A group of financial industry associations, led by the Bank Policy Institute (BPI), is calling on federal financial regulators to reform how sensitive data is handled.

This request follows a series of data breaches that exposed over 148,000 private correspondences containing sensitive supervisory information about U.S. financial institutions.
In a letter addressed to Treasury Secretary Scott Bessent, BPI, along with the American Bankers Association, the Managed Futures Association, and SIFMA, identified concerns with regulators’ data management practices.
“[G]overnment agencies are increasingly the target of persistent and sophisticated nation-state attacks that could disrupt financial markets and our economy,” the organizations wrote in the letter to Bessent. “It is imperative that federal regulators recognize that they are equally a target of malicious actors and implement the same or substantially similar cybersecurity and incident response practices that they expect financial institutions to maintain.”
Financial institutions are required to share sensitive, proprietary and non-public information with their regulators as part of the supervisory process. However, this makes the sensitive data a prime target for illicit actors seeking to harm U.S. economic security.
Government agencies, including regulatory agencies, are increasingly the target of cyberattacks. Over the past two years, both the Treasury Department and the Office of the Comptroller of the Currency have been exposed to significant cyber incidents. Most recently, hackers compromised the OCC’s systems in May 2023, and the OCC did not learn of the suspicious activity until February 2025. The breach exposed an estimated 148,000 emails, some of which may have contained highly sensitive supervisory information.
To mitigate risk and prevent similar breaches, the groups made the following recommendations:
- Hold agencies to the same security and data protection standards as private companies.
- Avoid centralizing sensitive data that could affect entire economic sectors and instead allow companies to maintain control and access to their data.
- Require regulatory agencies to notify affected companies when an incident compromises their data.
- Limit data collection to only what is necessary.