
Marquis Software Breach: 80 Banks Hit — A SAMA TPRM Reckoning

When one fintech vendor breach cascades into 80 US banks, regulators take notice. The Marquis ransomware incident shows why SAMA-regulated CISOs must overhaul their third-party risk programs in 2026.

FyntraLink Team

A single ransomware intrusion into one Iowa-based fintech vendor — Marquis Software Solutions — is now confirmed to have cascaded into at least 80 US banks and credit unions, with disclosure filings as recent as April 2026 pushing the consumer impact above 824,000 individuals. For Saudi CISOs operating under SAMA Cyber Security Controls, the case is not a foreign curiosity. It is a textbook illustration of the third-party risk management failure mode SAMA CSCC Domain 3.3.14 was written to prevent.

Anatomy of the Marquis Software Breach

On 14 August 2025, threat actors breached Marquis Software Solutions through an exposed SonicWall firewall, exfiltrating customer records held on behalf of dozens of community banks and credit unions before deploying ransomware. Marquis paid the ransom, according to a since-withdrawn notification letter from Community 1st Credit Union, but the data had already been staged. Between October 2025 and April 2026, downstream notifications trickled out: Maine's Attorney General was told 672,000 individuals were affected, then state breach registries pushed the figure past 788,000, and American Banker reported in March 2026 that the toll had reached 80 institutions and 824,000 consumers. The exfiltrated records included names, addresses, Social Security and Taxpayer Identification Numbers, dates of birth, and bank account information — the exact dataset prized by synthetic identity fraud rings.

Why a US Vendor Breach Is a Saudi Problem

SAMA-regulated banks rarely use Marquis directly, but they almost universally use functionally identical vendors: print-and-mail outsourcers, marketing analytics platforms, statement processors, KYC enrichment providers, and core banking add-ons hosted abroad. The Marquis pattern — a single mid-tier supplier holding the data of dozens of regulated institutions, breached through a misconfigured perimeter device, with delayed and uneven downstream notification — is precisely the systemic concentration risk SAMA flagged in its 2024 cybersecurity supervisory guidance. When one vendor falls, every bank on its customer roster inherits the breach, the regulatory disclosure obligation, and the customer trust damage simultaneously.

Mapping the Impact to SAMA CSCC and NCA ECC

Under SAMA CSCC Domain 3.3.14 (Third Party Cyber Security), member organizations must enforce contractual security clauses, perform pre-engagement due diligence, monitor vendors throughout the lifecycle, and ensure breach notification is timely and contractually binding. NCA ECC control 2-12 (Third-Party and Cloud Computing Cybersecurity) imposes parallel obligations on critical national infrastructure, and PDPL Article 19 makes the data controller — the bank — accountable for any processor breach involving Saudi resident data. A Marquis-style incident affecting a Saudi bank's offshore vendor would therefore trigger SAMA breach notification within the 72-hour window, PDPL data subject notifications, and almost certainly a SAMA supervisory examination of the bank's TPRM programme. Many Saudi banks still rely on annual self-attestation questionnaires for vendors — a control posture that would not survive scrutiny after an incident of this scale.

Practical Recommendations for Saudi Banks in 2026

  1. Inventory your fourth parties. Marquis-style breaches expose gaps in n-tier vendor mapping. Require every Tier 1 supplier to disclose its own subprocessors and the data classes they touch, and reconcile that against your own data classification under SAMA CSCC 3.3.5.
  2. Replace questionnaires with evidence. Move from annual SIG-Lite responses to continuous external attack surface monitoring of critical vendors. Tools such as BitSight, SecurityScorecard, and Black Kite give defensible board-level metrics aligned with SAMA CSCC 3.3.14.3.
  3. Contractually mandate 24-hour breach notification. Marquis took weeks to reach downstream banks. Update master service agreements to require notification within 24 hours of confirmed compromise, with daily updates and full forensic disclosure — not the 30-day cushion still common in legacy contracts.
  4. Test vendor incident playbooks. Run a tabletop exercise this quarter where a critical processor announces ransomware. Measure your time to identify exposed Saudi data subjects, draft SAMA notification, and brief the executive committee. Most banks discover the playbook does not exist.
  5. Segment vendor access at the edge. Marquis was breached via SonicWall — a perimeter device with internet-exposed management. Audit your own vendors' connectivity into your network. SAMA CSCC 3.3.13 and NCA ECC 2-5 both require zero-trust, identity-bound access for any external party.
  6. Encrypt at rest at the processor. Where vendors handle PII or account data, contractually require customer-managed encryption keys (BYOK) so a vendor compromise does not equate to a Saudi data subject compromise.
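Recommendations 1 and 6 above both turn on the same piece of evidence: a reconciled map of which fourth parties hold which of the bank's data classes. The script below is an added example written for this article, not FyntraLink tooling or anything Marquis or its customers run. It takes Tier 1 supplier disclosures (vendor, agreed data classes, subprocessors) and reconciles them against the bank's own classification, flagging four things a TPRM reviewer would want: data classes a vendor lists that the bank never classified (a 3.3.5 gap), subprocessors touching classes the Tier 1 vendor itself never disclosed receiving, restricted data sitting at a fourth party (the candidates for customer-managed keys under recommendation 6), and one fourth party sitting behind several of the bank's suppliers, which is the Marquis concentration pattern seen from the bank's side. The sensitivity tier names, data class names and vendor records are constructed sample values, not SAMA-defined terms.

```python
"""Fourth-party inventory reconciliation (added example, not FyntraLink's tooling).

Models recommendation 1: every Tier 1 supplier discloses its subprocessors and
the data classes they touch; the bank reconciles that against its own data
classification. All names and tiers below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical bank data classification: data class -> sensitivity tier.
# Tier names are an assumption for this example, not SAMA CSCC 3.3.5 wording.
BANK_CLASSIFICATION = {
    "customer_pii": "restricted",
    "national_id": "restricted",
    "account_numbers": "restricted",
    "transaction_history": "confidential",
    "marketing_preferences": "internal",
}


@dataclass
class Subprocessor:
    name: str
    jurisdiction: str
    data_classes: set


@dataclass
class Tier1Vendor:
    name: str
    data_classes: set  # classes the bank has contractually agreed to send this vendor
    subprocessors: list = field(default_factory=list)


# Constructed sample disclosures from three Tier 1 suppliers (not real companies).
SAMPLE_VENDORS = [
    Tier1Vendor("StatementPrint Co", {"customer_pii", "account_numbers"}, [
        Subprocessor("MailHub Inc", "US", {"customer_pii"}),
        Subprocessor("CloudStore LLC", "US", {"customer_pii", "account_numbers"}),
    ]),
    Tier1Vendor("MarketingAnalytics Ltd", {"marketing_preferences"}, [
        # Subprocessor touches a class the Tier 1 vendor never disclosed receiving.
        Subprocessor("CloudStore LLC", "US", {"marketing_preferences", "transaction_history"}),
    ]),
    Tier1Vendor("KYC Enrich SA", {"national_id", "customer_pii", "device_fingerprint"}, [
        Subprocessor("IDVerify GmbH", "DE", {"national_id"}),
    ]),
]


def reconcile(vendors, classification=BANK_CLASSIFICATION):
    """Reconcile vendor disclosures against the bank's classification.

    Returns a dict keyed by finding type; each value is a list of tuples.
    """
    findings = defaultdict(list)
    sub_to_vendors = defaultdict(set)  # fourth party -> Tier 1 vendors routing data through it

    for v in vendors:
        # Classes the vendor claims that the bank never classified: a 3.3.5 gap.
        for dc in sorted(v.data_classes - set(classification)):
            findings["unclassified_data"].append((v.name, dc))
        for sp in v.subprocessors:
            sub_to_vendors[sp.name].add(v.name)
            # Subprocessor handling classes the Tier 1 vendor itself never disclosed.
            for dc in sorted(sp.data_classes - v.data_classes):
                findings["undisclosed_flow"].append((v.name, sp.name, dc))
            # Restricted data at a fourth party: BYOK / enhanced due diligence candidate.
            for dc in sorted(sp.data_classes):
                if classification.get(dc) == "restricted":
                    findings["restricted_at_fourth_party"].append(
                        (v.name, sp.name, dc, sp.jurisdiction))

    # Concentration: one fourth party behind several of the bank's own suppliers.
    for sp_name, tier1s in sub_to_vendors.items():
        if len(tier1s) > 1:
            findings["concentration"].append((sp_name, sorted(tier1s)))
    return dict(findings)


if __name__ == "__main__":
    for kind, items in reconcile(SAMPLE_VENDORS).items():
        print(f"{kind}:")
        for item in items:
            print("  ", item)
```

In practice the vendor records would be loaded from the disclosures collected under the master service agreement rather than hard-coded, and the `concentration` findings are the ones to carry to the board alongside the external attack surface metrics from recommendation 2: a single fourth party appearing under several Tier 1 suppliers is exactly the exposure that turned one Marquis intrusion into 80 bank notifications.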

Conclusion

The Marquis Software breach is unfolding as the defining third-party risk story of 2026 not because the vendor was unusually negligent, but because the structural concentration it represents is everywhere. Saudi financial institutions concentrate vendor risk just as aggressively, often without the regulatory cushion the US sector enjoys. Boards that treat SAMA CSCC 3.3.14 as a paperwork exercise will find — as 80 American institutions just did — that vendor breach response is brand response, regulatory response, and litigation response simultaneously.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on third-party risk governance and vendor concentration analysis under SAMA CSCC and NCA ECC.