Skip to main content
Currently onloravaughn.com→ visit Vaughn Cyber Group
Lora Vaughn

// BLOG POST

When Your Vendor Gets Breached, You Find Out Last

By · Jul 13, 2026 · 4 min read

Between 672,000 and 1.35 million people had their names, Social Security numbers, and account details exposed when a software vendor called Marquis got hit with ransomware in 2025. The vendor serves banks and credit unions, and more than 70 of them got pulled into it. Their customers didn’t do anything wrong, and neither did most of the banks. They picked a vendor, ran the questionnaire, filed the SOC 2, and moved on.

The vendor got breached anyway, and a lot of those customers didn’t hear about it for months.

That gap is the story. Not the ransomware.

The questionnaire covered the wrong moment

Your vendor due diligence looks at one point in time. You send the questionnaire, you get the SOC 2 report, you check whether they have MFA and encryption and an incident response plan on paper. Then you sign, and the file goes quiet until renewal.

None of that tells you what happens the day they actually get hit. The report says they have an IR plan. It does not say they will call you inside 24 hours. It does not say who decides what gets disclosed, or when, or to whom. You audited whether the vendor looks secure. You never audited what they owe you when they aren’t.

For a community bank, that is the whole exposure. You are the one holding the regulatory relationship. FDIC and your examiners don’t care that it was the vendor’s SonicWall box that got brute-forced. It’s your customers’ data and your name on the notification letter.

Your vendor made three calls without you in the room

When Marquis got breached, somebody made decisions that landed on every bank downstream.

Someone decided whether to pay the ransom. At least one credit union’s notification letter said the vendor paid. That is a choice with real consequences for every institution whose data was sitting in that environment, and none of them were in the room for it.

Someone decided what to say. Someone decided when to say it. And the banks learned the shape of all three long after the fact, some of them through a filing rather than a phone call.

You can have a spotless vendor file and still be in exactly this spot. The clean report and the fast notification are not the same control. Everyone tests for the first one. Almost nobody contracts for the second.

What actually protects you is boring

It’s the contract. Specifically, the breach notification clause.

Most vendor agreements say the vendor will notify you “without undue delay” or “as required by law.” That language means nothing when you need it. Undue delay is whatever their lawyers decide it is after the fact.

Put a number in it. The vendor notifies you within 24 or 48 hours of confirming an incident, in writing, with a named contact. Spell out that you get told before public disclosure, not after. Require that any decision to pay a ransom involving your data comes with notice to you. Add the right to your own forensic summary, not just a press statement.

This is the part of third-party risk that has teeth. A security rating is a guess, and a SOC 2 is a snapshot from months ago. A notification clause with a real deadline is the thing you can actually hold a vendor to when the worst day comes, and for a bank running a small team, it is cheaper than any tool you could buy, because it is words on a page you already sign.

Go pull your three most critical vendor contracts. The core provider, the one that touches customer data most directly, and whichever one you’d panic about first. Read the notification language. If it says “without undue delay” and nothing else, you found your next redline before renewal.

If you want help figuring out which clauses actually matter for your risk and which are noise, book a call: https://cal.com/vaughn-cyber-group

Lora Vaughn, fractional CISO and cybersecurity speaker

About the Author

Lora Vaughn is a fractional CISO and cybersecurity speaker with 20+ years securing banks, digital payments, and financial products at scale. She is a two-time CISO (MoneyGram, Simmons Bank), a former NSA analyst, a CISSP, and a two-time CISOs Connect A100 honoree. She writes practical, no-buzzword security guidance from Birmingham, Alabama.

Work With Lora

Need Help Getting Exam-Ready?

Vaughn Cyber Group helps community banks build security programs that satisfy examiners and actually protect your institution.

Consulting services are delivered through Vaughn Cyber Group.