(Bloomberg) - Financial-sector trade groups are urging the US Treasury Department to bolster its cybersecurity in response to hackers intercepting the sensitive emails of more than 100 bank regulators for more than a year.
In a letter sent Monday to Treasury Secretary Scott Bessent, the associations urged federal regulators to strengthen their data-protection standards and inform organizations they oversee about security breaches affecting their data within three days. They also suggested that regulators stop requiring banks and other financial institutions to submit sensitive information through online portals or email.
The American Bankers Association, Bank Policy Institute, Managed Funds Association and Securities Industry and Financial Markets Association signed the letter.
“We are deeply concerned about the cybersecurity risk management practices at federal regulatory agencies, and the need for critical reforms to ensure the supervisory process does not introduce unnecessary risk to firms through regulators’ own security weaknesses,” the groups said in the letter, which was reviewed by Bloomberg News.
The letter to Bessent comes two months after Bloomberg News first reported that hackers had spied on the email inboxes of employees of the Office of the Comptroller of the Currency, accessing roughly 150,000 emails. An official with the OCC, an independent bureau of Treasury, concluded in a letter informing Congress of the breach that “the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence.”
Representatives for the Treasury Department and OCC didn’t immediately respond to emails seeking comment on the letter.
The hackers, who have not been publicly identified, got in by exploiting an administrative account that lacked a basic cybersecurity protection, Bloomberg previously reported. The OCC previously declined to comment on the absence of the multifactor-authentication safeguard.
“It is imperative that federal regulators recognize that they are equally a target of malicious actors and implement the same or substantially similar cybersecurity and incident response practices that they expect financial institutions to maintain,” the groups said in the letter.
After the breach became public, some of America’s biggest banks took the remarkable step of limiting the sharing of information with their regulator, Bloomberg previously reported. As well as standard financial information, the material banks regularly provide to the OCC includes reports about their cybersecurity protections, vulnerability assessments and even the content of National Security Letters which often include highly confidential information about terrorism, espionage and other investigations.
The trade associations are now urging regulators to allow banks and other financial firms to retain such data on their own systems and have government inspectors examine the information via “on-site review or on firm computers with security controls in place to limit downloading, copying or printing the information.”
The Treasury suffered its own, separate breach last year. In December, the department revealed that Chinese state-sponsored hackers had gotten into their network through a third-party provider, giving them access to some unclassified documents and former Secretary Janet Yellen’s computer.
By Jake Bleiberg
With assistance from Hannah Levitt
