US financial trade associations have urged the Treasury Department to reform how federal regulatory agencies manage data.

The move follows a series of breaches that compromised the security of bank regulators.  

The letter, dated 9 June 2025 and addressed to Treasury Secretary Scott Bessent, was signed by the American Bankers Association, Bank Policy Institute, Managed Funds Association, and Securities Industry and Financial Markets Association.

The groups made several recommendations, which include holding regulatory agencies uniformly to the same security standards as private companies and avoiding the centralisation of data to prevent impact on economic sectors.

Additionally, they suggested that agencies should notify affected companies when data breaches occur and limit data collection to only necessary information.

Notably, hackers accessed approximately 148,000 emails at the Office of the Comptroller of the Currency (OCC), a Treasury bureau, from May 2023 until February 2025, when Microsoft detected unusual activity.  

The OCC confirmed in April that the breach involved “highly sensitive information relating to the financial condition of federally regulated financial institutions.” 

A report from Bloomberg highlighted another incident from December 2024: Treasury’s own breach, in which Chinese state-sponsored hackers accessed unclassified documents and former Secretary Janet Yellen’s computer.

The letter addressed concerns over federal regulatory agencies’ cybersecurity practices, stating: “We are deeply concerned about the cybersecurity risk management practices at federal regulatory agencies, and the need for critical reforms to ensure the supervisory process does not introduce unnecessary risk to firms through regulators’ own security weaknesses.” 

The trade groups recommended aligning regulators’ cybersecurity standards with those of financial institutions, notifying affected firms within 72 hours of a breach, and allowing firms to retain sensitive data on their secure systems for on-site regulatory review.