Financial industry groups urge regulators to improve cybersecurity

A group of financial industry associations is urging federal financial regulators to reform the rules that protect sensitive data, following a series of data breaches at the regulators themselves.


Financial institutions are legally required to share sensitive, proprietary and non-public information with their regulators as part of the supervisory process. This information can range from capital and liquidity management to cybersecurity protocols. Holding that data, however, makes government agencies, including regulatory agencies, a prime target for cyberattacks.

Over the past two years, both the Treasury Department and the Office of the Comptroller of the Currency have suffered significant cyber incidents. In May 2023, hackers compromised the OCC’s systems, and the OCC did not learn of the suspicious activity until February 2025. The breach exposed an estimated 148,000 emails, some of which may have contained highly sensitive supervisory information.

In a letter addressed to Treasury Secretary Scott Bessent, the organizations outlined their concerns with regulators’ data management practices.

“[G]overnment agencies are increasingly the target of persistent and sophisticated nation-state attacks that could disrupt financial markets and our economy,” the organizations wrote in the letter. “It is imperative that federal regulators recognize that they are equally a target of malicious actors and implement the same or substantially similar cybersecurity and incident response practices that they expect financial institutions to maintain.”

The letter was signed by representatives of the Bank Policy Institute, American Bankers Association, MFA and SIFMA.

To mitigate risk and prevent similar problems in the future, the groups made four recommendations:

  • Hold agencies to the same security and data protection standards as private companies.
  • Avoid centralizing sensitive data that could affect entire economic sectors and instead allow companies to maintain control and access to their data.
  • Require regulatory agencies to notify affected companies when a breach or other incident involves their data.
  • Limit data collection to only what is necessary.