If you’re leading security or risk at a community or regional bank, third-party vendor cyber risk for banks is no longer an abstract concern: it is the front door attackers are choosing first. Recent disclosures about a ransomware attack on Marquis Software Solutions, a fintech marketing and compliance vendor, which affected more than 70 U.S. banks and credit unions, are just the latest reminder that your strongest controls can be undone by a single exposed vendor. (TechRadar)
For institutions already facing AI-driven phishing, ransomware, and evolving regulatory pressure, vendor risk has become a defining challenge for 2025.
Why third-party vendor cyber risk for banks is growing
Banks have always relied on vendors, but the nature of that dependence has changed.
Today, even a modest community bank may depend on dozens of external providers:
- Core processors and online banking platforms
- Loan origination and portfolio management systems
- Digital marketing, data analytics, and CRM vendors
- Fraud detection, KYC/AML, and sanctions screening solutions
- Cloud hosting providers, MSSPs, and remote access tools
Each of those relationships extends your attack surface into environments you don’t directly control. The Marquis incident is a textbook example: in August 2025, attackers exploited a SonicWall vulnerability to gain access to a vendor environment that processed sensitive data for 74 banks and credit unions, exposing names, SSNs, account details and more for an estimated 400,000 consumers. (TechRadar)
For community banks, this intersects directly with existing pain points:
- Legacy systems and patching gaps that make integration with vendors complex
- Limited in-house security staff to monitor every third party continuously
- Escalating regulatory expectations around vendor oversight and operational resilience
With the average breach now costing financial institutions roughly $5.9 million, relying on trust and contracts alone is no longer viable.
What the Marquis breach reveals about your own vendors
You don’t need to be a Marquis customer for this to be a wake-up call. Incidents like this highlight several systemic issues in third-party vendor cyber risk for banks:
- The weakest link is often outside your firewall
  - In the Marquis case, attackers compromised a SonicWall device used for remote access, not a bank’s internal network.
  - Even if your bank patches quickly, a lagging vendor can still expose your customers.
  - Once attackers have vendor-level access, they may not need to breach your perimeter directly.
- Patching alone isn’t enough
  - Reporting indicates that simply applying the SonicWall patch isn’t sufficient: administrators must also reset credentials and review MFA configurations, because attackers are using stolen credentials to bypass MFA and maintain persistence.
  - The practical rule is to treat every credential a compromised remote-access device held or could read (local admin accounts, VPN user passwords, directory bind accounts) as exposed and rotate it, rather than assuming the patch closed the door.
- Data minimization is still underused
  - Many vendors hold far more sensitive data than they strictly need, from SSNs to full account details, dramatically increasing breach impact when something goes wrong.
- Contractual requirements don’t equal operational reality
  - On paper, vendors may commit to strong security. In practice:
    - Logging may be incomplete or unmonitored
    - Incident response plans may be immature
    - Vulnerability management cycles may lag weeks or months behind critical advisories
For banking executives, the lesson is clear: third-party risk management needs to move from paper-based checklists to continuous, operational assurance.
Regulatory expectations: vendor cyber risk at community banks
Regulators have been increasingly explicit that accountability for third-party risk sits with boards and senior management, not with the vendors themselves.
Recent guidance and reports, including the 2023 Interagency Guidance on Third-Party Relationships: Risk Management issued by the OCC, FDIC and Federal Reserve, emphasize:
- OCC & FFIEC focus on third-party and operational resilience
  - Recent OCC reports highlight ongoing ransomware campaigns targeting both banks and their third parties, stressing the importance of protecting against disruptive attacks that originate in vendor environments.
- Community bank scrutiny
  - Analyses of 2025 community bank cybersecurity underline that smaller institutions face the same sophisticated phishing and ransomware threats as large banks, but with fewer resources and often heavier reliance on external providers.
- Expectations for due diligence and ongoing monitoring
  - Regulators expect banks to:
    - Perform risk-based due diligence before onboarding
    - Include detailed security and incident response requirements in contracts
    - Monitor vendor performance, controls, and incidents on an ongoing basis
    - Include third-party scenarios in business continuity and incident response testing
In short: “We trusted our vendor” will not satisfy your examiner, or your board, if a vendor breach becomes headline news with your bank’s name attached.
A practical playbook to reduce third-party vendor cyber risk for banks
You don’t need a big-bank budget to materially reduce third-party vendor cyber risk for banks. You do need a structured, repeatable approach that your team and your vendors can follow.
Here’s a practical roadmap you can start executing in Q1:
1. Build a real vendor risk inventory
- Catalog all vendors that access, process, or store customer or confidential bank data
- Tag them by criticality (e.g., Tier 1: core banking/online banking; Tier 2: payments/loan systems; Tier 3: marketing/analytics)
- Identify which vendors have remote access into your network or systems
This becomes the backbone of everything else.
2. Tighten security expectations and contracts
For your highest-risk vendors:
- Require clear security baselines (MFA everywhere, vulnerability management SLAs, encryption standards, logging and monitoring)
- Include defined incident notification timelines (e.g., within 24 hours of discovery). Note that the federal Computer-Security Incident Notification Rule, in force since 2022, already requires bank service providers to notify affected bank customers as soon as possible of an incident that materially disrupts or degrades services for four or more hours, and gives your bank 36 hours from determining a notification incident occurred to notify its primary federal regulator; your contract clock should leave room for that.
- Specify breach response responsibilities, data ownership, and cooperation expectations
- Require annual independent assessments or SOC 2 / ISO 27001 reports where appropriate
3. Assess and prioritize your top 10–15 vendors
You don’t have to start with everyone at once.
- Identify your top 10–15 high-risk vendors
- Conduct targeted assessments focusing on:
  - Patch management and vulnerability remediation
  - Remote access controls (VPN, privileged accounts, third-party admins)
  - Data minimization and retention practices
  - Backup and recovery capabilities
Where gaps are found, create written remediation plans with timelines.
4. Implement continuous monitoring, not annual check-ups
Move beyond “once-a-year questionnaires”:
- Monitor for high-severity vulnerabilities affecting the technologies your vendors run, especially internet-facing remote-access appliances of the kind exploited in the Marquis incident, and confirm the vendor’s patch and credential-reset status rather than assuming it
- Subscribe to threat intel or alerting services that track breaches involving your vendors
- Use your SIEM or MSSP to watch for suspicious activity tied to vendor accounts and connections: vendor service accounts logging in outside agreed change windows, connections from source addresses the vendor never declared, and failed logins against vendor accounts
This is where partnering with a cybersecurity provider that understands banking threat patterns can dramatically lighten the load.
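Steps 1 and 4 above are concrete enough to script. The following is an added example, not code from the original post or from The Saturn Partners: it keeps a tiered vendor inventory (step 1), correlates it against an advisory feed to find which vendors run a product under a high-severity advisory (step 4), and reviews remote-access log lines for vendor service accounts connecting from undeclared sources or outside the agreed change window (step 4). Every vendor, product, advisory id, account name and log line is constructed for illustration; none refers to a real company, CVE or customer.

```python
"""Vendor risk inventory with two continuous-monitoring checks.

Added example, not code from the original post or from The Saturn Partners.
Every vendor, product, advisory id, account and log line below is constructed
for illustration; the names are hypothetical placeholders.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Step 1: tier by the service the vendor provides (lower number = more critical).
TIER_BY_CATEGORY = {
    "core_banking": 1, "online_banking": 1,
    "payments": 2, "loan_origination": 2,
    "marketing": 3, "analytics": 3, "crm": 3,
}


@dataclass
class Vendor:
    name: str
    category: str
    data_types: set             # customer data the vendor holds, e.g. {"ssn"}
    remote_access: bool         # vendor has a VPN/remote tool into the bank
    technologies: set           # products the vendor runs that we track advisories for
    service_accounts: set = field(default_factory=set)  # bank-side accounts the vendor uses
    allowed_sources: set = field(default_factory=set)   # source IPs the vendor may connect from

    @property
    def tier(self) -> int:
        return TIER_BY_CATEGORY.get(self.category, 3)


def risk_score(v: Vendor) -> int:
    """Additive score: criticality tier, sensitive data held, remote access into the bank."""
    score = {1: 50, 2: 30, 3: 10}[v.tier]
    if {"ssn", "account_number"} & v.data_types:
        score += 30
    if v.remote_access:
        score += 20
    return score


# Constructed inventory (hypothetical vendors, not real companies).
VENDORS = [
    Vendor("CoreBankCo", "core_banking", {"ssn", "account_number"}, True,
           {"example-vpn-appliance"}, {"svc-corebank"}, {"198.51.100.10"}),
    Vendor("MailMetrics", "marketing", {"name", "email", "ssn"}, True,
           {"example-vpn-appliance", "example-crm"}, {"svc-mailmetrics"}, {"203.0.113.5"}),
    Vendor("FraudWatch", "analytics", {"account_number"}, False,
           {"example-ml-platform"}),
]

# Constructed advisory feed (hypothetical ids and product names, not real CVEs).
ADVISORIES = [
    {"id": "ADV-2025-001", "product": "example-vpn-appliance", "severity": "critical"},
    {"id": "ADV-2025-002", "product": "example-crm", "severity": "low"},
]


def match_advisories(vendors, advisories):
    """Step 4: which vendors run a product named in a high-severity advisory?
    Returns (vendor name, advisory id) pairs, highest-risk vendor first."""
    score = {v.name: risk_score(v) for v in vendors}
    hits = [(v.name, adv["id"])
            for adv in advisories if adv["severity"] in ("high", "critical")
            for v in vendors if adv["product"] in v.technologies]
    return sorted(hits, key=lambda h: -score[h[0]])


# Constructed remote-access log lines (RFC 5737 test addresses, UTC timestamps).
LOG_RE = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")
VPN_LOG = """\
2025-11-03T09:14:07Z vpn user=svc-corebank src=198.51.100.10 result=success
2025-11-03T02:41:33Z vpn user=svc-mailmetrics src=203.0.113.5 result=success
2025-11-03T10:02:19Z vpn user=svc-mailmetrics src=192.0.2.77 result=success
2025-11-03T10:05:00Z vpn user=svc-corebank src=192.0.2.77 result=failure
2025-11-03T11:30:00Z vpn user=jsmith src=198.51.100.10 result=success
""".splitlines()


def suspicious_vendor_logins(vendors, log_lines, window=(8, 18)):
    """Step 4: review remote-access logs for vendor service accounts.
    Flags any attempt from a source not on the vendor's allow-list (success or
    failure) and successful logins outside the agreed change window (UTC hours)."""
    owner = {acct: v for v in vendors for acct in v.service_accounts}
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["user"] not in owner:
            continue  # unparsable line, or a bank employee rather than a vendor account
        v = owner[m["user"]]
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        reasons = []
        if m["src"] not in v.allowed_sources:
            reasons.append(f"unapproved source {m['src']} (result={m['result']})")
        if m["result"] == "success" and not (window[0] <= ts.hour < window[1]):
            reasons.append(f"successful login outside change window at {ts:%H:%M} UTC")
        findings.extend({"vendor": v.name, "user": m["user"], "ts": m["ts"], "reason": r}
                        for r in reasons)
    return findings


if __name__ == "__main__":
    for name, adv in match_advisories(VENDORS, ADVISORIES):
        print(f"contact {name} about {adv}")
    for f in suspicious_vendor_logins(VENDORS, VPN_LOG):
        print(f"{f['ts']} {f['vendor']} {f['user']}: {f['reason']}")
```

Run as a script, it lists the two vendors that run the advisory-affected appliance (the Tier 1 core processor first) and three log findings: one vendor account used at 02:41 UTC, the same account and a second vendor account connecting from an address neither vendor declared. The scoring weights and the change window are assumptions to be replaced with your own tiering and contract terms; the point is that both checks run from the same inventory, so the inventory has to exist before monitoring can.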
5. Integrate vendor incidents into your IR and BCP testing
Your incident response (IR) and business continuity (BCP) plans should assume:
- A critical vendor is taken offline by ransomware
- A vendor with your customer data suffers a breach and is slow to notify you
- Credentials tied to a vendor VPN or remote tool are compromised
Run tabletop exercises simulating these scenarios with cross-functional teams (IT, security, risk, compliance, operations, and communications). Document decisions and improve playbooks after each session.
How The Saturn Partners helps community banks close the gap
For many community and regional banks, the challenge isn’t recognizing the severity of third-party vendor cyber risk for banks, it’s having the staff, time, and expertise to manage it at scale.
That’s where The Saturn Partners comes in.
Grounded in banking-specific cybersecurity frameworks and regulatory expectations, we help institutions:
- Build and maintain a risk-based vendor inventory tied to your unique business model
- Create or modernize third-party risk policies, due diligence templates, and contract language
- Assess high-risk vendors for real-world security posture—not just checkbox compliance
- Integrate vendor access points into 24/7 monitored SOC services and threat detection
- Run vendor-focused tabletop exercises and incident simulations for leadership and boards
We also help you prepare for future-facing threats, from AI-driven attacks to quantum risk, by aligning your vendor strategy with broader banking cybersecurity initiatives, including quantum-safe cryptography planning. For a deeper dive on that topic, see our recent post on how banks can prepare for quantum-safe cryptography before it’s too late.
Conclusion: Vendor risk is now core banking risk
The Marquis breach is not an outlier; it’s a preview.
As more of your critical operations move into vendor and fintech ecosystems, third-party compromise becomes one of the most likely paths to a high-impact incident. For community and regional banks, the path forward is not to pull back from vendors, but to professionalize and operationalize vendor cyber oversight.
That means:
- Treating vendor risk as a strategic board-level issue
- Prioritizing high-impact vendors for deeper scrutiny
- Moving from annual questionnaires to continuous assurance
- Partnering with specialists who understand the realities of your size, budget, and regulatory landscape
If your institution is ready to move beyond checkbox vendor management and build a practical, risk-based program that stands up to both attackers and examiners, we’d be happy to help. Talk to our banking cybersecurity team about assessing your top high-risk vendors and building a third-party cyber risk roadmap tailored to your institution.