Financial Groups Urge Administration to Address Pattern of Data Security Lapses at Regulators

Washington, D.C. The Bank Policy Institute, American Bankers Association, MFA and SIFMA called for significant reforms to how federal financial regulators handle sensitive data following the latest in a series of data breaches that exposed over 148,000 private correspondences containing sensitive supervisory information about U.S. financial institutions. In a letter addressed to Treasury Secretary Scott Bessent, the organizations identified concerns with regulators’ data management practices spanning the previous administration. Weaknesses were identified in February 2025; however, growing threats from hostile nation-states targeting U.S. critical infrastructure serve as a reminder of the urgency to address vulnerabilities.

“[G]overnment agencies are increasingly the target of persistent and sophisticated nation-state attacks that could disrupt financial markets and our economy,” the organizations wrote. “It is imperative that federal regulators recognize that they are equally a target of malicious actors and implement the same or substantially similar cybersecurity and incident response practices that they expect financial institutions to maintain.”

Financial institutions are legally required to share sensitive, proprietary and non-public information with their regulators as part of the supervisory process. This information can range from capital and liquidity management to cybersecurity protocols. However, centralizing large amounts of data can create a prime target for illicit actors seeking to harm U.S. economic security. Government agencies, including regulatory agencies, are increasingly the target of cyberattacks.

Over the past two years, both the Treasury Department and the Office of the Comptroller of the Currency — the Treasury bureau responsible for supervising the U.S. banking system — have suffered significant cyber incidents. The latest dates back to 2023 and was identified in early 2025. Here are the facts:

  • Hackers compromised the OCC’s systems in May 2023.
  • The OCC did not learn of the suspicious activity until February 2025 — meaning, hackers likely had access to the OCC’s systems for over a year and a half.
  • The breach exposed an estimated 148,000 emails, some of which may have contained highly sensitive supervisory information that could give hostile nation-states ample information to harm America’s financial institutions.

These weaknesses point to a pattern of problems in how U.S. agencies secure data and are held accountable. To mitigate risk and prevent similar problems in the future, the groups made four recommendations:

  1. Hold agencies to the same security and data protection standards as private companies.
  2. Avoid centralizing sensitive data that could affect entire economic sectors and instead allow companies to maintain control and access to their data.
  3. Require regulatory agencies to notify affected companies when things go wrong.
  4. Limit data collection to only what is necessary.


###

About ABA

The American Bankers Association is the voice of the nation’s $24.5 trillion banking industry, which is composed of small, regional and large banks that together employ approximately 2.1 million people, safeguard $19.5 trillion in deposits and extend $12.8 trillion in loans.

About BPI

The Bank Policy Institute is a nonpartisan public policy, research and advocacy group that represents universal banks, regional banks and the major foreign banks doing business in the United States. The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues.

About MFA

Managed Funds Association (MFA), based in Washington, D.C., New York City, Brussels, and London, represents the global alternative asset management industry. MFA’s mission is to advance the ability of alternative asset managers to raise capital, invest it, and generate returns for their beneficiaries. MFA advocates on behalf of its membership and convenes stakeholders to address global regulatory, operational, and business issues. MFA has more than 180 fund manager members, including traditional hedge funds, private credit funds, and hybrid funds, that employ a diverse set of investment strategies. Member firms help pension plans, university endowments, charitable foundations, and other institutional investors diversify their investments, manage risk, and generate attractive returns throughout the economic cycle.

About the Securities Industry and Financial Markets Association

SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA).