Associations Push to Strengthen Federal Regulator Cyber Security

"We are deeply concerned about the cybersecurity risk management practices at federal regulatory agencies, and the need for critical reforms to ensure the supervisory process does not introduce unnecessary risk to firms through regulators’ own security weaknesses."
ABA, SIFMA, MFA and BPI Joint Letter to Treasury Department

Four financial trade associations ("Associations") urged the Treasury Department to strengthen cybersecurity and data protection practices at federal financial regulatory agencies. 

In a joint letter, the American Bankers Association, Bank Policy Institute, Managed Funds Association and SIFMA argued that the federal financial regulators must:

  • "ensure agencies are held to the same or substantively similar security and data protection standards expected of financial institutions to include transparency and accountability for upholding these standards;
  • enable firms to retain and house their own sensitive data needed for regulatory engagement;
  • improve regulatory agencies' incident response processes to include notification and communication with regulated institutions; and
  • consolidate and streamline examinations conducted by the financial regulatory agencies to reduce the amount of data being shared."

The Associations cited a cyber failure at the OCC, where nation-state hackers gained access to nearly 150,000 emails. (See related coverage.) They described how the hack began in May 2023, but the OCC discovered the breach only in February 2025, after being alerted by Microsoft. The Associations recounted that the OCC initially said there was no "impact to the financial sector," but later reported that the hackers had accessed "highly sensitive information" about the financial condition of banks. The Associations highlighted that after the damage was disclosed, banks stopped transferring certain sensitive information to the regulators.

The Associations said this incident, along with findings from a 2025 CFPB Inspector General report, underscored the need for immediate improvement of security at the regulators.

The Associations also highlighted regulators' failure to implement key recommendations from the 2022 Data Protection Working Group report. They warned that regulators' uneven incident response practices hinder firms' ability to manage third-party risks.

The Associations offered to partner with the Administration in developing an implementation plan to modernize regulator cybersecurity practices.
