Lora Vaughn | Vaughn Cyber Group

Concentration Risk Wasn't Just About Loans


Community banks have been managing concentration risk for a hundred years. Loan concentration. Geographic concentration. Industry concentration. There are whole risk programs, whole exam workpapers, and whole committee charters built around the idea that putting too many eggs in one basket is dangerous.

Then we handed our customer data, our core processing, our reporting, our document management, and our analytics to about six SaaS aggregators and called it modernization.

Last week, we found out what that actually looks like when one of the baskets breaks.

The Same Actor. The Same Week. The Same Shape.

ShinyHunters disclosed what they pulled out of Canvas, Instructure’s learning management platform. Two hundred and seventy-five million records. Eight thousand, eight hundred and nine institutions. The same group also hit Cushman & Wakefield through Salesforce. Same threat actor. Same week. Same playbook.

This is the same conversation the industry started having when Fiserv confirmed its own breach a week earlier. The shape repeats because it works. Compromise one platform that holds data for thousands of downstream customers, and one exploit reaches thousands of victims at once.

If you are a community bank reading the news cycle and thinking “but that was higher education and commercial real estate, not banking,” you are looking at the wrong variable. The variable is the platform model. Higher ed handed its data to one LMS. Commercial real estate handed its data to one CRM. Community banks handed everything to a core processor, a digital banking provider, a document repository, and a fintech aggregator (or three).

The vertical is irrelevant. The structure is the risk.

Why ShinyHunters Keeps Targeting Aggregators

There is a reason this is happening at SaaS aggregators rather than at individual banks, and the economics are obvious. Why phish one bank when you can compromise one Salesforce instance and reach two hundred banks at once? Why exploit one core processor’s customer when you can exploit the core processor and get every customer?

The threat model that examiners spent the last fifteen years pushing on community banks assumed the attacker would come for the bank directly. Hardened perimeter, segmented network, MFA on every workstation, employee training. Those controls are still important. They are also pointed at the wrong door.

The door the attacker is using is the door your vendor opened on your behalf. The vendor you do not directly operate. The vendor whose security program you have a SOC 2 report for and have read maybe twice.

What Concentration Risk Actually Looks Like Now

We used to draw concentration risk as a pie chart of loan exposure. Now it looks like a data flow diagram, and every line ends at the same five logos.

Run the exercise. Pick a piece of customer data. Where does it live? Who else does that platform host data for? If they had a Canvas-style or Salesforce-style incident tomorrow, would your data be in the disclosure?

For most community banks, that exercise turns up uncomfortable answers fast. Your customer onboarding documents probably sit in the same DMS as several hundred other banks. Your loan origination data probably feeds a fintech that also serves your competitors. Your analytics platform almost certainly aggregates patterns across its entire customer base, which is how it can offer the benchmarking it sells.

None of that is bad on its own. It’s how the modern bank technology stack works. But it is concentration risk, and it is not being treated like concentration risk.

What Examiners Are About to Ask

The FFIEC has been talking about third-party concentration since 2023. They have been talking about systemic risk in critical service providers for longer than that. What they did not have, until this month, was a current and well-publicized set of examples that connect the regulatory language to real disclosed breaches.

Now they do. Expect questions in your next exam that sound like this: Which critical vendors hold data for more than one hundred other financial institutions? What is your exposure if any one of them is breached? Do your vendor risk reviews capture downstream concentration, or just direct service interruption? Are your contracts written to require notification when a vendor’s other customers are breached, even if your data is not directly involved?

The answer “we read their SOC 2 every year” was always thin. It is going to get rejected fast if you are facing a regulator who just read the Canvas disclosure.

What to Do This Week

You do not need to overhaul your vendor program before Friday. You need to start the inventory work that should already exist.

Pull the list of vendors that hold customer data. Mark the ones that serve more than fifty other banks. Those are your concentration nodes. For each one, write down what data they hold, what platform they run on, and who their cloud and identity providers are. That is not a complete diligence package. It is a map. You can’t manage a risk you haven’t mapped.

For the top three nodes on that map, find out whether they have had a security event in the last twenty-four months and what changed because of it. Read the postmortem if there is one. Ask for one if there is not. The vendors who can produce a clean postmortem are not your problem. The ones who cannot are the ones you need to be watching.

Then look at your contracts. Most vendor contracts written before 2024 do not include cross-customer breach notification. They notify you when your data is involved. They do not notify you when a different customer’s data is exfiltrated using the same exploit that could reach yours.

That is the gap that ShinyHunters is sitting inside of.
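As an added example (this is not the author's tooling or any vendor's product), here is a small Python script that builds the map described above from a constructed inventory. It flags the concentration nodes, finds the hidden concentration the vendor list hides (two vendors that share the same cloud or identity provider, so one upstream incident reaches both), and stress-tests worst-case exposure per single point of failure against an assumed board limit. Vendor names, record counts, provider names, the bank's customer count and the 50% limit are all constructed placeholders.

```python
"""Vendor concentration map for a community bank (added example, constructed data).

Each vendor, and each cloud or identity provider shared by several vendors, is
a node whose failure is stress-tested against a single-node exposure limit.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    data_held: frozenset   # categories of our customer data the vendor holds
    records: int           # how many of our customer records it holds
    other_banks: int       # how many other banks the same platform serves
    cloud: str             # vendor's cloud provider (from its SOC 2 / diligence answers)
    identity: str          # vendor's identity provider


# Constructed sample inventory: names, counts and providers are placeholders.
INVENTORY = [
    Vendor("CoreProcessorCo", frozenset({"account", "transaction", "pii"}), 40_000, 900, "aws", "okta"),
    Vendor("DigitalBankingCo", frozenset({"credentials", "pii", "transaction"}), 38_000, 600, "azure", "okta"),
    Vendor("DocRepoCo", frozenset({"onboarding_docs", "pii"}), 25_000, 300, "aws", "okta"),
    Vendor("AnalyticsCo", frozenset({"transaction"}), 40_000, 120, "gcp", "entra"),
    Vendor("LocalPayrollCo", frozenset({"payroll"}), 200, 12, "on_prem", "local_ad"),
]

TOTAL_CUSTOMERS = 42_000       # constructed: the bank's customer count
NODE_THRESHOLD = 50            # the post's rule of thumb: serves more than 50 other banks
SINGLE_NODE_LIMIT = 0.50       # assumed board limit: no single node may expose >50% of customers


def concentration_nodes(inventory, threshold=NODE_THRESHOLD):
    """Vendors serving more than `threshold` other banks, largest exposure first."""
    nodes = [v for v in inventory if v.other_banks > threshold]
    return sorted(nodes, key=lambda v: (v.records, v.other_banks), reverse=True)


def shared_providers(inventory):
    """Hidden concentration: upstream providers that two or more vendors depend on.

    Returns {(kind, provider): [vendor names]} for groups of size >= 2.
    """
    groups = defaultdict(list)
    for v in inventory:
        groups[("cloud", v.cloud)].append(v.name)
        groups[("identity", v.identity)].append(v.name)
    return {k: sorted(names) for k, names in groups.items() if len(names) >= 2}


def worst_case_exposure(inventory, total_customers=TOTAL_CUSTOMERS):
    """Stress test each single point of failure.

    A scenario is one vendor breached, or one shared provider breached (which
    reaches every vendor on it). Records held by different vendors overlap
    (same customers), so the max across affected vendors is the conservative
    count of distinct customers exposed; the union of categories is the blast
    radius in data terms.
    """
    scenarios = {("vendor", v.name): [v] for v in inventory}
    for key, names in shared_providers(inventory).items():
        scenarios[key] = [v for v in inventory if v.name in names]
    report = {}
    for key, affected in scenarios.items():
        categories = frozenset().union(*(v.data_held for v in affected))
        records = max(v.records for v in affected)
        report[key] = {
            "vendors": sorted(v.name for v in affected),
            "categories": sorted(categories),
            "records_at_risk": records,
            "share": records / total_customers,
        }
    return report


def limit_breaches(inventory, limit=SINGLE_NODE_LIMIT):
    """Scenarios whose worst-case exposure exceeds the single-node limit."""
    report = worst_case_exposure(inventory)
    return sorted(k for k, r in report.items() if r["share"] > limit)


if __name__ == "__main__":
    print("Concentration nodes (the top three get the postmortem question):")
    for v in concentration_nodes(INVENTORY)[:3]:
        print(f"  {v.name}: {v.records} records, {v.other_banks} other banks")
    print("Shared upstream providers:")
    for (kind, provider), names in shared_providers(INVENTORY).items():
        print(f"  {kind} {provider}: {', '.join(names)}")
    print("Worst-case exposure per single point of failure:")
    for key, r in sorted(worst_case_exposure(INVENTORY).items()):
        flag = "BREACH" if r["share"] > SINGLE_NODE_LIMIT else "ok"
        print(f"  {key}: {r['share']:.0%} of customers, {r['categories']} [{flag}]")
```

The row worth looking at on the constructed data is the shared identity provider: three vendors that appear independent on the vendor list collapse into one node that exposes credentials, PII and account data together, which no single vendor review would show. The "max records" rule is an assumption that every vendor holds a subset of the same customer base; if a vendor holds data on non-customers (prospects, authorized signers), count those separately.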

The Real Ask

Going SaaS is not the problem. The platform model is genuinely better for most community banks than running your own infrastructure was. The issue is that we adopted a platform stack and then kept managing risk like we still ran the boxes.

Concentration risk is a banking concept. It transfers cleanly: you set limits, stress test against worst-case loss, and report exposure to the board. You ask whether the exposure has grown, and you change behavior when it has.

You can do that with vendors, and you should. The vendors will not do it for you, because the vendor’s interests are not your interests when the breach is at their other customer. Your regulator will get there. Your customers will get there faster than your regulator if the breach is bad enough.

The basket isn’t in your building anymore, but the risk still is.


If your bank needs help mapping vendor concentration risk or rewriting third-party contracts to cover cross-customer breach notification, reach out to Vaughn Cyber Group. We help community banks treat SaaS concentration the same way they treat loan concentration. Like the risk it actually is.
