The Vendor You Cannot Name.

Lens Four: Where business, innovation, and messaging come into focus.

By Sean Martin, CISSP  ·  Edition 06  ·  May 11, 2026

Why “no evidence of unauthorized access to our network” has become the most dangerous sentence in cybersecurity disclosure — because it points at the network and leaves the data, the contract, and the customer out of the picture.


I look at the intersection of business, technology, and messaging through three lenses. The first watches how organizations actually run. The second tracks what is reshaping the market. The third examines the language — how words shape budgets, decisions, and what the industry believes about itself.

This week, all three lenses turned toward the same problem.

The Situation At A Glance

2 Banks: disclosed an incident at the same third-party vendor in April 2026.

6 Lawsuits: filed in two weeks — against the banks. Not the vendor.

0 Names: of the vendor in either bank’s public statement.

72 Hours: on the federal incident reporting clock — starting at suspicion, not confirmation.

Lens One  ·  Programs / Business

What is a security program accountable for when the breach happens at someone else’s network?

The named brand carries the disclosure burden, the lawsuits, and the regulatory exposure — even when the failure happened somewhere it cannot reach.

In April 2026, Citizens Financial Group disclosed a data incident “involving data extracted from a third party vendor.” [1] Frost Bank, served by what cybersecurity researchers concluded was the same vendor, disclosed its own incident the next day. [2] Within two weeks, six class actions had been filed — against the banks. The vendor is not a defendant. [3]

I call this the Common Point of Failure — a single specialized service provider whose compromise propagates across an industry vertical or function. A parallel case at Adobe, alleging compromise through a third-party business process outsourcing firm, surfaced in early April. As of the coverage reviewed for this analysis, no public confirmation or denial from Adobe had surfaced. [4]

The named brand carries the disclosure. The vendor carries none of the public scrutiny.

— CPOF Asymmetry

Verizon’s analysis of its 2025 Data Breach Investigations Report — drawing on more than 22,000 incidents contributed by law enforcement, forensic firms, and insurers — found the share of breaches involving a third party doubled year over year, from 15% to 30%. [5] Read it as Verizon’s analysis, not a settled industry fact. The directional signal aligns with what the breach disclosures themselves are showing: the line between “our network” and “their network” has stopped being a meaningful boundary for the customer or the regulator.


Lens Two  ·  Innovation / Market

What does the regulatory clock do to a vendor ecosystem nobody fully maps?

The federal incident-reporting rule starts its 72-hour clock at “reasonable belief,” not at confirmation.

The rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is targeting finalization in May 2026, though a federal appropriations lapse has made a further extension likely. [6][7] Read this carefully: the clock starts when the entity reasonably believes a covered incident has occurred. If a SOC analyst flags a high-severity alert on Monday, the clock likely starts Monday — not Wednesday when the legal team confirms. If the suspected source is a vendor whose forensic posture the entity does not control, the clock keeps running while the vendor’s investigation moves on its own timeline.

Who Is Actually Shaping What Gets Bought

The pressure is not coming primarily from the threat. It is coming from the regulator and the insurer.

The Regulator

On October 21, 2025, NYDFS issued an industry letter to covered financial institutions on managing third-party service provider risk under 23 NYCRR Part 500. The agency stated it “has and will continue to consider the absence of appropriate TPSP risk management practices by Covered Entities in its examinations, investigations, and enforcement actions.” [8]

The Insurer

Woodruff Sawyer’s annual Cyber Looking Ahead Guide notes carriers in 2025 expected significant underwriting scrutiny on third-party risk management controls — looking for “strong contractual language, cybersecurity certifications from vendors, and requirements for vendors to purchase cyber or technology errors and omissions insurance.” [9]

Covered entities have every reason to invest in what produces a defensible audit, a clean insurance renewal, and an enforcement-ready posture. Those are not bad things to invest in. They also do not necessarily reduce blast radius.

The customer whose data left through the unnamed vendor does not get a copy of that documentation, and is not the party the documentation is designed to protect.


Lens Three  ·  Messaging / Language

What is the language of these disclosures actually doing?

It points at the network and leaves the data, the contract, and the customer out of the picture.

Read the Citizens statement carefully. “There is no evidence of unauthorized access to the Citizens network, and our operations continue as normal.” [1] Read the Frost statement. “At this time, there is no evidence of unauthorized access to the Frost network.” [2] Both are precisely engineered. Neither is false. Both point at a perimeter that is not where the attack happened and assert the perimeter held. That is not lying. That is also not what the customer needs to know.

Three Things The Network Sentence Leaves Out

01  ·  The Data

Where it lived. Who held it. How it was stored. What format it was in when it left. Whether the vendor was contractually required to encrypt it or delete it. None of that is in the network sentence. All of it determines what the customer can actually do.

02  ·  The Operating Model

Even if the bank’s network was never compromised, the bank’s operating model included giving a vendor enough access that the vendor’s compromise produced customer harm. The network framing treats the vendor relationship as a perimeter question rather than as an operating-model question.

03  ·  The Chain Of Accountability

The contractual relationship between the named brand and the unnamed vendor — the access granted, the controls required, the breach-notification clauses, the indemnification structure — is hidden by the network framing. The customer cannot see who is responsible for what.

Who Does Not Care Which Network The Data Left From

—  The customer whose Social Security number is on a leak site.

—  The plaintiff in Bexar County.

—  The Massachusetts Attorney General receiving a breach notification covering 428 individuals. [3]

—  The CISA reviewer evaluating a federal incident report once the rule lands.

The regulatory clock, the legal theory, and the customer experience all collapse the difference between “our network” and “their network.” The disclosure language is the only place where that difference is still being defended.

There is also the matter of the vendor whose name does not get said. When a disclosure says “third-party vendor” without naming the vendor, that is a messaging choice. The legal reasons are real — pending investigation, contractual confidentiality, fear of secondary liability. But the effect is asymmetric. The named brand carries the public scrutiny. The unnamed vendor carries none. The market signal that should travel — this vendor failed — does not travel.

That is the product of a disclosure regime where the named brand has every incentive to protect the contract and very few incentives to protect the customer’s downstream ability to make informed choices. The most likely path to change: discovery in the class actions. The plaintiffs have every reason to name the vendor. When that happens, the market signal will travel — because the legal process forced it, not because the named brand chose to share it.


The Fourth Lens

When the breach happens somewhere you cannot reach, what is the security program for?

The program reality is that the named brand is accountable for things that happen at a vendor it cannot directly control. The market reality is that the regulator and the insurer have already written the checklist. The messaging reality is that the disclosure language has not caught up to either.

The people most affected by this are not the executives who own the brand. They are the security leaders whose name ends up on the disclosure, whose career arc bends around how they handled an event that happened somewhere they could not see, and who carry the personal cost of a decision they did not get to make.

I keep coming back to a conversation Marco and I had with Tim Brown ahead of his keynote at AISA CyberCon in Melbourne in October 2025. [10] The line that stayed with me was not about technology or about regulation. It was about what carries a CISO through the worst day of their career: trust built before the trust was needed. Context. Perspective. Communication. The leadership qualities that do not show up on a tools-and-controls audit but determine whether the program survives an event the program could not have prevented.

A different conversation with Joe Sullivan, also alongside Marco, ahead of his Black Hat Europe 2023 keynote, lives in the same territory. [11] Joe’s framing — keeping the CISO role safe and successful, making it possible for security leaders to keep doing the work without being broken by the cost of doing it — is exactly the human question hiding behind the regulatory clock. Joe returned the next year as the opening keynote at the Australian Cyber Conference, and the analogy he used has stuck with me: build your cyber team the way a fire department is built — one team on the go, one on standby, one resting. [12] That is operational resilience. It is also a model the regulatory clock and the disclosure language both fail to account for.

The vendor whose name you do not know is the vendor whose risk you cannot manage. The fix is not in the disclosure language. It is in the operating model the disclosure language is currently helping to obscure.

If “no evidence of unauthorized access to our network” is the most dangerous sentence in cybersecurity disclosure, the most important question is the one the sentence is engineered to keep off the table: where did the data actually go, who actually controlled it, and what does the program owe the customer that the contract did not.

That question does not have a clean answer yet. The next twelve to eighteen months — through the first CIRCIA enforcement action, through the first court-ordered discovery that names a CPOF vendor, through whatever the next shared-vendor breach turns out to be — will start writing one.


Sean Martin is a cybersecurity market analyst, content strategist, and advisor with 30+ years across engineering, product development, marketing, and media. Co-founder of ITSPmagazine and Studio C60, host of the Redefining CyberSecurity Podcast and the Music Evolves Podcast. Sean works with CISOs, security vendors, go-to-market teams, and analyst firms to connect technology operations and cybersecurity programs to business outcomes. Connect at seanmartin.com.



References

1. “UPDATED: Citizens Bank Hit With Two Federal Lawsuits After Cyberattack,” GoLocalProv, April 23, 2026 — golocalprov.com

2. “Frost Bank hit with class-action lawsuits over data breach affecting more than 100,000 customers,” via Yahoo Finance / San Antonio Express-News — finance.yahoo.com

3. “Ransomware Hit Citizens Bank and Frost Bank Through a Vendor Neither Will Name,” Gblock, April 25, 2026 — gblock.app

4. “Alleged Adobe Breach — What Adobe Partners Should Know Now,” IDADAY (updated April 14, 2026) — idaday.nl

5. “Verizon’s 2025 Data Breach Investigations Report: Alarming surge in cyberattacks through third-parties,” Verizon press release, April 23, 2025 — verizon.com

6. “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA),” CISA — cisa.gov

7. “New Federal Cybersecurity Reporting Rules are on Their Way: FAQs for Businesses About CIRCIA Regulations,” Fisher Phillips, April 7, 2026 — fisherphillips.com

8. “NYDFS Issues Guidance on Managing Risks Related to Third-Party Service Providers,” Alston & Bird Privacy, Cyber & Data Strategy Blog, October 27, 2025 — alstonprivacy.com

9. “Cyber Looking Ahead Guide,” Woodruff Sawyer (annual cyber insurance market analysis) — woodruffsawyer.com

10. “Beyond the Title: What It Really Takes to Be a CISO Today — Insights Following A Conversation with SolarWinds CISO, Tim Brown,” A Musing on the Future of Cybersecurity with Sean Martin and TAPE9, October 16, 2025 — youtu.be/ATWlhuekwoY

11. “We Need to Stop the Temperature From Rising If We Don’t Want to Ice the CISO Role,” Black Hat Europe 2023 Event Coverage with Sean Martin, Marco Ciappelli, and Joe Sullivan — youtube.com

12. “Unveiling Cybersecurity’s Future: Joe Sullivan’s Keynote Journey to Australian Cyber Conference 2024 in Melbourne,” On Location Coverage with Sean Martin and Marco Ciappelli, November 2024 — youtu.be/NpsfwTxvSag



Frequently Asked Questions

What is a Common Point of Failure (CPOF) breach?

A Common Point of Failure breach happens when a single specialized service provider — a document processor, statement printer, support BPO, or similar — is compromised, and the attack propagates through that one vendor to multiple customer organizations across an industry vertical or function.

Why do the banks not name the vendor in their breach disclosures?

There are real legal reasons — pending investigation, contractual confidentiality, and concern about secondary liability for naming a third party that may sue back. There is also a market-incentive dynamic: the named brand has every incentive to protect the contract and few incentives to surface the vendor name in a way that would help customers or other potential customers of that same vendor make better decisions.

What does “reasonable belief” mean under CIRCIA?

Under the proposed CIRCIA rule, the 72-hour clock for reporting a substantial cyber incident to CISA starts when the covered entity reasonably believes a covered incident has occurred — not when the investigation confirms it. That phrasing changes the operating math for every covered entity, particularly when the suspected source is a third-party vendor whose forensic posture the entity does not directly control.

Is the Adobe BPO breach confirmed?

Not in the coverage reviewed. As of mid-April 2026 and based on the coverage and publicly available channels reviewed for this analysis, no Adobe confirmation, denial, Trust Center notice, or SEC disclosure had surfaced. Multiple security publications have covered the threat actor’s claims, and Google Threat Intelligence Group has published research on the broader UNC6783 cluster with a probabilistic, not confirmed, link to the persona claiming the Adobe breach.

What can a security program actually do about CPOF risk?

The honest answer is that no amount of vendor questionnaires, continuous monitoring, or TPRM dashboards eliminates the risk. The realistic targets are blast-radius reduction, faster detection, pre-built kill-switch processes for revoking third-party credentials before the vendor’s own report arrives, and operational resilience built before an event — the kind of fire-department-style staffing model Joe Sullivan has described. The disclosure language and the dashboard cannot do the work the operating model has to do.
