Everest Ransomware Hits Two US Banks via Third-Party Vendor: A Wake-Up Call for Saudi Financial Sector Supply Chain Security

Everest ransomware breached two US banks through a single shared vendor, exposing 250K customer records. Here's what Saudi financial institutions must learn about third-party risk under SAMA CSCC.

FyntraLink Team

A single compromised vendor just exposed 250,000 banking customers across two major US financial institutions. The Everest ransomware group didn't need to breach Frost Bank or Citizens Financial Group directly — they simply targeted the weakest link in the supply chain: a third-party statement printing and tax-document fulfillment provider. For Saudi financial institutions operating under SAMA's Cyber Security Framework, this incident is a textbook demonstration of why third-party risk management isn't optional — it's existential.

The Everest Attack: How a Vendor Breach Became a Banking Crisis

On April 20, 2026, the Russia-linked Everest ransomware-as-a-service (RaaS) operation listed both Frost Bank and Citizens Financial Group on its dark web leak site, issuing a six-day ultimatum before dumping stolen data publicly. The breach didn't originate from either bank's infrastructure. Instead, Everest compromised a shared third-party vendor — one that handled statement printing for Citizens and tax-document fulfillment for Frost. This single point of failure gave the attackers access to approximately 250,000 client records from Frost Bank alone, including Social Security numbers, tax identification numbers, mortgage rates, investment returns, income data, and home addresses.

Double Extortion and the Shared-Vendor Problem

Everest operates a classic double-extortion model: exfiltrate sensitive data first, encrypt systems second, then threaten public release if ransom demands aren't met. What makes this incident particularly alarming is the cascading effect of shared-vendor compromise. Both banks confirmed the breach originated externally, yet both face regulatory scrutiny, class-action lawsuits filed within four days, and severe reputational damage. By April 24, two proposed class actions landed in US District Court alleging negligence and breach of implied contract — not against the vendor, but against the banks themselves. The legal precedent is clear: outsourcing operations does not outsource accountability.

Why Saudi Financial Institutions Cannot Ignore This

SAMA's Cyber Security Framework (CSCC) explicitly mandates third-party cybersecurity risk management under Domain 3 (Third Party Cybersecurity). Financial institutions must assess, monitor, and enforce security controls across their entire vendor ecosystem. The NCA's Essential Cybersecurity Controls (ECC) similarly requires supply chain risk assessment under Subdomain 2-2. Yet in practice, many Saudi banks and insurance companies still rely on annual questionnaire-based assessments for critical vendors — the same approach that failed spectacularly for Frost Bank and Citizens. The Everest attack demonstrates that attackers deliberately target vendors servicing multiple financial institutions to maximize leverage. A single Saudi-based document processing vendor, payment gateway provider, or cloud hosting partner could expose multiple SAMA-regulated entities simultaneously.

SAMA CSCC Third-Party Requirements Under Scrutiny

Domain 3 of SAMA CSCC requires member organizations to implement continuous third-party risk monitoring, not periodic checkbox exercises. Specifically, institutions must maintain a comprehensive inventory of all third-party service providers with access to sensitive data, conduct risk-based due diligence before onboarding vendors, include cybersecurity clauses in all vendor contracts (right to audit, breach notification timelines, data handling standards), perform periodic security assessments proportional to the vendor's access level, and establish incident response procedures that account for third-party breach scenarios. The Frost Bank incident exposes the gap between policy compliance and operational reality. Having the right clauses in contracts means nothing if you cannot detect when a vendor has been compromised before the ransomware group posts your data online.

Practical Recommendations for Saudi Financial Institutions

  1. Implement Continuous Vendor Security Monitoring: Replace annual questionnaires with real-time monitoring of vendor security posture. Use automated tools that track exposed credentials, infrastructure vulnerabilities, and dark web mentions of your vendors. SAMA CSCC Domain 3.3.4 explicitly requires ongoing monitoring — not annual snapshots.
  2. Classify Vendors by Data Access Criticality: Not all vendors carry equal risk. A vendor processing customer PII, tax documents, or financial statements requires the same security scrutiny as your internal SOC. Map every vendor to the specific data types they access and apply proportional controls.
  3. Enforce Breach Notification SLAs: Your contracts should mandate 24-hour breach notification — not the 72 hours many vendors currently offer. In the Frost Bank case, the gap between vendor compromise and bank awareness gave Everest time to exfiltrate and stage data for publication.
  4. Conduct Joint Incident Response Exercises: Run tabletop exercises that simulate a critical vendor breach scenario. Test whether your IR team can isolate vendor connections, assess data exposure, and notify SAMA within the required timeframe when the breach originates outside your perimeter.
  5. Require SOC 2 Type II Plus Penetration Testing: Annual SOC 2 reports are insufficient for high-risk vendors. Require quarterly vulnerability assessments and annual penetration testing for any vendor with access to customer data covered under PDPL or PCI-DSS scope.
  6. Implement Zero Trust for Vendor Connections: Apply least-privilege access for all vendor integrations. Segment vendor-accessible systems from core banking infrastructure. If a vendor's environment is compromised, the blast radius should be contained to the minimum data necessary for service delivery.
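The following Python sketch is an added example, not code from the article or from FyntraLink. It turns the Domain 3 inventory requirements described above and recommendations 1 through 6 into checks a third-party risk register can run automatically: each vendor is tiered by the sensitivity of the data it can reach, and the register flags contracts whose breach-notification SLA exceeds 24 hours, missing right-to-audit clauses, stale vulnerability assessments (older than 90 days) and penetration tests (older than a year) for critical and high-tier vendors, integrations not segmented from core banking systems, and vendors shared across several regulated entities (the concentration pattern in the Everest incident). The vendor records, data-class weights, thresholds, institution names and review date are constructed for illustration and are assumptions, not SAMA CSCC text.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Sensitivity weight per data class. Constructed for illustration; a real
# programme would derive these from its own data-classification policy.
DATA_CLASS_WEIGHT = {
    "national_id": 5,
    "tax_id": 5,
    "financial_statement": 4,
    "mortgage_terms": 3,
    "home_address": 2,
    "marketing_prefs": 1,
}

# Thresholds mirroring the recommendations in the article (assumed values).
MAX_BREACH_NOTIFY_HOURS = 24
MAX_VULN_ASSESSMENT_AGE = timedelta(days=90)   # quarterly
MAX_PENTEST_AGE = timedelta(days=365)          # annual
REVIEW_DATE = date(2026, 4, 24)                # constructed review date


@dataclass
class Vendor:
    name: str
    service: str
    data_classes: set[str]          # customer data types the vendor handles
    serves_entities: set[str]       # regulated institutions using this vendor
    breach_notify_hours: int        # contractual breach-notification SLA
    last_vuln_assessment: date | None
    last_pentest: date | None
    segmented_from_core: bool       # integration isolated from core banking?
    right_to_audit: bool            # contract carries a right-to-audit clause?


def criticality(v: Vendor) -> str:
    """Tier a vendor by the sensitivity of the data it can reach."""
    score = sum(DATA_CLASS_WEIGHT.get(c, 0) for c in v.data_classes)
    if score >= 8:
        return "critical"
    if score >= 4:
        return "high"
    return "medium" if score > 0 else "low"


def stale(last: date | None, max_age: timedelta, today: date) -> bool:
    """True when an assessment is missing or older than the allowed age."""
    return last is None or today - last > max_age


def findings(v: Vendor, today: date) -> list[str]:
    """Control gaps for one vendor; assessment checks scale with its tier."""
    out: list[str] = []
    if v.breach_notify_hours > MAX_BREACH_NOTIFY_HOURS:
        out.append(f"breach notification SLA is {v.breach_notify_hours}h, "
                   f"exceeds {MAX_BREACH_NOTIFY_HOURS}h")
    if not v.right_to_audit:
        out.append("contract lacks right-to-audit clause")
    if criticality(v) in ("critical", "high"):
        if stale(v.last_vuln_assessment, MAX_VULN_ASSESSMENT_AGE, today):
            out.append("vulnerability assessment missing or older than 90 days")
        if stale(v.last_pentest, MAX_PENTEST_AGE, today):
            out.append("penetration test missing or older than 365 days")
        if not v.segmented_from_core:
            out.append("integration not segmented from core banking systems")
    if len(v.serves_entities) > 1:
        out.append(f"shared by {len(v.serves_entities)} institutions: concentration risk")
    return out


def exposure_by_entity(vendors: list[Vendor]) -> dict[str, list[str]]:
    """Inventory view: which critical/high vendors each institution depends on."""
    exposure: dict[str, list[str]] = {}
    for v in vendors:
        if criticality(v) in ("critical", "high"):
            for entity in sorted(v.serves_entities):
                exposure.setdefault(entity, []).append(v.name)
    return exposure


def sample_register() -> list[Vendor]:
    """Constructed vendor records reproducing the shared-vendor pattern."""
    return [
        Vendor("DocPrintCo", "statement printing / tax-document fulfilment",
               {"national_id", "tax_id", "financial_statement",
                "mortgage_terms", "home_address"},
               {"Bank A", "Bank B"}, breach_notify_hours=72,
               last_vuln_assessment=date(2025, 9, 1),
               last_pentest=date(2026, 1, 15),
               segmented_from_core=False, right_to_audit=False),
        Vendor("MailBlast", "marketing e-mail delivery",
               {"marketing_prefs"}, {"Bank A"}, breach_notify_hours=24,
               last_vuln_assessment=None, last_pentest=None,
               segmented_from_core=True, right_to_audit=True),
    ]


def run_review(today: date = REVIEW_DATE) -> dict[str, dict]:
    """Tier every vendor in the register and list its control gaps."""
    return {v.name: {"tier": criticality(v), "findings": findings(v, today)}
            for v in sample_register()}


if __name__ == "__main__":
    for name, result in run_review().items():
        print(f"{name} [{result['tier']}]")
        for gap in result["findings"]:
            print(f"  - {gap}")
    print(exposure_by_entity(sample_register()))
```

Run as a script, the register tiers the document vendor as critical with five findings (72-hour SLA, no audit clause, stale vulnerability assessment, no segmentation, shared by two institutions) while the low-sensitivity e-mail vendor reports none; the exposure map shows that both institutions depend on the same critical vendor, which is the concentration view an annual questionnaire never produces.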

The Regulatory Trajectory: Accountability Is Shifting

The class-action lawsuits against Frost Bank and Citizens — not their vendor — signal a global regulatory trajectory that Saudi institutions must anticipate. SAMA's enforcement posture has consistently tightened, and PDPL (Personal Data Protection Law) holds data controllers responsible regardless of whether processing occurs in-house or through third parties. When the next vendor breach hits the Saudi financial sector, regulators will ask what continuous monitoring was in place, not whether the vendor ticked a compliance box twelve months ago.

Conclusion

The Everest ransomware attack on Frost Bank and Citizens Financial Group isn't a US-specific problem — it's a preview of what happens when financial institutions treat vendor risk management as a compliance exercise rather than an operational security imperative. Saudi banks, insurance companies, and fintech platforms share the same vendor ecosystem vulnerabilities. The difference is whether you detect and contain the compromise before a ransomware group sets a six-day countdown clock on your customers' data.

Is your vendor ecosystem your weakest link? Contact Fyntralink for a complimentary Third-Party Risk Assessment aligned to SAMA CSCC Domain 3 — identify your critical vendor exposures before attackers do.