Supply-Chain Attacks: How Trusted Vendors Could Be Your Biggest Cybersecurity Threat 

A compromised vendor can expose your members’ data even when your own defenses hold, which is why active third-party oversight is now a regulatory and security necessity.

This post is part of a series on credit union cybersecurity. Read more here.

When most credit union leaders think about cybersecurity threats, they think about their own environment: their endpoints, their credentials, their staff clicking a phishing link. Those are real concerns worth addressing. But one of the fastest-growing attack vectors in financial services has nothing to do with your own systems. It starts with a vendor you trust completely, and it turns that trust into the attack itself. 

Supply-chain attacks work by compromising a vendor that already has legitimate access to your environment, then using that access to reach you. In a supply-chain attack, the target is not your defenses, but the trusted relationship that bypasses them entirely. 

Why Vendors Are High-Value Targets 

Every vendor your credit union works with occupies a position of trust in your environment. Your digital banking provider can reach member account data. Your IT managed service provider holds administrative credentials across your systems. Your marketing and compliance platforms carry names, contact details, dates of birth, and possibly Social Security numbers for your entire membership. 

When an attacker compromises one of these vendors, they do not just gain access to that vendor’s systems. They inherit the trust relationship that vendor has with every one of its clients. They can use legitimate credentials, established communication channels, and existing access to move into client environments without triggering the alerts that an unknown external actor would set off. The attacker is not breaking through an unfamiliar door. They are walking through one that is already open, using a key that is already recognized, at a time when no one is expecting a problem. 

This is what makes supply-chain attacks so effective and so difficult to detect from the inside. No alarm sounds on your end because, as far as your systems are concerned, nothing unusual is happening. 

The Marquis Breach: How One Compromised Vendor Exposed 700 Institutions 

The Marquis Software Solutions breach illustrates exactly how severe the consequences can be. Marquis provided marketing, analytics, and compliance software to over 700 banks and credit unions. On August 14, 2025, attackers exploited a vulnerability in its SonicWall firewall and accessed files containing member data held on behalf of dozens of client institutions. By the time affected organizations began notifying members in late November and early December, more than 823,000 individuals across at least 80 institutions had their personal and financial information exposed, including names, addresses, Social Security numbers, dates of birth, and financial account details. 

The attackers did not need to breach 80 credit unions. Breaching one vendor those credit unions had trusted was enough, and the damage propagated outward from there. 

What made the breach particularly troubling was that the failure was not sophisticated. The controls Marquis announced it would implement after the attack, including patching firewall devices, enabling multi-factor authentication on VPN accounts, applying login lockout policies, and eliminating outdated user accounts, are foundational requirements that regulators and insurers have been asking about for years. The Akira ransomware group, widely believed to be responsible, had been exploiting this specific SonicWall vulnerability since at least early 2024. When Marquis was breached, a patch for this vulnerability had existed for over a year. 

Supply-Chain Security Is Already a Regulatory Priority 

NCUA’s 2026 Supervisory Priorities make third-party vendor oversight an explicit focus area, and the bar has moved well beyond a vendor management policy on file. Examiners are looking for evidence of active, ongoing oversight: documentation showing that you reviewed the security posture of vendors holding your members’ data, that you know what systems and data each vendor can access, and that this review predates any incident rather than being assembled in response to one. 

Most credit unions under $500 million in assets struggle to produce that documentation on demand, not because they are careless, but because sustaining that level of oversight with a small IT team is genuinely difficult. The Marquis breach gave examiners a concrete, public example of exactly what happens when vendor oversight is inadequate, and it is reasonable to expect that scrutiny to intensify in the exam cycles ahead. 

What Effective Vendor Oversight Looks Like 

Protecting your credit union from supply-chain risk starts with knowing your exposure. That means a complete inventory of every vendor that touches member data, with a clear record of what each vendor holds, what systems they can access, and what security controls you have independently verified they have in place. 

Documentation of your oversight activity matters as much as the oversight itself. The evidence an examiner wants to see is a dated record of what you reviewed, what you found, and what action you took. That kind of ongoing work becomes sustainable when it is built into daily operations rather than assembled under pressure before an exam. The TorchLight Zero-Cost IT Model is designed to do exactly that, integrating vendor oversight documentation into the ongoing work of managing your security and compliance posture to maintain accuracy and exam-readiness. 
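As an added illustration of the inventory and dated review record described above (example code written for this post, not TorchLight's tooling or the page's own), here is a small Python vendor register built on constructed sample vendors. It flags foundational controls (the ones listed in the Marquis section) that have no verification date, lists vendors holding member data whose last documented review is stale, and checks whether the evidence for a vendor predates a given incident date.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Controls the Marquis section names as foundational: firewall patching,
# MFA on VPN accounts, login lockout, and removal of outdated accounts.
REQUIRED_CONTROLS = {"firewall_patching", "vpn_mfa", "login_lockout", "stale_account_removal"}


@dataclass
class VendorRecord:
    name: str
    data_held: set[str]                 # member data elements the vendor holds
    systems_accessed: set[str]          # our systems the vendor can reach
    verified_controls: dict[str, date]  # control -> date we independently verified it
    last_review: date                   # date of our last documented oversight review


def missing_controls(v: VendorRecord) -> set[str]:
    """Required controls we have never independently verified for this vendor."""
    return REQUIRED_CONTROLS - set(v.verified_controls)


def overdue_reviews(vendors: list[VendorRecord], as_of: date, max_age_days: int = 365) -> list[str]:
    """Names of vendors holding member data whose last review is older than max_age_days."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(v.name for v in vendors if v.data_held and v.last_review < cutoff)


def evidence_predates(v: VendorRecord, incident: date) -> bool:
    """True only if the review and every control verification are dated before the incident."""
    return v.last_review < incident and all(d < incident for d in v.verified_controls.values())


# Constructed sample register; names, dates and data elements are illustrative only.
SAMPLE_VENDORS = [
    VendorRecord("ExampleMarketingCo", {"name", "SSN", "DOB"}, {"marketing_db"},
                 {"firewall_patching": date(2025, 3, 1), "vpn_mfa": date(2025, 3, 1)},
                 last_review=date(2025, 3, 1)),
    VendorRecord("ExampleMSP", {"admin_credentials"}, {"domain_controller", "endpoints"},
                 {c: date(2025, 9, 15) for c in REQUIRED_CONTROLS}, last_review=date(2025, 9, 15)),
    VendorRecord("ExampleNewsletter", set(), {"email_list"}, {}, last_review=date(2023, 1, 1)),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name}: unverified controls -> {sorted(missing_controls(v))}")
    print("Overdue reviews:", overdue_reviews(SAMPLE_VENDORS, date(2026, 3, 2)))
```

Vendors with no member data (the newsletter entry) are deliberately excluded from the overdue list so the report focuses on the relationships an examiner will ask about first.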

An Accelerating Trend 

The Marquis breach is not an outlier. The 2026 CrowdStrike Global Threat Report documented a 42% increase in zero-day vulnerabilities exploited before public disclosure and a 266% increase in cloud-conscious intrusions by state-affiliated threat actors. Sophisticated adversaries have learned that breaching one well-positioned vendor is far more efficient than breaching dozens of individual institutions. As long as that calculus holds, the vendors your credit union trusts will remain attractive targets. 

Your members trust your credit union with their financial lives, and that trust extends to every vendor you allow to handle their data. The security posture of those vendors is part of your responsibility, the oversight of those relationships is something your examiner will evaluate, and the time to build that documentation is before a breach notification forces the question.