Bank groups warn of regulators' cybersecurity weaknesses

Photo: Office of the Comptroller of the Currency headquarters (Ting Shen/Bloomberg)

Major financial trade associations sent a joint letter Monday to U.S. Treasury Secretary Scott Bessent calling for reforms to address what they called "preparedness gaps" and "security weaknesses" at federal financial regulatory agencies.

The letter came from the American Bankers Association, Bank Policy Institute, Managed Funds Association and Securities Industry and Financial Markets Association. The groups expressed concern that regulators' own security weaknesses introduce unnecessary risk to the firms they regulate.

The trade associations highlighted recent cybersecurity incidents at the Office of the Comptroller of the Currency and the Department of the Treasury in December 2024, saying in the letter these incidents show that "government agencies are increasingly the target of persistent and sophisticated nation state attacks that could disrupt financial markets and our economy."

The associations asserted that it is "imperative that federal regulators recognize that they are equally a target of malicious actors and implement the same or substantially similar cybersecurity and incident response practices that they expect financial institutions to maintain."

The letter notes that inadequate security at regulatory agencies has been a long-standing issue. Firms are legally required to share sensitive, proprietary and nonpublic information with regulators as part of the supervisory process. The groups contend that centralizing large amounts of this data can create a prime target for malicious actors. Compromises at regulatory agencies could expose institutions' vulnerabilities and business information.

Details of the OCC email breach

The letter specifically referenced the OCC's email system breach, which exposed an estimated 148,000 emails.

Hackers compromised the OCC's systems in May 2023, and the OCC learned of the suspicious activity in February 2025, meaning hackers likely had access for over a year and a half.

Microsoft Global Hunting Oversight and Strategic Triage, or GHOST, notified the OCC on February 11 about unusual interactions, and the OCC confirmed the activity was unauthorized on February 12.

The OCC initially communicated in its first public notice in February 2025 that there was "no indication of any impact to the financial sector." However, during subsequent reviews, the OCC learned the incident impacted sensitive information. On April 7, 2025, the OCC determined the incident qualified as a major incident under the Federal Information Security Modernization Act, or FISMA.

The OCC notified Congress on April 8, stating the compromise included unauthorized access to "highly sensitive information relating to the financial condition of federally regulated financial institutions."

Information accessed included financial supervision information provided by supervised institutions and nonpublic OCC information. Efforts to determine if any bank customer information was compromised were ongoing as of an April update on the matter from the OCC.

Once informed of the incident, financial institutions activated their third-party risk management procedures, including disconnecting from the OCC and pausing the transfer of sensitive information.

Recommendations for reform

To mitigate risk and prevent similar problems, the trade groups made four recommendations to Bessent in the Monday letter:

  • Ensure agencies are held to the same or substantively similar security and data protection standards expected of financial institutions, including transparency and accountability. They recommended experienced examiners who review regulated entities also review internal agency systems.
  • Enable firms to retain and house their own sensitive data needed for regulatory engagement on their own secure systems. Regulators should stop requiring firms to submit sensitive data through online portals or email and instead access data via on-site review or on firm computers with security controls.
  • Improve regulatory agencies' incident response processes to include notification and communication with regulated institutions. They urged agencies to notify affected entities within 72 hours, consistent with recommendations from a 2022 Data Protection Working Group report and upcoming requirements under the Cyber Incident Reporting for Critical Infrastructure Act. They noted the OCC's response did not come close to meeting the 36-hour notification requirement imposed on financial institutions.
  • Consolidate and streamline examinations conducted by financial regulatory agencies to reduce the amount of data being shared. They suggested requests for data be subject to consistent review by senior supervisory officials to minimize unnecessary data collection.

The letter concludes by stating that the financial services industry is ready to partner with the administration and regulators to guard financial markets against adversaries and protect the vitality of the U.S. economy.
