Two U.S. banks disclosed a breach at the same unnamed third-party vendor in April 2026, with six class action lawsuits in two weeks. A regulatory clock about to start at suspicion, an NYDFS letter telling covered entities exactly what to do, and an insurance underwriter asking the same questions — Lens Four works through what the disclosure language is leaving out and what carries a CISO through the moment a vendor they cannot control fails on their watch.
⬥EPISODE NOTES⬥
The most dangerous sentence in cybersecurity disclosure right now is "no evidence of unauthorized access to our network." It is technically true. It is also operationally hollow. The customer whose data is on a leak site does not care which network it left from. The plaintiff in Bexar County does not care. The regulator about to receive a federal incident report under a 72-hour clock that starts at suspicion, not confirmation, will not care.
In April 2026, two U.S. banks disclosed an incident at the same unnamed third-party vendor. Six class action lawsuits followed in two weeks. The vendor still has not been publicly named. The plaintiffs sued the banks anyway. In a separate situation, an alleged Adobe breach surfaced through a threat actor's claims about a third-party business process outsourcing firm -- and as of the coverage reviewed for this analysis, no public confirmation or denial from Adobe had surfaced. This is the Common Point of Failure pattern, and it is arriving with enough frequency that it deserves to be named clearly.
🔍 In this edition of Lens Four:
— Why "no evidence of unauthorized access to our network" leaves the data, the contract, and the customer out of the picture — and why that omission is doing real damage as regulators, plaintiffs, and customers all collapse the distinction between "our network" and "their network"
— How the proposed CIRCIA rule's "reasonable belief" trigger changes the operating math when the suspected source is a third party: the 72-hour clock starts when the SOC analyst flags, not when the legal team confirms
— What the NYDFS October 21 2025 industry letter on third-party service providers tells covered entities to do — and how the regulator's prescriptive guidance becomes the de facto checklist for audits, examinations, and enforcement
— Why the cyber insurance market, per Woodruff Sawyer's annual Cyber Looking Ahead Guide, is now functioning as a verification mechanism — and why the underwriter and the regulator are now the ones shaping what gets bought, not the threat
— Verizon's own analysis of its 2025 Data Breach Investigations Report — drawing on more than 22,000 incidents — found the share of breaches involving a third party doubled year over year, from 15% to 30%
— Three things the network sentence leaves out: the data (where it lived, how it was stored, what controls applied), the operating model (how a vendor came to have enough access to produce customer harm), and the chain of accountability (the contractual relationship between named brand and unnamed vendor)
— Why the vendor concentration the industry has been selling as "consolidation" for two decades is also the thing concentrating blast radius — and why discovery in the class actions, not voluntary disclosure, is the most likely path to actually naming the vendors
— Two CISO conversations the Fourth Lens draws on: Tim Brown on what carries a security leader through the worst day of their career (trust built before the trust was needed, context, perspective, communication), and Joe Sullivan on building cyber teams the way fire departments are built — one team on the go, one on standby, one resting
— The Fourth Lens: the program reality is that the named brand is accountable for things happening at a vendor it cannot directly control; the market reality is that the regulator and the insurer have already written the checklist; the messaging reality is that the disclosure language has not caught up to either
Fourth Lens: The vendor whose name you do not know is the vendor whose risk you cannot manage. The fix is not in the disclosure language. It is in the operating model the disclosure language is currently helping to obscure. The next twelve to eighteen months — through the first CIRCIA enforcement action, the first court-ordered discovery that names a CPOF vendor, and whatever the next shared-vendor breach turns out to be — will start writing the answer to what a security program is actually for when the breach happens somewhere you cannot reach.
🔗 Full article and references: https://seanmartin.com/lens-four/the-vendor-you-cannot-name
📧 Subscribe to Lens Four: https://seanmartin.com/lens-four
🎙 Redefining CyberSecurity Podcast: https://redefiningcybersecuritypodcast.com
🎧 Music Evolves Podcast: https://musicevolvespodcast.com
🌐 ITSPmagazine: https://itspmagazine.com
🎬 Studio C60: https://studioc60.com
Sean Martin is a cybersecurity market analyst, content strategist, and go-to-market advisor with more than 30 years of experience across engineering, product development, marketing, and media. He is co-founder of ITSPmagazine (itspmagazine.com) and Studio C60 (studioc60.com), host of the Redefining CyberSecurity Podcast (redefiningcybersecuritypodcast.com) and Music Evolves Podcast (musicevolvespodcast.com), and co-host of On Location (itspmagazine.com/on-location) and Random and Unscripted (randomandunscripted.com). Learn more at seanmartin.com.
🔎 Keywords: Common Point of Failure, third-party risk, vendor breach, breach disclosure, CIRCIA, NYDFS, cyber insurance, CISO accountability, supply chain security, Tim Brown, Joe Sullivan, operational resilience, Sean Martin, Lens Four