
Everest Ransomware Hits US Banks: Vendor Risk Lessons for SAMA

Everest ransomware claimed breaches at Frost Bank and Citizens Financial Group through a shared third-party vendor, exposing 250K+ customer records. SAMA-regulated banks face the same supply chain exposure — here is what every CISO must do now.

FyntraLink Team

On April 20, 2026, the Everest ransomware gang listed two well-known US banks — Frost Bank and Citizens Financial Group — on its dark web leak site. Neither bank was breached directly. Both fell through the same shared third-party vendor. For SAMA-regulated banks in Saudi Arabia, this incident is more than a foreign headline; it is a textbook stress test of every clause in the SAMA Cyber Security Framework dealing with third-party risk.

What Happened: Two Banks, One Vendor, One Ransomware Crew

Everest claimed roughly 250,000 client records from Frost Bank — including Social Security numbers, tax IDs, full names, mortgage interest rates, investment profits, income data, and home addresses — alongside 3.4 million records from Citizens Financial Group sourced from a SQL database dump. Both institutions confirmed the intrusion did not occur on their own networks. The compromised vendor reportedly handled statement printing for Citizens and tax document fulfillment for Frost. Within four days of the leak announcement, two class action lawsuits had already been filed in the US District Court in Providence, each seeking damages exceeding USD 5 million.

Why a Single Vendor Compromise Cascades Across Multiple Banks

Modern banks outsource non-core but data-rich functions: print operations, tax fulfillment, KYC enrichment, AML screening, mobile push delivery, customer analytics, and SaaS-based core banking add-ons. Each contract becomes a one-way data pipe. When a vendor is breached, the blast radius equals every bank it serves. Everest did not need to defeat Frost's or Citizens' defenses — the vendor effectively delivered customer data to the attacker through a single SQL query. The same architectural pattern exists in nearly every Saudi bank, where shared local processors handle ATM personalization, statement printing, SMS delivery, and outsourced contact centers.

Impact on Saudi Financial Institutions Under SAMA, NCA and PDPL

The SAMA Cyber Security Control Framework (CSCC) explicitly mandates third-party cyber security risk management under Control 3.3.15, requiring formal risk assessments, contractual security clauses, ongoing monitoring, and incident notification timelines for every supplier handling member data. The NCA Essential Cybersecurity Controls (ECC-1:2018) reinforce this through Control 4-1, while the Personal Data Protection Law (PDPL) holds the data controller — the bank — fully accountable for any unauthorized disclosure caused by a processor. A vendor-driven breach in Riyadh would simultaneously trigger SAMA reporting within 4 hours, NCA notification, PDPL data subject disclosure within 72 hours, and PCI-DSS forensic obligations if cardholder data is touched. The Everest incident shows how all four obligations can fire from a single supplier failure.

Practical Recommendations for Saudi Banks

  1. Map every third party that stores, processes, prints, or transmits customer data. Maintain a live inventory tied to data classification and SAMA criticality tiers — not a static spreadsheet.
  2. Demand independent attestation. Require ISO 27001, SOC 2 Type II, and PCI-DSS AOC where applicable. For high-criticality vendors, conduct annual on-site assessments aligned to SAMA CSCC Domain 3.
  3. Enforce contractual cyber clauses: encryption at rest and in transit, breach notification within 24 hours, right-to-audit, sub-processor approval, data residency inside the Kingdom for sensitive data, and secure disposal certificates.
  4. Deploy continuous third-party attack surface monitoring. Tools such as SecurityScorecard, BitSight, or Tenable One can detect exposed vendor assets, leaked credentials on dark web markets, and vulnerable internet-facing services before they become incidents.
  5. Test the joint incident response plan. Run a tabletop exercise simulating exactly this scenario — a shared printing vendor compromised by ransomware — and measure time to contain, notify SAMA, and preserve evidence.
  6. Limit data exposure by design. Apply tokenization, data minimization, and field-level encryption so that even if a vendor SQL dump is exfiltrated, the records are unreadable without keys held inside the bank.
  7. Establish a vendor exit and key rotation procedure. Contracts must include data return or certified destruction within 30 days of termination, with cryptographic key revocation for all integrations.
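As an added illustration of recommendation 6 (not code from the original post or from Fyntralink), the Python sketch below shows how a bank can tokenize the customer identifier inside its own vault and strip sensitive fields before a statement-print job is handed to a vendor, so that a dump of the vendor's database holds nothing usable; the field names, vault design and sample record are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Fields a statement-printing vendor actually needs (data minimization). Assumed set.
VENDOR_FIELDS = ("display_name", "mailing_address", "statement_ref")
# Fields that never leave the bank in clear form. Assumed set.
SENSITIVE_FIELDS = ("customer_id", "ssn", "tax_id", "income", "mortgage_rate")


class TokenVault:
    """Bank-internal vault: the HMAC key and the token->value map never leave the bank."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self._store = {}

    def tokenize(self, name, value):
        # Keyed, deterministic token: the same value maps to the same token, so the vendor
        # can still de-duplicate and report per customer, yet without the key a token
        # cannot be reversed or confirmed by guessing candidate values.
        mac = hmac.new(self.key, f"{name}:{value}".encode(), hashlib.sha256).hexdigest()
        token = f"tok_{name}_{mac[:20]}"
        self._store[token] = value
        return token

    def detokenize(self, token):
        return self._store[token]


def build_vendor_payload(vault, record):
    """The minimal record a print vendor receives for one statement job."""
    payload = {k: record[k] for k in VENDOR_FIELDS}
    payload["customer_token"] = vault.tokenize("customer_id", record["customer_id"])
    return payload


def leaks_sensitive_values(payload, record):
    """True if any sensitive value appears verbatim in the data handed to the vendor."""
    blob = json.dumps(payload)
    return any(str(record[k]) in blob for k in SENSITIVE_FIELDS)


def reconcile(vault, vendor_report):
    """Bank side: map the vendor's job status back to the real customer id."""
    return vault.detokenize(vendor_report["customer_token"])


# Constructed sample record (fictitious values, not real customer data).
SAMPLE_RECORD = {"customer_id": "C-1002938", "display_name": "A. Example",
                 "mailing_address": "12 Sample St, Example City, TX", "statement_ref": "stmt-2026-03",
                 "ssn": "123-45-6789", "tax_id": "98-7654321", "income": "84,000", "mortgage_rate": "6.25"}
```

Run `leaks_sensitive_values` as a pre-send gate on every outbound vendor batch; if it ever returns True, the export should fail closed rather than ship.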

Conclusion

The Everest breach of Frost and Citizens is not a story about ransomware sophistication. It is a story about governance gaps in vendor oversight — gaps that exist today inside many Saudi banks. SAMA CSCC, NCA ECC, and PDPL already provide the regulatory blueprint; the question is whether your third-party risk program operationalizes those clauses or only documents them.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on third-party and supply chain risk.