Two US Banks, One Vendor: 11 Third-Party Vulnerabilities Invisible to Questionnaires
- Apr 24
On April 20, 2026, the Everest ransomware group published two major US banks on its leak site. Both confirmed: the breach didn't come from their internal network but from a common third-party vendor. A chain of a few minutes, a single compromised vendor, two financial institutions exposed.
TPRM — Third Party Risk Management — is no longer a compliance topic. It has become a business continuity topic. And yet, most TPRM programs in 2026 still rely on a static annual questionnaire.
Here's what these questionnaires NEVER see — and what makes up 90% of your third parties' real risk.
Why the annual questionnaire is no longer enough
Three structural reasons:
- The questionnaire measures what the vendor says. Not what they do.
- Its validity window is 12 months. The exposure window of a critical CVE is 20 hours.
- It does not cover the external assets of the vendor (subdomains, ports, certificates) that are the real attack vector.
The 11 third-party vulnerabilities your questionnaires NEVER detect
Here's the list of concrete vulnerability elements of a vendor that you can observe continuously, without vendor cooperation, and that are completely invisible to questionnaires:
1. Expired or weak TLS certificates on their exposed services
2. New ports opened on the internet (surface change)
3. Subdomains vulnerable to takeover (Webflow, GitHub Pages, misconfigured S3 buckets)
4. Critical CVEs on internet-facing services (detectable exposed versions)
5. Missing HTTP security headers (HSTS, CSP, X-Frame-Options)
6. Broken email configuration (SPF, DKIM, DMARC misconfigured → spoofing of their domain)
7. Leaked credentials on the dark web tied to the vendor's domain
8. Appearance in recent data leaks (breach databases)
9. Presence in CTI victimology (already attacked in the last 90 days)
10. Declared alignment drift (the vendor says SOC 2, their external signals don't match)
11. OT/ICS ports exposed on the internet (Modbus, S7, BACnet… for industrial vendors)
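Items 5 and 6 are the kind of signal that can be read from public records alone. As an added example (not FortaRisks code), the check below grades a vendor's SPF and DMARC posture and lists missing HTTP security headers from constructed DNS TXT records and a constructed response header set for a hypothetical domain; DKIM is left out because it needs a selector name to query, and no network lookups are made.

```python
# Constructed sample data for a hypothetical vendor domain; no network lookups are made.
VENDOR_TXT = {
    "vendor-example.test": ["v=spf1 include:_spf.mailer.test ~all"],
    "_dmarc.vendor-example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@vendor-example.test"],
}
VENDOR_HEADERS = {"content-type": "text/html", "strict-transport-security": "max-age=31536000"}
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy", "x-frame-options")

def assess_spf(txt_records):
    """Classify SPF from the domain's TXT records; the terminal 'all' mechanism decides."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing", "no SPF record published"
    if len(spf) > 1:
        return "invalid", "more than one SPF record (receivers treat this as permerror)"
    terms = spf[0].lower().split()
    last = terms[-1] if len(terms) > 1 else ""
    if last in ("+all", "all"):
        return "weak", "'+all' authorises any host to send as this domain"
    if last == "~all":
        return "partial", "softfail only: spoofed mail is flagged, not rejected"
    if last == "-all":
        return "ok", "hard fail on unauthorised senders"
    return "partial", "no terminal 'all' mechanism (implicit neutral result)"

def assess_dmarc(txt_records):
    """Classify the _dmarc record; p=none reports spoofing but does not stop it."""
    recs = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not recs:
        return "missing", "no DMARC record: receivers apply no policy to spoofed mail"
    tags = dict(t.strip().split("=", 1) for t in recs[0].split(";") if "=" in t)
    policy = tags.get("p", "").strip().lower()
    levels = {"reject": "ok", "quarantine": "partial", "none": "weak"}
    return levels.get(policy, "invalid"), f"p={policy or '<absent>'}"

def missing_security_headers(headers):
    """Return the headline headers (item 5 on the page) absent from a response."""
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]

def vendor_findings(domain, txt, headers):
    """Turn the checks into the evidence-backed finding list a vendor can dispute or fix."""
    findings = []
    for name, (level, why) in (("SPF", assess_spf(txt.get(domain, []))),
                               ("DMARC", assess_dmarc(txt.get(f"_dmarc.{domain}", [])))):
        if level != "ok":
            findings.append(f"{name} {level}: {why}")
    findings += [f"missing header: {h}" for h in missing_security_headers(headers)]
    return findings
```

On the constructed sample this yields four findings: a softfail-only SPF, a DMARC policy of none, and two missing headers (CSP and X-Frame-Options).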
How FortaRisks covers all 11 continuously
Our TPRM module continuously observes each critical vendor without requiring their cooperation:
- EASM applied to the vendor: 100+ types of findings on their external surface (covers #1, #2, #3, #4, #5)
- Email Health: SPF/DKIM/DMARC monitored continuously (covers #6)
- Disclosure module: dark web + breach database scan (covers #7, #8)
- CTI victimology: filtered by vendor + correlation with active actors on their sector/country (covers #9)
- Posture cross-mapping: detection of drift between declaration (SOC 2, ISO 27001) and observable external signals (covers #10)
- Native OT/ICS scanner applied to industrial vendors — 15+ ports: Modbus, S7, BACnet, DNP3, OPC UA, EtherNet/IP, IEC-104 (covers #11)
Score decomposable by dimension. No black box like BitSight or SecurityScorecard. You see exactly what contributes to the risk, you can dispute it with evidence, and the vendor can explain or fix it.
From first vendor added to first alert: 7 days
Where an annual questionnaire takes 3 months between sending and analysis, FortaRisks gives you:
- Initial score on 100% of your vendors in less than 7 days
- Continuous detection of posture changes (drift, new CVEs, expirations)
- Alerts prioritized by business criticality + actual exposure
- Audit-ready report exportable for DORA, ISO 27001, SOC 2, Quebec Law 25
Conclusion
The 2 US banks that fell on April 20 probably knew their shared vendor was critical. What they didn't know is that it had a critical CVE unpatched for 9 days. This information was public. No one was looking at it.
→ See your vendors' 11 vulnerabilities in less than 7 days. Request a FortaRisks demo: https://www.fortarisks.com/en/contactez-nous