Paubox blog

Banking groups demand Treasury strengthen cyber defense after email breach

Written by Farah Amod | June 29, 2025

A year-long email hack targeting U.S. bank regulators has prompted major financial groups to call for urgent reforms in federal cybersecurity practices.

 

What happened

Four major financial trade associations, the American Bankers Association, Bank Policy Institute, Managed Funds Association, and Securities Industry and Financial Markets Association, have formally urged the U.S. Treasury Department to improve its cybersecurity standards. Their joint letter to Treasury Secretary Scott Bessent comes in the wake of revelations that hackers intercepted emails belonging to more than 100 regulators at the Office of the Comptroller of the Currency (OCC) for over a year.

The breach reportedly exposed approximately 150,000 emails, many containing sensitive information from banks, including cybersecurity reports and intelligence-related disclosures. The trade groups are now calling for stricter incident notification rules, improved data protection standards, and an end to reliance on unsecured digital submission methods like email and portals.

 

Going deeper

The OCC, which oversees national banks, confirmed to Congress earlier this year that the breach could erode public confidence due to the nature of the data exposed. Hackers reportedly gained access by exploiting an administrative account that lacked multi-factor authentication, an omission the OCC has not publicly addressed.

In response, several large U.S. banks took the unusual step of limiting what information they shared with regulators. The trade groups are now pushing for a shift in protocol: instead of uploading data to federal systems, firms would retain control of sensitive reports and only allow access during secure, controlled inspections.

The call for reform echoes broader concerns about systemic cybersecurity vulnerabilities across government agencies. In a separate 2024 incident, the Treasury itself was breached by Chinese state-sponsored hackers via a third-party provider.

 

What was said

“We are deeply concerned about the cybersecurity risk management practices at federal regulatory agencies,” the trade groups wrote. “Federal regulators must implement the same cybersecurity and incident response standards they expect financial institutions to follow.”

The OCC declined to comment on the letter. The trade groups also recommended that regulators notify affected institutions of security breaches within three days.

 

FAQs

Why does multi-factor authentication matter in breaches like this?

Multi-factor authentication adds an extra layer of protection beyond a password, often preventing unauthorized access even if login credentials are compromised.

 

What kind of data do banks share with regulators like the OCC?

Banks submit detailed reports covering financial stability, cybersecurity practices, vulnerability scans, and sometimes national security-related information under subpoena.

 

How might proposed changes affect day-to-day regulatory oversight?

If adopted, regulators would need to conduct more on-site reviews or access firm data through tightly controlled systems, potentially slowing routine audits but improving data security.