
Frost Bank and the New Vendor-Risk Reality


The Frost Bank headlines are not only about banking. They are about a larger shift in enterprise cyber risk: the boundary between your company and your vendors no longer protects your reputation. When customer data is exposed, the market does not care whose network was compromised first.

Vendor Risk Is No Longer a Back-Office Compliance Exercise

For years, third-party risk management was treated as an annual documentation exercise.

Collect the questionnaire. Review the SOC report. Confirm the vendor has policies. File the evidence. Repeat next year.

That model is no longer sufficient.

Recent reporting states that Frost Bank is facing proposed class-action lawsuits following an alleged breach involving a third-party vendor, with more than 100,000 customers reportedly affected. Frost reportedly said there was no evidence of unauthorized access to its own network, while the lawsuits allege sensitive customer information may have been exposed and that notification delays increased customer risk.

That distinction matters.

It also may not matter enough.

Because customers experience the outcome, not the internal control boundary.

If their Social Security number, financial information, contact details, or identity data is exposed, they are unlikely to separate “our vendor had the issue” from “our institution failed to protect me.”

That is the new vendor-risk reality.

💡 Key Insight

Third-party risk has become first-party accountability. A vendor breach may originate outside your network, but the legal, reputational, and customer-trust consequences still land with your brand.

Why “Our Network Was Not Compromised” Is No Longer Enough

The phrase “our network was not compromised” may be technically important. It can clarify scope. It may help investigators. It may matter in litigation.

But it is no longer enough as an executive risk defense.

A modern organization’s operating model depends on vendors, SaaS platforms, payment processors, cloud providers, data platforms, managed service providers, analytics tools, and outsourced business workflows.

Those vendors often touch sensitive information or critical business processes.

That means the trust boundary has expanded.

If a vendor can access your data, process your customer information, support your systems, or operate inside your workflow, then that vendor is part of your risk surface.

In the Frost reporting, one lawsuit estimated roughly 109,000 people may have been affected, and Texas law generally requires certain breach reports within 30 days when at least 250 residents are affected.

That creates immediate executive questions:

  • Which vendors have sensitive data?
  • Which vendors have privileged access?
  • Which vendors create customer-impacting exposure?
  • Which contracts require notification and cooperation?
  • Which vendors could create litigation or regulatory exposure if breached?

The old model asked, “Did the vendor complete our questionnaire?”

The new model asks, “Can we prove vendor trust is governed continuously?”

  • 100,000+ customers reportedly affected.
  • 250+ affected Texas residents triggers Texas breach reporting.
  • Current status: class-action lawsuit.

What Executives Should Learn

The Frost case reinforces five lessons for boards and leadership teams.

“In modern cyber risk, ‘our network was not compromised’ is no longer a defense when customers experience the breach as yours.”

1. Third-Party Risk Is First-Party Accountability

When a vendor fails, the business still owns the customer relationship.

That means leaders must govern vendor exposure as part of enterprise risk, not merely procurement.

2. Vendor Incidents Can Become Board-Level Events

A vendor breach can trigger legal exposure, regulatory scrutiny, media attention, customer churn, and operational distraction.

That is board-level material.

3. Notification Delays Amplify Damage

Speed matters.

Delays can reduce customer ability to act, increase frustration, and weaken trust.

4. Customer Trust Erodes Faster Than Litigation Resolves

Legal processes move slowly. Customer trust can move instantly.

A well-governed response must address both.

5. Annual Questionnaires Are Not Enough

Vendor trust must be monitored, tested, and governed continuously.

A mature program should include:

  • vendor inventory,
  • data-flow mapping,
  • access reviews,
  • contractual notification obligations,
  • audit rights,
  • incident escalation paths,
  • tabletop exercises,
  • and risk-based monitoring.

Conclusion

Third-party risk is no longer a secondary control function. It is a core component of enterprise resilience. The Frost Bank matter should prompt every executive team to review whether their organization knows which vendors have sensitive access, which relationships create material exposure, and how fast the business can respond if a vendor-linked incident occurs. The organizations that lead on cyber resilience will not be the ones with the longest questionnaires. They will be the ones that govern vendor trust continuously.