Mondo Visione Worldwide Financial Markets Intelligence

US Financial Groups Urge Administration To Address Pattern Of Data Security Lapses At Regulators

Date 09/06/2025

The Bank Policy Institute, American Bankers Association, MFA and SIFMA called for significant reforms to how federal financial regulators handle sensitive data following the latest in a series of data breaches that exposed over 148,000 private correspondences containing sensitive supervisory information about U.S. financial institutions. In a letter addressed to Treasury Secretary Scott Bessent, the organizations identified concerns with regulators’ data management practices spanning the previous administration. Weaknesses were identified in February 2025; however, growing threats from hostile nation-states targeting U.S. critical infrastructure serve as a reminder of the urgency to address vulnerabilities.

“[G]overnment agencies are increasingly the target of persistent and sophisticated nation-state attacks that could disrupt financial markets and our economy,” the organizations wrote. “It is imperative that federal regulators recognize that they are equally a target of malicious actors and implement the same or substantially similar cybersecurity and incident response practices that they expect financial institutions to maintain.”

Financial institutions are legally required to share sensitive, proprietary and non-public information with their regulators as part of the supervisory process. This information can range from capital and liquidity management to cybersecurity protocols. However, centralizing large amounts of data can create a prime target for illicit actors seeking to harm U.S. economic security. Government agencies, including regulatory agencies, are increasingly the target of cyberattacks.

Over the past two years, both the Treasury Department and the Office of the Comptroller of the Currency — the Treasury bureau responsible for supervising the U.S. banking system — have suffered significant cyber incidents. The latest dates back to 2023 and was identified in early 2025. Here are the facts:

  • Hackers compromised the OCC’s systems in May 2023.
  • The OCC did not learn of the suspicious activity until February 2025 — meaning, hackers likely had access to the OCC’s systems for over a year and a half.
  • The breach exposed an estimated 148,000 emails, some of which may have contained highly sensitive supervisory information that could give hostile nation states ample information to harm America’s financial institutions.

These weaknesses point to a pattern of problems in how U.S. agencies secure data and are held accountable. To mitigate risk and prevent similar problems in the future, the groups made four recommendations:

  1. Hold agencies to the same security and data protection standards as private companies.
  2. Avoid centralizing sensitive data that could affect entire economic sectors and instead allow companies to maintain control and access to their data.
  3. Require regulatory agencies to notify affected companies when things go wrong.
  4. Limit data collection to only what is necessary.

To access a copy of the letter, please click here.