By 
A coalition of leading U.S. financial industry associations has raised alarm over growing cybersecurity vulnerabilities within federal regulatory agencies, urging immediate action to fortify defences against sophisticated cyber threats.
In a strongly worded letter addressed to Treasury Secretary Scott Bessent, the Bank Policy Institute (BPI), American Bankers Association (ABA), Managed Funds Association (MFA), and the Securities Industry and Financial Markets Association (SIFMA) highlighted rising threats from hostile nation-states targeting U.S. critical infrastructure, including the financial sector.
“Government agencies are increasingly the target of persistent and sophisticated nation-state attacks that could disrupt financial markets and our economy,” the letter warned.
“It is imperative that federal regulators recognize that they are equally a target of malicious actors and implement the same or substantially similar cybersecurity and incident response protocols that they expect financial institutions to maintain.”
The groups emphasized that financial institutions are mandated to submit vast amounts of sensitive, proprietary, and non-public data to regulators during supervisory processes — ranging from capital adequacy and liquidity metrics to cybersecurity frameworks. However, centralizing such data without robust protection mechanisms, they argue, creates a high-value target for malicious actors intent on undermining U.S. economic resilience.
Their concerns are underscored by recent incidents. Over the past two years, both the U.S. Treasury Department and the Office of the Comptroller of the Currency (OCC) have suffered notable cybersecurity breaches. In the OCC’s case, attackers were active within its systems for over 18 months before being detected. Following the breach, major financial institutions such as JPMorgan Chase and Bank of New York Mellon significantly reduced their electronic data-sharing activities with the agency.
To mitigate further risk, the associations are calling for the Treasury Department to implement a more stringent cybersecurity posture across regulatory bodies. Recommendations include limiting data collection to only what is operationally necessary, avoiding centralized data storage, and enabling regulated firms to maintain greater control over their data access.
“As firms are required to share non-public, highly sensitive information with regulators as part of the supervisory process, compromises at regulatory agencies could expose institutions’ vulnerabilities and business information to malicious actors, putting them at a strategic disadvantage,” the letter added.
The appeal comes amid heightened global awareness of the role regulatory technology (RegTech) and cyber-resilienceplay in safeguarding national financial infrastructure. Industry experts believe aligning government cybersecurity standards with private sector best practices is now more crucial than ever to bolster the financial system’s integrity and trust.
Comments