A community bank with $500 million in assets opens on a Monday morning. Tellers log in to the core banking system. Nothing loads. The mobile app shows a maintenance screen. ACH files are not processing. Wire transfers are stuck.
The bank’s IT director calls the core platform provider. The answer: a ransomware attack hit the vendor’s data center over the weekend. Systems are down. No timeline for restoration.
The bank’s own systems are unaffected. Its firewalls held. Its backups are intact. But none of that matters, because every transaction the bank processes runs through that vendor’s platform.
By Wednesday, the bank is still down. Branch staff are handling deposits manually. Commercial loan closings are postponed. The bank is losing fee income, paying overtime, and fielding calls from regulators. The estimated financial impact: $1.8 million in lost income and extra expenses over five days.
The bank files a claim under its cyber policy. Dependent business interruption (BI) coverage. $5 million limit on the declarations page.
The adjuster comes back with a number: $1 million. That is the sublimit for dependent BI. The $5 million applies to the bank’s own systems. The vendor outage falls under a carve-out buried on page 34.
This Is Not Hypothetical
In August 2025, Marquis Software Solutions, a fintech vendor serving more than 700 banks and credit unions, was hit by ransomware. The Akira group exploited an access control vulnerability in a SonicWall firewall. Customer records for more than 823,000 individuals were exposed across dozens of institutions.
The banks themselves were not breached. Their own security held. But they depended on Marquis for data analytics, compliance reporting, and customer relationship tools. When Marquis went down, those functions went with it.
Examiner Attention Is Already Here
After the Marquis breach, vendor concentration became the top examiner concern in cybersecurity conversations with community banks. Regulators are now asking whether insurance programs respond when critical vendors fail.
Every community bank runs on a core platform. Jack Henry, Fiserv, FIS, CSI, Corelation. These are not interchangeable. Switching core vendors takes 12 to 18 months. When one goes down, the bank cannot operate, and it cannot switch.
Two Problems With the Cyber Coverage
The sublimit problem. In five consecutive bank reviews, dependent BI coverage ranged from $100,000 to not purchased at all. The best-positioned program had a $1 million sublimit. A multi-day core platform outage can generate $1.5 million to $2.5 million in losses. The sublimit covers 40 to 65 cents on the dollar.
The trigger problem. Many dependent BI provisions only respond if the vendor outage results from a “security breach.” A failed software update, a power failure, or a hardware malfunction at the vendor does not trigger the coverage. The bank’s operations stop regardless of the cause.
Some policies cover dependent BI for “Security Breach” only. Others cover “Security Breach and System Failure.” The second version is broader and better. A pure operational outage at the vendor, one that has nothing to do with a cyberattack, is only covered if the system failure trigger exists. Most bank policies do not include it.
The fidelity bond does not cover this. No fraud occurred. The D&O policy does not cover this. No claim against directors. The bank’s single most critical operational dependency sits under the weakest coverage on the program.
The Fix
Your bank cannot operate without its core platform. One vendor, no substitute, 12 to 18 months to switch. The insurance should reflect that dependency. In most cases, it does not.
Vendor concentration is one of five incident types where coverage breaks down across all three bank policies. I map the full picture here. If your bank has not modeled a core vendor outage against its current coverage, get in touch and I will show you where the sublimit falls short.