The Third-Party Code Liability Trap
Across 2 sectors, 2 filers are signaling rising disclosed risk. The theme was first observed in 2025Q4, so it is too early to confirm a trajectory. It is almost entirely a risk story (100%) and forward-leaning: companies are guiding to this, not just explaining the past. One disclosure notes "at risk from critical third-party information security and open-source or proprietary software defects and vulnerabilities."
Companies face mounting material risk from embedded open-source software, third-party dependencies, and compatibility failures they cannot fully control or remediate.
✦ WHAT THE DIFF CAUGHT
Language shifts from abstract forward-looking compatibility concerns (AVGO) to present-tense operational vulnerability exposure (BAC), signaling recognition that the threat is now embedded in current systems.
REPRESENTATIVE SIGNAL FROM FILINGS
“at risk from critical third-party information security and open-source or proprietary software defects and vulnerabilities”
The company is at risk from critical information security flaws and open-source or proprietary software defects in third-party systems.
“when deployed, has contained in the past and may contain in the future errors, defects or security vulnerabilities”
Complex software products may contain undiscovered errors, defects, or security vulnerabilities before release and during customer deployment.
DRIVERS