A compliance officer at a community bank receives a letter from the bank’s core platform vendor. A sub-vendor, a third-party file transfer service used by the platform, was breached two months ago. Names, Social Security numbers, account numbers, and dates of birth for 50,000 of the bank’s customers were exposed.
The bank’s own systems were never touched. Its firewalls held. Its SOC monitoring showed nothing unusual. Nevertheless, 50,000 customer records are compromised, and the 36-hour regulatory notification clock is running.
Three Policies, One Coverage Gap That Matters
The cyber policy covers part of the breach response: notification, forensics, credit monitoring. But dependent business interruption coverage for vendor-caused losses may not apply when the sub-vendor isn’t on the policy schedule. The fidelity bond doesn’t apply at all. Neither the cyber policy nor the bond covers what happens next.
Once the bank files its 36-hour notification with the regulator, the OCC opens a targeted examination of the bank’s vendor risk management program. The Federal Financial Institutions Examination Council’s (FFIEC) guidance on third-party relationships is specific: the board is responsible for overseeing vendor risk, which includes sub-contractors. The examiner asks whether the board approved the vendor risk management policy, whether it reviewed the vendor’s SOC reports, whether it evaluated fourth-party concentrations, and whether management escalated known risks.
The board’s attorneys begin preparing for the examination. Defense costs will run six figures. The directors reach out to their D&O carrier.
The carrier reviews the claim and points to the policy’s cyber exclusion: “arising out of or in any way involving any cyber event.” A vendor breach is a cyber event. The regulatory investigation arises from it. Coverage denied.
Three-Policy Breakdown
Cyber policy: partial recovery on breach response. Fidelity bond: nothing. D&O: zero on board defense.
The Board Didn’t Fail. The Policy Did.
In this scenario, the bank’s own security worked. The data breach happened two links down the vendor chain. The question put to the board is not “did you protect the bank’s systems?” It is “did you know who your vendor’s vendors are, and how good their cybersecurity was?”
Under the 2023 interagency guidance on third-party relationships (issued jointly by the OCC, FDIC, and Federal Reserve), banks are expected to assess risks throughout the vendor lifecycle, which includes sub-contracting arrangements. For community banks, where the board often relies on management to handle vendor due diligence, that means the examiner will ask the board what it knew and when.
I wrote about a similar gap in April, where a breach at the bank itself triggered shareholder claims alleging the board failed to oversee cybersecurity. The D&O cyber exclusion blocked those claims too. Different fact pattern, same result: directors face personal exposure because the D&O and cyber policies point at each other.
It has already happened at scale. The MOVEit vulnerability in 2023 compromised more than 60 banks through file transfer vendors embedded in their core platforms. A ransomware attack on Marquis Software Solutions in 2025 exposed data for more than 800,000 customers across 80 banks and credit unions. In both cases, the banks’ own systems were unaffected. The breach came from outside, and the liability followed it in.
Two Things to Check
If your bank’s board has not reviewed how the D&O policy interacts with vendor-caused cyber events, start with two questions.
First, does the D&O policy carry a blanket cyber exclusion? Policies without one exist. Second, if it does, can the exclusion be narrowed? Endorsements that limit it to direct cyber losses and preserve coverage for governance and regulatory defense claims are available. These are renewal conversations, not exotic products. The gap is usually there because nobody asked.
A vendor breach creates the same D&O exposure as a breach at the bank itself. The difference is that the board never saw it coming.
For the full picture of how cyber, D&O, and fidelity bond policies interact across five common cyber incidents, see Five Common Cyber Incidents, Three Policies, and the Gaps Between Them.
If your board hasn’t reviewed how your D&O policy responds after a vendor breach, get in touch and I will show you where your coverage gap might be.