
Industry associations highlight cybersecurity risks at US regulatory agencies


Four industry trade associations have called for significant reforms to how federal financial regulators handle sensitive data following a data breach at the Office of the Comptroller of the Currency that exposed over 148,000 private correspondences containing sensitive supervisory information about US financial institutions.

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

In a letter addressed to Treasury Secretary Scott Bessent, The Bank Policy Institute, American Bankers Association, MFA and Sifma say that growing threats from hostile nation-states targeting US critical infrastructure serve as a reminder of the urgency to address vulnerabilities.

“Government agencies are increasingly the target of persistent and sophisticated nation-state attacks that could disrupt financial markets and our economy,” the organizations wrote. “It is imperative that federal regulators recognize that they are equally a target of malicious actors and implement the same or substantially similar cybersecurity and incident response practices that they expect financial institutions to maintain.”

Financial institutions are legally required to share sensitive, proprietary and non-public information with their regulators as part of the supervisory process. This information can range from capital and liquidity management to cybersecurity protocols. However, centralizing large amounts of data can create a prime target for illicit actors seeking to harm US economic security, say the organisations.

They point out that over the past two years, both the Treasury Department and the OCC have suffered significant cyber incidents.

At the OCC, hackers were at work inside its systems for over a year-and-a-half before the intrusion was discovered. Immediately after the breach was reported, both JPMorgan Chase and Bank of New York Mellon scaled back electronic information sharing with the agency.

To mitigate risk and prevent similar problems in the future, the groups are urging the Treasury to hold federal agencies to the same security and data protection standards as private companies.

They want to limit data collection to only what is necessary and avoid centralisation of sensitive data, allowing companies to maintain control and access to their data.

The letter states: “As firms are required to share non-public, highly sensitive information with regulators as part of the supervisory process, compromises at regulatory agencies could expose institutions’ vulnerabilities and business information to malicious actors, putting them at strategic disadvantage.”
