This week's Security Squawk episode isn't about phishing. It's about structural weakness. Three separate incidents. Three different industries. One uncomfortable pattern: the systems organizations trust most are expanding risk quietly — and in some cases, architecturally. First, a lawsuit that should make every board member pay attention. Marquis Software Solutions, a fintech serving 74 U.S. banks, is suing SonicWall. The allegation centers on SonicWall's cloud backup system, where firewall configuration backups were allegedly accessible and contained credentials — including MFA scratch codes. Those backups were reportedly used to compromise Marquis, leading to a ransomware incident and downstream exposure. What began as a scoped 5% customer exposure was later reported as potentially impacting all customers. This is not a misconfigured endpoint. This is a control-plane failure. For CEOs, this reframes vendor risk. It's no longer a questionnaire exercise. It's a litigation vector. If a security provider's design exposes authentication artifacts, your internal diligence may not matter. The liability chain now includes vendors and MSPs in a very direct way. For IT Directors, the operational question is simple: what exactly is inside your firewall backups? Are reusable authentication artifacts stored? Who can access vendor-hosted exports? If attackers obtain your configuration backups, can they replay your defenses? For MSPs, the exposure is real. If you manage firewall exports or MFA deployments, you are part of the architecture. And potentially part of the courtroom. Then we shift to UFP Technologies, a medical device manufacturer. Intrusion detected. Billing and shipping label systems disrupted. Data stolen or destroyed. Insurance expected to offset financial impact. But this isn't primarily a data story. Attackers disrupted order-to-cash and fulfillment velocity. In healthcare supply chains, slowing billing and labeling can create immediate executive escalation without touching the factory floor. Modern ransomware groups increasingly target business process choke points — ERP, labeling, scheduling — because leverage doesn't require full encryption anymore. For CEOs, “no material impact expected” is accounting language. Customers measure impact in delayed shipments. For IT leaders, the question becomes operational: can billing, labeling, and fulfillment functions recover independently? Are those systems segmented? Tested? Immutable? For risk managers and insurers, this represents a shift in underwriting focus — from endpoints to process resilience. Finally, the University of Hawaiʻi Cancer Center ransomware incident. Roughly 87,000 study participants directly impacted. But historical datasets, including Social Security numbers collected from driver's license and voter registration data dating back to 1998, expanded potential exposure to nearly 1.2 million individuals. They engaged the threat actors. They received a decryptor. They received “assurances” that data was destroyed. That's not verification. That's negotiation. The uncomfortable truth: legacy identity data becomes modern ransom currency. Research environments often have weaker governance than clinical systems, yet they can contain decades of sensitive identifiers. For boards, the issue isn't just security posture. It's data retention discipline. What obsolete identity data are you still holding? Why? For how long? And who owns the risk? Across these stories, three themes emerge: Control-plane trust is fragile. Operational choke points are the new leverage strategy. Data retention is compounded liability. Cybersecurity is no longer just about stopping intrusion. It's about architectural accountability and governance maturity. If you value independent, executive-level analysis without vendor spin, support the show at: buymeacoffee.com/securitysquawk The real question is this: Are your greatest cyber risks coming from external attackers — or from design decisions you haven't revisited in years?