
Marquis Breach Hits 80 Banks: SAMA Vendor Risk Lessons for Saudi CISOs

The Marquis Software ransomware breach exposed 824,000 customers across 80 US banks via a single SonicWall CVE. Here is the SAMA CSCC 3.4 vendor-risk playbook every Saudi CISO must apply now.

FyntraLink Team

A single unpatched SonicWall firewall at a fintech vendor exposed 824,000 banking customers across 80 institutions. For Saudi banks under SAMA CSCC, the Marquis Software breach is not a foreign headline — it is a stress test of every Third-Party Risk Management control on your books.

Marquis Software Breach: A Single Vendor, Eighty Compromised Banks

Marquis Software Solutions, a Texas-based fintech that powers marketing analytics, statement printing, and customer communications for more than 700 US banks and credit unions, has now confirmed that its August 2025 ransomware incident affected at least 80 financial institutions and 823,548 individuals — more than double the initial estimate disclosed in early regulatory filings. The Akira ransomware affiliate exploited CVE-2024-40766, an improper access control flaw in SonicWall SonicOS SSL-VPN, to obtain initial access. From there, attackers pivoted into Marquis's customer data stores and exfiltrated names, addresses, dates of birth, Social Security numbers, taxpayer identification numbers, and bank account and payment card data.

Several breached banks have now begun mailing notification letters more than nine months after the intrusion, and one credit union filing — later quietly redacted — suggested Marquis paid the ransom to suppress data leakage. Whether or not that is accurate, the operational reality is the same: 80 financial institutions had no contractual or technical visibility into the firewall hygiene of a vendor sitting on hundreds of thousands of their customers' identity records.

The Akira Playbook: Why Edge Devices Remain the Cheapest Way Into a Bank

Akira has built its 2024–2026 surge almost entirely on misconfigured and unpatched edge appliances — SonicWall, Cisco ASA, Fortinet, and Citrix NetScaler. CVE-2024-40766 was disclosed in August 2024, added to the CISA KEV catalog within days, and remained one of the most-exploited firewall vulnerabilities through the first half of 2026. The pattern is consistent: low-privilege account on the appliance, MFA bypass through misconfiguration, lateral movement via legacy SMB and unrestricted RDP, then domain-wide encryption and double extortion.

What makes Marquis instructive is not the technique — it is the blast radius. The attackers did not need to breach 80 banks. They breached one shared service provider that already held the data, the trust, and the API keys. This is the modern supply-chain reality: a bank's effective attack surface is the union of its own perimeter and every fintech, MSP, and SaaS provider with a connection or a copy of its data.

Impact on Saudi Financial Institutions

Saudi banks operate under one of the most prescriptive third-party cyber regimes in the region. SAMA Cyber Security Framework (CSCC) section 3.4 — Third Party Cyber Security — explicitly requires regulated entities to assess, contractually bind, monitor, and audit the cyber posture of every vendor with access to systems or data. NCA ECC sub-domain 4-2 mirrors this for the broader public and critical sector, and PDPL Article 29 makes the data controller (the bank) liable for processor breaches involving personal data of Saudi residents.

Concretely, a Marquis-style incident affecting a Saudi bank's vendor would trigger: mandatory SAMA notification within hours, SAMA CSCC compliance review, potential PDPL enforcement action by SDAIA, and customer notification obligations. The bank, not the vendor, owns the regulatory consequence. Most Saudi banks today have strong assessments at onboarding but weak continuous-monitoring telemetry on Tier-1 vendors — exactly the gap Akira-class actors are pricing into their target selection.

SAMA CSCC 3.4 Vendor Risk Playbook: What to Do This Quarter

  1. Inventory Tier-1 fintechs by data exposure, not contract value. Any vendor holding customer PII, account numbers, or transaction data is Tier-1 — even if the contract is small. Map them to specific CSCC controls (3.4.1 through 3.4.5) and PDPL processor obligations.
  2. Demand evidence of edge-appliance hygiene. Add a contractual right to receive monthly attestation that all internet-facing devices (firewalls, VPN, load balancers) are patched within 14 days of CISA KEV inclusion. CVE-2024-40766 should already be on every Saudi bank's vendor questionnaire.
  3. Continuous external attack-surface monitoring on every Tier-1 vendor. External attack surface management (EASM) platforms can detect exposed SonicWall, Fortinet, and Citrix instances on vendor IP ranges before attackers do. This is now table stakes under CSCC 3.4.4.
  4. Network segmentation between vendor connections and core banking. Any inbound vendor session must terminate in a DMZ with full TLS inspection, anomaly detection, and just-in-time access — never direct to core. CSCC 3.3.5 and NCA ECC 2-13 both require this.
  5. Tabletop a vendor ransomware scenario quarterly. Run the Marquis scenario verbatim with your incident response team, communications, legal, and SAMA liaison. Measure time-to-customer-notification — under PDPL it is 72 hours from awareness.
  6. Right-to-audit and right-to-terminate clauses with teeth. Many Saudi bank vendor contracts still have soft language. Convert these into measurable SLAs with breach-of-contract triggers tied to specific cyber incidents.
  7. Independent penetration testing of vendor integration points. At least annually, test the API, file-transfer, and VPN tunnels you maintain with each Tier-1 vendor. Most Marquis-affected banks had never tested the Marquis-to-bank link.
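The first, second and fifth steps of the playbook above are mechanical enough to automate against a vendor register: tier vendors by the data they hold rather than by contract value, test each edge-appliance patch attestation against the 14-day-from-KEV deadline, and track the 72-hour notification clock. The following Python is an added illustration, not Fyntralink's or SAMA's code. Every vendor name, contract value and date in it is constructed sample data; in particular the KEV inclusion date used for CVE-2024-40766 is a stand-in, and the authoritative date should be taken from the CISA KEV catalog.

```python
"""Vendor-risk checks for playbook steps 1, 2 and 5 (added illustration).

All vendor names, SAR values, device names and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Step 1: holding any of these categories makes a vendor Tier-1, whatever the contract size.
TIER1_DATA_CATEGORIES = {"customer_pii", "account_numbers", "transaction_data"}
# Step 2: internet-facing devices must be patched within 14 days of CISA KEV inclusion.
PATCH_SLA_DAYS = 14
# Step 5: customer-notification window the playbook cites (PDPL, measured from awareness).
NOTIFY_WINDOW_HOURS = 72


@dataclass(frozen=True)
class Vendor:
    name: str
    data_held: frozenset          # categories of bank data the vendor holds
    annual_contract_sar: int      # contract value, deliberately ignored for tiering


@dataclass(frozen=True)
class PatchAttestation:
    vendor: str
    device: str                   # internet-facing appliance, e.g. "sslvpn-fw-01"
    cve: str
    kev_added: date               # date the CVE entered the CISA KEV catalog
    patched_on: Optional[date]    # None means still unpatched at assessment time


def vendor_tier(vendor: Vendor) -> int:
    """Tier by data exposure, not contract value (step 1)."""
    return 1 if vendor.data_held & TIER1_DATA_CATEGORIES else 2


def tier1_vendors(vendors) -> list:
    """Sorted names of every vendor that must be treated as Tier-1."""
    return sorted(v.name for v in vendors if vendor_tier(v) == 1)


def patch_sla_breaches(attestations, as_of: date) -> list:
    """Return (vendor, device, cve, days_late) for each attestation that missed
    the KEV-plus-14-day deadline (step 2). Unpatched devices are measured to `as_of`."""
    breaches = []
    for a in attestations:
        deadline = a.kev_added + timedelta(days=PATCH_SLA_DAYS)
        effective = a.patched_on if a.patched_on is not None else as_of
        if effective > deadline:
            breaches.append((a.vendor, a.device, a.cve, (effective - deadline).days))
    return breaches


def hours_left_to_notify(awareness: datetime, now: datetime) -> float:
    """Hours remaining in the 72-hour window (step 5); negative means the window was missed."""
    deadline = awareness + timedelta(hours=NOTIFY_WINDOW_HOURS)
    return (deadline - now).total_seconds() / 3600


# --- constructed sample register -------------------------------------------
VENDORS = [
    Vendor("StatementPrintCo", frozenset({"customer_pii", "account_numbers"}), 180_000),
    Vendor("FacilitiesCleaningCo", frozenset(), 2_400_000),   # big contract, no bank data
    Vendor("MarketingAnalyticsCo", frozenset({"transaction_data"}), 95_000),
]

# Constructed attestation records; kev_added is a stand-in, not the authoritative KEV date.
ATTESTATIONS = [
    PatchAttestation("StatementPrintCo", "sslvpn-fw-01", "CVE-2024-40766",
                     kev_added=date(2024, 9, 9), patched_on=date(2024, 9, 20)),
    PatchAttestation("MarketingAnalyticsCo", "edge-fw-02", "CVE-2024-40766",
                     kev_added=date(2024, 9, 9), patched_on=None),
]


if __name__ == "__main__":
    print("Tier-1 vendors:", tier1_vendors(VENDORS))
    for breach in patch_sla_breaches(ATTESTATIONS, as_of=date(2025, 8, 1)):
        print("Patch SLA breach:", breach)
    print("Hours left to notify:",
          hours_left_to_notify(datetime(2025, 8, 4, 9, 0), datetime(2025, 8, 5, 9, 0)))
```

Run as written, the register flags the two small-contract vendors as Tier-1 while the large facilities contract stays Tier-2, reports the still-unpatched appliance at the analytics vendor as months past its deadline, and shows 48 hours remaining on a notification clock started one day earlier. Feeding real attestation data into `patch_sla_breaches` is the monitoring telemetry that step 2 asks the contract to guarantee.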

Conclusion

The Marquis breach is not a story about one Texas fintech — it is a preview of the next decade of Saudi banking risk, where the weakest link is no longer inside your perimeter. SAMA's regulatory expectation is unambiguous: the bank is accountable for the vendor's controls. The institutions that will weather the next Akira-class campaign are those treating vendor cyber posture as a continuously monitored, contractually enforced, board-level risk — not an annual questionnaire exercise.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment, including a Tier-1 vendor risk gap analysis mapped to CSCC 3.4 and PDPL processor obligations.