On April 20, 2026, the Everest ransomware gang posted both Citizens Financial Group and Frost Bank to its dark web leak site, setting a six-day deadline before publishing stolen data. Both banks confirmed what the gang claimed: attackers had accessed customer information, and that access had come through third-party vendors — not through the banks’ own networks.

When the investigation concluded, the scope was significant. Everest claimed approximately 3.4 million Citizens Bank records from a SQL database dump containing full names, home addresses, account numbers, and internal document identifiers. For Frost Bank, the claimed take was smaller in volume but considerably more sensitive: approximately 250,000 records containing Social Security numbers, tax identification numbers, full names, mortgage interest rates, investment profits, income data, taxable amounts, and home addresses.

Citizens Bank confirmed the vendor was a statement printing and mailing provider. Frost Bank confirmed its vendor handled tax document fulfillment. In both cases, the banks stated that their own internal systems were not directly compromised — the breach occurred entirely within the third-party environment.

By April 24, class actions had been filed against Citizens Bank in the U.S. District Court for the District of Rhode Island. Law firms announced investigations into potential claims on behalf of affected Frost Bank customers.


The Everest Ransomware Group: A Different Profile Than ShinyHunters

The Citizens and Frost Bank incidents are distinct from the ShinyHunters-linked Salesforce supply chain attacks that affected McGraw-Hill and Rockstar Games earlier in April 2026. Understanding the difference matters for threat intelligence and for vendor risk classification.

Everest is a ransomware-as-a-service (RaaS) operation that has been active since at least 2020. Its operational model combines data exfiltration with ransom demands, listing non-paying victims on a dark web site to create reputational and regulatory pressure. Everest has previously targeted healthcare organizations, government agencies, and financial sector companies. Its focus is on data exfiltration and extortion rather than the platform-exploitation supply chain methodology that characterized the ShinyHunters-Snowflake campaign.

ShinyHunters operates primarily through credential theft, authentication token replay, and exploitation of cloud storage misconfigurations — most visibly the 2024 Snowflake-connected campaign that affected Ticketmaster, Santander Bank, and dozens of other organizations, and the April 2026 campaign that hit McGraw-Hill via Salesforce Experience Cloud and Rockstar Games via Anodot’s Snowflake environment.

The differentiation matters for vendor risk classification. Everest’s attack model targets vendors with high-value customer data but potentially weaker security postures — statement printing and tax document fulfillment firms are not typically at the technological frontier of cybersecurity investment, and they hold financial records for millions of customers. ShinyHunters’ cloud-focused methodology targets vendors with broad authentication access to cloud environments. The controls appropriate for each threat model differ.


GLBA and the Vendor Accountability Framework

The Gramm-Leach-Bliley Act’s Safeguards Rule, administered by the FTC for non-bank financial institutions and enforced by bank regulators for covered financial institutions, requires financial institutions to implement a comprehensive information security program that includes, specifically, oversight of service provider arrangements.

Under the Safeguards Rule as amended in 2023, financial institutions must:

  • Select and retain service providers capable of maintaining appropriate safeguards for customer information they handle
  • Require service providers by contract to implement and maintain appropriate safeguards
  • Oversee service providers by including contractual provisions and, where applicable, monitoring their compliance with those provisions

The 2023 amendments strengthened the specificity of these requirements, including new obligations to respond to security events involving customer information held by service providers.

For Citizens Bank and Frost Bank, the compliance question is not whether the banks were technically the primary victims of the breach — they were not. The question regulators will examine is whether the banks’ vendor oversight programs met the Safeguards Rule’s requirements for the specific vendors involved:

  • Was the vendor’s security posture assessed before engagement and on a periodic basis thereafter?
  • Did the contract with the vendor include security requirements proportionate to the sensitivity of the data the vendor processed?
  • Did the bank’s monitoring program identify the indicators of compromise before the Everest gang’s dark web posting?
  • Were incident response procedures for third-party security events exercised and current?

The answer to any one of these questions being “no” creates a regulatory finding independent of the question of who technically owned the compromised systems.


OCC Third-Party Risk Management: The 2023 Interagency Guidance

In June 2023, the OCC, Federal Reserve, and FDIC jointly issued final interagency guidance on third-party risk management — one of the most significant updates to bank vendor oversight expectations in a decade. The guidance is directly relevant to the Citizens and Frost Bank incidents.

The 2023 guidance establishes a lifecycle model for third-party risk management covering planning, due diligence, contract negotiation, ongoing monitoring, and termination. For relationships involving customer data, the guidance specifically addresses:

Due diligence. Banks must evaluate the third party’s financial condition, key personnel, risk management practices, information security practices, resilience capabilities, and incident response capabilities before engaging the vendor and at appropriate intervals thereafter.

Contract requirements. Contracts with third parties that handle customer data must address: the nature and scope of services, performance standards, security requirements aligned with the bankโ€™s own security standards, rights of audit, breach notification obligations and timelines, and rights of termination.

Ongoing monitoring. Banks must monitor third-party performance and risk throughout the relationship — this includes reviewing service provider reports, conducting periodic audits, and monitoring for security incidents and vulnerabilities affecting the service provider’s environment.

Concentration risk. Where multiple banks use the same third-party service provider for the same function — a pattern common in statement printing and tax document fulfillment, where a small number of specialized vendors serve large portions of the industry — bank examiners will examine whether the bank has adequately assessed the concentration risk and taken steps to mitigate it.

The Citizens-Frost incident illustrates concentration risk in practice: two separate banks experiencing breaches via the same functional category of vendor (statement and tax document fulfillment) suggests that the sector-level exposure to this vendor category is systemic.


The 36-Hour Notification Requirement for Banks

In November 2021, the OCC, Federal Reserve, and FDIC issued a rule requiring banking organizations to notify their primary federal regulator as soon as possible and no later than 36 hours after determining that a “notification incident” has occurred. A notification incident is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the banking organization’s ability to carry out banking operations or deliver services to customers.

Service providers to banking organizations must notify the bank as soon as possible after they experience a computer-security incident that could materially affect the bank — this is a specific, contractually enforceable obligation that the 2021 rule imposes on vendor contracts with banking organizations.

For the Citizens and Frost Bank incidents, the regulatory review will examine:

  1. When did the vendor become aware of the compromise? The timeline from the vendor’s initial detection to its notification of the bank is the first accountability question.

  2. When did the bank receive notification? This establishes the bank’s own awareness timestamp and starts the 36-hour clock.

  3. When did the bank notify its primary federal regulator? The OCC is the primary federal regulator for Citizens Bank (a national bank) and Frost Bank (also a national bank through its parent Cullen/Frost Bankers). The OCC’s examination will include the notification timeline.

If the vendor failed to notify the banks promptly — if the banks first learned of the breach through the Everest dark web posting rather than through vendor notification — that is a vendor contract failure that the banks can address contractually and operationally, but it is also a signal to bank examiners that the vendor management program did not adequately monitor for and enforce notification obligations.


NYDFS Part 500: New York-Specific Obligations

Citizens Financial Group is headquartered in Providence, Rhode Island, but operates extensively in New York state, where it holds a bank charter regulated by the New York State Department of Financial Services. NYDFS Part 500, New York’s cybersecurity regulation for financial services companies, applies.

Part 500’s third-party obligations include requirements that covered entities:

  • Maintain written policies and procedures governing third-party service provider risk assessment and selection
  • Include cybersecurity representations and warranties in contracts with third-party service providers
  • Implement risk-based third-party access policies including multi-factor authentication requirements for third-party access to internal systems
  • Periodically assess third-party service providers based on the risk they present

The 2023 amendments to Part 500, which took effect for most requirements in December 2023 and November 2024, significantly increased the specificity of these obligations and added new requirements around supply chain security, vulnerability management, and audit trail retention.

A NYDFS examination following the Citizens Bank incident will look specifically at whether the bank’s third-party cybersecurity assessments covered the vendor involved, whether the contract contained the required cybersecurity provisions, and whether the bank’s incident response procedures were followed once the breach was identified.


The Tax and Financial Data Sensitivity Distinction

The two banks’ exposure is not symmetric from a regulatory risk perspective.

Citizens Bank’s claimed exposure — names, addresses, account numbers, and document flags — is significant but contains no government-issued identifiers. The primary harm vectors are account takeover (using account numbers combined with social engineering), mail fraud (using verified addresses), and profile enrichment for targeted attacks.

Frost Bank’s exposure is materially more sensitive. Social Security numbers and tax identification numbers are the backbone of identity fraud in the United States. Combined with income, investment, and mortgage data, the Frost Bank records represent a comprehensive financial profile that enables synthetic identity construction, tax refund fraud, financial account takeover, and targeted financial fraud.

Under GLBA and NYDFS Part 500, the obligation to protect “nonpublic personal information” — which includes SSNs, tax IDs, and account numbers — is among the most clearly defined in financial sector compliance. The regulatory threshold question for Frost Bank’s breach is whether the vendor received appropriate contractual protections and whether the bank’s oversight of that vendor was proportionate to the sensitivity of the data the vendor processed.

An oversight program that reviews a tax document fulfillment vendor with the same cadence and depth as a lower-risk vendor — for example, a marketing analytics provider — is likely not proportionate. Risk-based vendor tiering that classifies vendors handling SSNs and tax data at the highest risk tier, with corresponding annual assessment obligations, enhanced contract terms, and active monitoring, is the expected standard.


Class Action Litigation Landscape

Two class actions were filed against Citizens Bank in U.S. District Court for the District of Rhode Island within days of the breach disclosure. Law firm announcements of investigations into Frost Bank claims followed shortly thereafter.

Financial sector data breach class actions in the United States have evolved significantly since the Supreme Court’s Spokeo decision. Plaintiffs must demonstrate concrete injury — not merely the risk of future harm — to establish Article III standing. For breaches involving SSNs and tax IDs, courts have more consistently found standing based on the inherent risk of identity fraud that attaches to exposure of these identifiers. For breaches involving only names, addresses, and account numbers without government-issued identifiers, standing arguments are more contested.

The distinction between the Citizens Bank and Frost Bank breach records will likely produce different outcomes in litigation. Plaintiffs whose SSNs and tax IDs were exposed (Frost Bank) are in a materially stronger standing position than plaintiffs whose records consisted only of names, addresses, and account numbers (Citizens Bank).

For the banks, the litigation risk is compounded by the vendor relationship: defendants in financial data breach class actions regularly attempt to join or implead the third-party vendor whose breach caused the exposure. The contractual terms between the banks and their vendors — particularly indemnification provisions, limitation of liability clauses, and breach response cost allocation — will be examined in discovery.


What Financial Institutions Must Do Now

Tier your vendor risk program by data sensitivity. Tax and government document processing vendors that handle SSNs, tax IDs, and financial records should sit at the highest risk tier in your vendor management program. The assessment cadence, contract requirements, and monitoring obligations for these vendors should be proportionate to the sensitivity of what they process.

Audit your vendor contracts for 36-hour notification obligations. The OCC’s 2021 rule requires banking organizations to contractually obligate service providers to notify them of material security incidents “as soon as possible.” Review whether your current vendor contracts contain this requirement, whether it is operationally enforceable (i.e., the vendor knows who to call and how to escalate), and whether the vendor’s internal incident response procedures are adequate to support the notification timeline.

Assess concentration risk in statement and document fulfillment. The Citizens-Frost pattern suggests that statement printing and tax document fulfillment vendors serve multiple financial institutions from shared infrastructure. If your institution uses vendors in this category, assess what other financial institutions share the same vendor infrastructure, and what your exposure is if that shared infrastructure is compromised.

Exercise your third-party incident response procedures. When a vendor discloses a breach — or when you learn of a vendor breach through external sources before receiving vendor notification — your response procedure should activate a defined workflow: assess whether customer data was within the blast radius, determine whether the OCC 36-hour clock has started, and initiate customer notification analysis under applicable state breach notification laws.

Review state breach notification obligations by jurisdiction. Citizens Financial Group’s class actions were filed in Rhode Island, its home state. The state breach notification laws applicable to a breach at a financial institution vary by where affected customers reside. A breach affecting 3.4 million customers nationally will trigger notification obligations across dozens of states with varying timelines, content requirements, and notification methods. Your breach response program should have a pre-built multi-state notification capability, not one assembled in real time.


The Accountability Floor

The Citizens and Frost Bank incidents are not novel in type — financial institutions have been breached through vendors for years. What is new is the regulatory accountability expectation.

The OCC’s 2023 interagency guidance and the 2021 36-hour notification rule together establish that third-party breaches are not a category of event that financial institutions can treat as entirely outside their control. The Safeguards Rule, NYDFS Part 500, and the OCC’s examination procedures collectively expect that a bank’s vendor management program is designed to prevent, detect, and respond to exactly this type of event — and that “our vendor was breached, not us” is a factual statement about where the intrusion occurred, not an answer to the regulatory question of whether the bank met its oversight obligations.

The examination reviews that follow the Citizens and Frost incidents will determine whether the banks’ vendor programs met that standard. The litigation will determine what the financial consequences are for affected customers. Both processes are underway. Neither will be satisfied by the observation that the banks’ own networks were not directly touched.


This article draws on public statements from Citizens Financial Group and Frost Bank, reporting from Cybernews, SC Media, American Banker, and PYMNTS, and regulatory guidance from the OCC, FDIC, Federal Reserve, and NYDFS. This article is provided for informational purposes only and does not constitute legal advice.