Four industry trade associations are advocating for major reforms in how federal financial regulators manage sensitive data. This call to action follows a data breach at the Office of the Comptroller of the Currency (OCC), which exposed over 148,000 private communications containing critical supervisory information regarding U.S. financial institutions.
In a letter to Treasury Secretary Scott Bessent, the Bank Policy Institute, American Bankers Association, MFA, and SIFMA highlighted the increasing threats from hostile nation-states targeting U.S. critical infrastructure. They emphasized the urgent need to address vulnerabilities, stating, “Government agencies are increasingly the target of persistent and sophisticated nation-state attacks that could disrupt financial markets and our economy.” The organizations insisted that federal regulators must implement the same stringent cybersecurity and incident response practices they require of financial institutions.
Financial institutions are legally obliged to share sensitive, proprietary, and non-public information with their regulators, encompassing areas like capital and liquidity management and cybersecurity measures. However, centralizing this large quantity of sensitive data creates a prime target for malicious actors. The associations noted that both the Treasury Department and the OCC have experienced significant cyber incidents in the past two years.
At the OCC, hackers exploited the system for over a year and a half before the breach was detected. Following the incident, major banks, including JPMorgan Chase and Bank of New York Mellon, reduced their electronic information sharing with the agency.
To mitigate risk and avert future breaches, the groups are urging the Treasury to apply the same security and data protection standards to federal agencies as those expected of private companies. They recommend limiting data collection to what is strictly necessary and avoiding the centralization of sensitive information, so that companies maintain control over their data. The letter cautioned that a compromise at a regulator could expose the vulnerabilities and business information of financial institutions, potentially placing them at a strategic disadvantage.