E.D.Tex. 4 25 cv 01277 ALM 47 0

Compliance Paperwork Won’t Save You From a Vendor Breach

Key quote:

All of Marquis Software Solutions, Inc.’s deadlines in the above-captioned action are stayed pending the parties’ mediation efforts.

Why it matters:

The litigation surrounding the Marquis Software Solutions breach is currently taking a break for mediation, as seen in the April 6, 2026, Order in In Re Marquis Software Solutions, Inc. Data Breach Litigation (Case No. 4:25-cv-01277) in the U.S. District Court for the Eastern District of Texas. While the stay might be a temporary reprieve, the underlying case serves as a reminder that a signed compliance checklist is not a get-out-of-jail card. When attackers exploited unencrypted MFA codes stolen from SonicWall to breach Marquis’s network on August 14, 2025, they weren’t thinking about the bank’s SOC 2 reports. Yet, in cases like Krall v. Marquis and Noble v. Marquis, plaintiffs are suing financial institutions like First National Bank of Pennsylvania and iQ Credit Union for negligence and breach of fiduciary duty, arguing the banks failed to oversee their vendors.

This shows how compliance documentation can surface in discovery. The very documents that organizations create to satisfy regulators, like due diligence files, audit logs, and vendor contracts, are now the exhibits plaintiffs will use to prove you knew the risks and didn’t act. If your vendor risk program is designed only to pass a regulatory exam, it will probably fall apart in discovery. You need to treat your supply chain as an extension of your own perimeter. This means moving beyond boilerplate language in contracts to enforce specific, measurable security requirements and exercising right-to-audit clauses before a crisis hits. Vendors should anticipate this request and charge for the cost of the audit, or we’ll see knock-on pricing effects.

And this cluster keeps growing. Marquis filed its own lawsuit against SonicWall, claiming the firewall vendor failed to secure its cloud backups, creating a cascading liability chain that put everyone into this mess. With over 672,000 individuals affected across 74 financial institutions, the settlement pressure is immense.

Companies have to stop treating third-party risk as an exercise in box-checking. Re-tier your vendors based on actual data sensitivity and risk, pressure-test your incident response plans with the vendors themselves, and make sure that your board sees the risk as a live threat, not a compliance footnote covered by your contracts. You’re already losing if you wait until a complaint is filed to recognize that your vendor’s security posture was a paper tiger.
