Restricting the set of allowed company name characters (and also forcibly renaming this company) is a bodge of a solution to this problem which is caused by developer negligence.
@michaeltandy has done the right thing here (with responsible disclosure) and given all of these third party data ingesters a wake up call.
Frankly everyone responsible for a site that was vulnerable to this should be embarrassed that they weren't doing proper output encoding (as HTML character entities in this case), embarrassed that they had no strict Content-Security-Policy in place and embarrassed that (most likely) they had to be told about this by a third party.
Come on, it's 2020. Preventing stored XSS is basic stuff. And it's not just XSS that should be a concern, as has been pointed out elsewhere in the thread, there are company names with SQLi payloads inside. Company names are user input and should be treated as such.