain security standards equivalent to those required of the institution itself. The SonicWall vulnerability exploitation suggests Marquis failed to meet that standard. Regulators will examine whether affected banks had contractual rights to audit vendor security controls, require evidence of patch application timelines, or terminate the relationship if the vendor failed to remediate known vulnerabilities within specified timeframes. Most vendor agreements do not include these mechanisms.
What Vendor Risk Frameworks Overlook
Cybersol's analysis identifies a systemic weakness in how financial institutions approach vendor risk: questionnaires ask whether vendors have policies; they do not require evidence of policy execution. A vendor may certify that it has a patch management process, but few banks verify that patches are applied within 30 days of release, or that critical vulnerabilities are remediated within 48 hours. The Marquis breach demonstrates that policy existence is not equivalent to operational discipline.
Second, vendor risk frameworks often fail to account for supply chain concentration. When a single vendor serves 700+ institutions, the risk is not individual—it is systemic. A breach at that vendor affects not just one institution but potentially hundreds simultaneously. This creates correlated risk that traditional vendor assessments do not capture. Banks should conduct supply chain concentration analysis: Which vendors serve multiple institutions in our market? What is the probability that a breach at that vendor affects us and our competitors simultaneously? How would regulators view our competitive position if we and our peers are simultaneously notifying customers of the same breach?
Third, vendor risk frameworks often lack contractual mechanisms that align incentives. If a vendor suffers a breach due to negligent patch management, the vendor's cost is typically limited to notification expenses and potential reputational damage. The bank's cost includes notification, credit monitoring, regulatory fines, and reputational damage. Contractual language that requires vendors to indemnify institutions for breach-related costs, or that allows institutions to recover notification expenses from vendors, is rare. This misalignment of incentives means vendors have limited financial motivation to invest in security controls beyond what is contractually required.
Cybersol's Editorial Perspective
The Marquis breach is representative of a governance pattern in which financial institutions maintain vendor risk frameworks that are theoretically sound but operationally insufficient. Vendor risk management requires three elements that are often missing:
- Continuous visibility into vendor security posture: Annual questionnaires and periodic audits are insufficient. Institutions should require vendors to provide evidence of patch application timelines, vulnerability scanning results, and security incident logs on a quarterly or semi-annual basis.
- Contractual mechanisms that align liability with responsibility: Vendor agreements should specify notification timeframes (e.g., within 24 hours of discovery), require vendors to reimburse notification costs and credit monitoring expenses, and allow institutions to recover regulatory fines resulting from vendor negligence.
- Supply chain concentration analysis: Institutions should map which vendors serve multiple institutions and assess the systemic risk if that vendor is breached. This analysis should inform vendor selection, contract terms, and incident response planning.
The Marquis breach also highlights a regulatory gap: NIS2 and DORA require institutions to assess third-party risk, but neither directive specifies what constitutes adequate due diligence or continuous monitoring. Regulators will likely use this incident to clarify expectations. Institutions that have not yet implemented continuous vendor monitoring, contractual mechanisms for breach notification and liability, and supply chain concentration analysis should expect examination focus.
Conclusion
The Marquis Software Solutions breach is not an isolated incident; it is a governance failure that cascades across an entire ecosystem. For financial institutions, this incident underscores the need to move beyond questionnaire-based vendor risk assessment toward continuous monitoring, contractual alignment of liability, and supply chain concentration analysis. Regulators will use this incident to clarify expectations under NIS2 and DORA. Institutions that treat vendor risk as a compliance checkbox rather than an operational imperative should expect regulatory scrutiny.
For a detailed analysis of the incident, including timeline details and affected institutions, readers should review the original Bank Information Security article.
Source: Mathew J. Schwartz, Bank Information Security. "More Banks Issue Breach Notifications Over Supplier Breach." December 31, 2025. https://www.bankinfosecurity.com/more-banks-issue-breach-notifications-over-supplier-breach-a-30421