Industry News

Reexamining Regulator Cybersecurity: Data Risks and Oversight Gaps in the Financial System

Recent cyber breaches at the OCC and U.S. Treasury have exposed gaps in federal data handling practices. This article from NETBankAudit explores the risks centralized supervisory data poses to financial institutions, highlights oversight inconsistencies, and outlines key audit actions to mitigate exposure.
Quick Links:
No items found.
No items found.

Federal regulators have long expected financial institutions to uphold stringent cybersecurity and data governance standards. Yet, recent breaches at regulatory agencies themselves have revealed a troubling paradox: institutions are being held to standards their overseers cannot meet.

In this article, NETBankAudit examines the industry’s growing concern over federal data handling practices, the risks introduced by centralization of supervisory data, and practical implications for compliance and audit teams tasked with safeguarding confidential supervisory information.

Cybersecurity Breaches Undermine Regulatory Trust

A June 2025 joint letter from leading trade associations, including the American Bankers Association (ABA), Bank Policy Institute (BPI), Managed Funds Association (MFA), and Securities Industry and Financial Markets Association (SIFMA), called for sweeping reforms to federal data handling practices. Their concerns were prompted by a series of breaches, including:

  • A prolonged compromise at the Office of the Comptroller of the Currency (OCC), where hackers accessed 148,000 internal emails between May 2023 and February 2025. These communications contained sensitive financial data on supervised institutions.
  • A December 2024 attack on the U.S. Treasury involving Chinese state-sponsored actors, compromising documents and devices used by senior leadership.

These incidents prompted the trade groups to call for regulators to meet the same cybersecurity expectations imposed on the private sector and to reassess how supervisory data is collected, centralized, and retained¹.

The Cybersecurity Double Standard Between FI's and Regulators

Audit Risk Introduced by Centralized Supervisory Data

For financial institutions, the fallout extends beyond the direct regulatory scrutiny following a breach. The centralized storage of confidential supervisory information (CSI) by federal agencies introduces new operational and reputational risks:

  • Lack of Control: Once CSI is submitted to a regulator, institutions lose control over its protection and transmission, leaving them exposed to third-party vulnerabilities.
  • Regulatory Delay in Notification: In some recent incidents, affected entities were not informed of regulator-side breaches for weeks or months¹. This impairs risk response and may hinder compliance with third-party risk management standards.
  • Data Aggregation Risks: Large-scale aggregation of sensitive financial data in centralized regulatory systems makes them high-value targets. The attack surface expands with every institution required to upload full supervisory files.

As the June 2025 joint letter argued, agencies should permit more on-premise review of sensitive data, limiting unnecessary duplication or transfer of CSI¹. From a compliance and audit perspective, this model would align with least-privilege access principles and help financial institutions maintain better control of risk.

Current Gaps in Oversight and Policy Alignment

Despite advancements in industry-side third-party risk frameworks, federal agencies remain outside the scope of many security expectations they themselves promote. While the 2023 Interagency Guidance on Third-Party Relationships outlines clear responsibilities for institutions in managing vendor risk, the same rigor has not been mirrored in regulator-side cyber governance².

Auditors should note the following asymmetries:

  • Breach Notification Standards: Institutions are often required to notify regulators within 36 to 72 hours of an incident. Yet, no reciprocal obligation currently compels regulators to notify institutions after agency-side breaches.
  • Vendor Oversight Practices: Financial institutions are subject to scrutiny for the performance and controls of all vendors with access to customer or supervisory data. However, regulators themselves often operate opaque contracting and system management processes, without public vendor assessments or third-party attestations.
  • Incident Response Planning: While institutions must regularly test response playbooks and conduct tabletop exercises, agency processes are not uniformly transparent or standardized across regulatory bodies.

For audit and compliance teams, these inconsistencies create blind spots. CSI that leaves your institution may be unknowingly at risk due to downstream weaknesses in regulator systems.

Harmonization Efforts and the Need for Sector-Wide Reform

In parallel with the industry’s June 2025 advocacy letter, other agencies have acknowledged the need for more cohesive policy. The Cybersecurity and Infrastructure Security Agency (CISA), in its harmonization report to the Office of the National Cyber Director, emphasized the fragmented and duplicative reporting requirements facing critical infrastructure entities, including financial services. The report encouraged standardized reporting, centralized intake, and shared threat intelligence mechanisms³.

Yet, the harmonization effort has largely focused on regulated entities, not the regulators themselves. This remains a critical gap.

The CFPB’s May 2025 notice on confidential supervisory information similarly signals growing tension. The Bureau proposed changes that would limit the disclosure of CSI even in internal investigations or litigation. Critics argue that such restrictions, absent clear data protection reforms on the agency side, may further erode industry trust⁴.

Implications for Financial Institutions and Auditors

In light of these developments, NETBankAudit recommends financial institutions and their audit teams consider the following actions:

  1. Review CSI Handling Procedures: Confirm what types of supervisory data your institution submits to regulators, in what formats, and through which systems. Evaluate whether you have appropriate documentation of access logs, data minimization efforts, and retention policies.
  1. Enhance Regulator Risk Assessments: Treat regulators and federal agencies as third-party data recipients. Conduct risk assessments accordingly, identifying exposure points and evaluating whether agency-side breaches may trigger disclosure obligations under state or contractual privacy rules.
  1. Advocate for Secure On-Site Review: Where possible, request or support policies that allow for sensitive supervisory data to be reviewed securely on-site rather than uploaded to regulator-controlled systems. This aligns with zero-trust principles and helps limit the aggregation of risk.
  1. Include Regulatory Cyber Risk in Board Reports: Provide updates to boards or risk committees about risks introduced by regulator-side data exposure. Clear communication can help prioritize policy engagement and internal contingency planning.
  1. Track Ongoing Policy Developments: Monitor Treasury and agency responses to the June 2025 letter and related cybersecurity harmonization efforts. Future updates may change data handling expectations or lead to interagency guidance.

Protect Your Institution with NETBankAudit Expertise

The cybersecurity risk landscape is not limited to financial institutions and their vendors. As breaches at the OCC and Treasury have shown, federal agencies themselves can introduce systemic vulnerabilities. Compliance and audit professionals must reassess their frameworks to account for these risks and push for consistent, reciprocal standards in data protection.

As the lines blur between internal and external risk domains, financial institutions must remain vigilant, adaptive, and engaged in policy reform. NETBankAudit will continue monitoring regulatory developments and supporting institutions in building resilient, risk-aware audit and compliance programs.

Our team brings deep expertise in FFIEC compliance, BSA/AML reviews, and IT risk assessments — with a focus on helping institutions meet rising expectations while staying operationally resilient.

To learn how NETBankAudit can support your institution in navigating emerging data governance risks, complete our form here.

References

  1. "US financial groups call for reforms in regulators’ handling of sensitive data," Retail Banker International, June 10, 2025.
  2. "Interagency Guidance on Third-Party Relationships: Risk Management," Federal Deposit Insurance Corporation, June 2023.
  3. "Harmonization of Cyber Incident Reporting to the Federal Government," Cybersecurity and Infrastructure Security Agency (CISA), June 2023.
  4. "Proposed Rule on Confidential Supervisory Information," Consumer Financial Protection Bureau, May 2025.
  5. Joint Trades Letter to Treasury Secretary Scott Bessent, June 9, 2025.
 
class SampleComponent extends React.Component { 
  // using the experimental public class field syntax below. We can also attach  
  // the contextType to the current class 
  static contextType = ColorContext; 
  render() { 
    return <Button color={this.color} /> 
  } 
}
Table of Contents
This is also a heading
This is also a heading
This is a heading

Mitigate Risks with Comprehensive Audits & Assessments

Request For Proposal
NEWS & ARTICLES

Explore Our Learning Center

View All Articles
Industry News
Reexamining Regulator Cybersecurity: Data Risks and Oversight Gaps in the Financial System
Recent cyber breaches at the OCC and U.S. Treasury have exposed gaps in federal data handling practices. This article from NETBankAudit explores the risks centralized supervisory data poses to financial institutions, highlights oversight inconsistencies, and outlines key audit actions to mitigate exposure.
Read more
Industry News
OCC Rejects Call to Rescind Preemption Rule: What It Means for the Dual Banking System
Understand the OCC’s reaffirmation of federal preemption and its impact on the dual banking system, including legal context, industry response, and audit implications for financial institutions navigating federal and state oversight.
Read more
Industry News
Insights From BSA Coalition’s AI and Fraud Webinar
Explore key takeaways from the BSA Coalition’s AI and Fraud webinar, including deepfake risks, synthetic ID fraud, governance gaps, and practical strategies for financial institutions to stay secure and compliant.
Read more
Industry News
NETBankAudit Announces Elaine Rudolph-Carter as Regulatory Oversight and BSA Specialist
NETBankAudit welcomes Elaine Rudolph-Carter as Regulatory Oversight and BSA Specialist. With decades of experience at the Federal Reserve and as a BSA Coalition co-founder, Elaine enhances our compliance and audit expertise.
Read more
Cybersecurity
Social Engineering Testing: Safeguarding Financial Institutions from Human-Centric Cyber Threats
Discover how financial institutions can protect against social engineering attacks through phishing, vishing, pretexting, and more. Learn the value of internal and third-party testing to strengthen employee awareness and regulatory compliance.
Read more
Compliance
Flood Disaster Protection Act: Lender Compliance, Insurance Requirements, and Regulatory Oversight
Understand lender obligations under the Flood Disaster Protection Act, including flood insurance purchase requirements, force placement, escrow management, and private policy acceptance. Essential guidance for financial institutions.
Read more
Compliance
Regulation B – Equal Credit Opportunity Act: Practical Guide for Fair Lending Compliance
Explore key requirements of Regulation B and the Equal Credit Opportunity Act, including fair lending rules, prohibited practices, application standards, and recent enforcement actions. Essential for compliance professionals in financial services.
Read more
Compliance
Right to Financial Privacy Act: Safeguarding Customer Financial Records from Unwarranted Government Access
Learn how the Right to Financial Privacy Act (RFPA) protects customer financial records from unwarranted government access. This guide explains RFPA procedures, exceptions, enforcement actions, and how financial institutions can stay compliant.
Read more
Risk Assessments
Independent Network Testing Requirements And Recommendations
Explore essential network testing protocols and best practices to ensure optimal performance, reliability, and compliance in modern IT infrastructures.
Read more
Cybersecurity
Assessing It Department Performance And Staffing
Learn how to evaluate IT department efficiency and staffing needs using key performance indicators and strategic assessment methodologies.
Read more
Cybersecurity
Artificial Intelligence: Opportunities And Threats for Financial Institutions
Understand the risks and benefits of AI in financial institutions, with actionable strategies to ensure ethical use, regulatory compliance, and resilience.
Read more
Compliance
Regulatory Landscape Shift: What is the Status of CFPB and Other Regulatory Agencies?
Stay ahead of U.S. regulatory changes impacting financial institutions, including CFPB restructuring, OCC priorities, and Basel III Endgame considerations.
Read more
Cybersecurity
Vulnerability & Patch Management in Financial Institutions
Discover a compliance-first approach to vulnerability and patch management, minimizing security risks within financial organizations.
Read more
Compliance
Understanding Customer Identification Program (CIP) Requirements
Gain insights into CIP mandates for financial institutions, ensuring compliance with KYC regulations and enhancing customer verification processes.
Read more
Cybersecurity
Ransomware in 2025: A Persistent Threat in a Shifting Landscape
Analyze the diminishing influence of ransomware groups and understand the factors contributing to their reduced impact in the cybersecurity landscape.
Read more
Cybersecurity
Generative AI Controls and Risk Assessments for Financial Institutions 
Uncover potential risks of generative AI, including ethical, legal, and operational challenges, and learn strategies to mitigate them effectively.
Read more
Risk Assessments
Enhanced Due Diligence: A Practical Guide for Compliance Officers in Financial Institutions
Explore how Enhanced Due Diligence protects financial institutions from high-risk clients by meeting FATF, FinCEN, and FFIEC compliance expectations.
Read more
Risk Assessments
The CRI Cyber Profile: A Guide for Financial Institutions
Learn how the CRI Cyber Profile helps financial institutions meet FFIEC standards through scalable risk assessments and enhanced regulatory alignment.
Read more
Compliance
Protecting Elderly Customers: NETBankAudit's Elder Fraud (EFE) Audit Services
NETBankAudit offers specialized Elder Fraud Audit Services designed to help financial institutions detect, prevent, and respond effectively to EFE, ensuring compliance with regulatory standards and reinforcing trust with their customers.
Read more
Compliance
Key Findings from NETBankAudit’s 2024 BSA/AML Audits and MIS Verification Audits
View results of over 30 Bank Secrecy Act (BSA) Compliance Audits across community banks, credit unions, and other financial institutions in 2024.
Read more
Compliance
Guide to Currency Transaction Reports (CTRs): Strategies and Best Practices
Currency Transaction Reports (CTRs) serve as critical tools in the fight against money laundering, terrorist financing, and other financial crimes.
Read more
Compliance
Enhancing Transaction Monitoring and Suspicious Activity Reporting: Strategies for Effective Compliance
Learn about Transaction Monitoring and Suspicious Activity Reporting best practices for Financial Institutions.
Read more
Compliance
Risk Assessment Best Practices for BSA/AML/CFT and OFAC Compliance
Fortify your institution’s BSA AML risk assessment processes by weaving together best practices, real-world examples, and authoritative guidance from global regulatory entities.
Read more
Compliance
Emerging Threats to BSA/AML/CFT and OFAC Compliance: Navigating AI, Cryptocurrency, and Machine Learning Risks
Understand the impact of emerging technologies such as AI, Machine Learning, Crypto and more on BSA, AML and CFT compliance.
Read more
Industry News
Key Cybersecurity Deadlines and New DFS Requirements Coming in 2025
Updates on The New York Department of Financial Services (DFS) new requirements under its amended Cybersecurity Regulation (23 NYCRR Part 500).
Read more
Industry News
FFIEC CAT Sunset Prep: A Guide to NIST CSF 2.0, CRI Cyber Profile & CIS Controls
With the Federal Financial Institutions Examination Council (FFIEC) announcing the sunset of the Cybersecurity Assessment Tool (CAT) by August 31, 2025, financial institutions must pivot to new resources to manage cybersecurity risks effectively.
Read more
Compliance
FCA Final Rule on Cyber Risk Management: The 2025 Guide for Financial Institutions
The Farm Credit Administration (FCA) has issued a groundbreaking final rule on Cyber Risk Management, reshaping how institutions within the Farm Credit System (FCS) address cybersecurity.
Read more
Cybersecurity
Farm Credit Administration Guidance on Navigating AI and Emerging Cybersecurity Risks
Discover how the Farm Credit Administration's guidance helps financial institutions navigate AI integration and emerging cybersecurity risks. Learn key strategies for compliance and effective risk management.
Read more
Industry News
2024 Annual Audit and Exam Issues: Insights from NETBankAudit
A 2024 survey of examination and audit issues collected from over 250 audit engagements to assist our clients in identifying commonly reported examination and audit issues.
Read more
Compliance
Understanding Placement, Layering, and Integration: The Core Stages of Money Laundering
This guide delves into each stage of money laundering—Placement, Layering, and Integration— highlighting common methods, red flags, and the challenges inherent in detection.
Read more
Compliance
Structuring and Smurfing Explained: Strengthening AML Compliance
This guide delves into the definitions, methods, legal implications, real-world examples, and best practices associated with structuring and smurfing, providing actionable insights to bolster compliance programs.
Read more
Compliance
Circular Transactions & Funnel Accounts: Unveiling Money Laundering Tactics
This guide delves into the methodologies of circular transactions and funnel accounts, highlights red flags for their identification, and provides actionable best practices for robust compliance.
Read more
Compliance
Navigating BSA, AML, CFT and OFAC: An Overview of Finance Regulations
This guide provides an overview of the Bank Secrecy Act (BSA), Anti-Money Laundering (AML) protocols, and Office of Foreign Assets Control (OFAC) regulations.
Read more
Cybersecurity
Elder Financial Exploitation and Fraud: What You Need to Know
This article delves into the scope, trends, and impacts of elder fraud, highlighting red flags and strategies to protect one of society’s most vulnerable groups.
Read more
Risk Assessments
Understanding Gift Card Scams: Regulations, Risks, and Tips for Safe Usage
Learn about gift card scams including essential regulations, common risks, and actionable tips to ensure you can use gift cards wisely and securely.
Read more
Risk Assessments
FFIEC Development, Acquisition, and Maintenance (DA&M) Booklet: What You Need to Know
Understand the FFIEC's Development, Acquisition, and Maintenance (DA&M) Booklet including key updates and their implications on financial entities.
Read more
Cybersecurity
Phishing in Financial Services: Protecting Your Institution Against Cyber Threats
Phishing Attacks on financial institutions are increasing in frequency and complexity. We explain the tactics, regulations and strategies to protect your institution from cyber threats.
Read more
Cybersecurity
Penetration Testing Methodology and Procedures for Financial Institutions
Learn the process, methodologies, tools, and best practices for conducting effective penetration tests in financial institutions.
Read more
Cybersecurity
IT Governance: Aligning Technology with Business Strategy for Optimal Performance
Explore how financial institutions can implement effective IT governance frameworks to align their technology initiatives with business objectives, manage risks, and ensure regulatory compliance.
Read more
Cybersecurity
Common Cybersecurity Attacks and Penetration Testing Solutions For Financial Institutions
Understand common cybersecurity attacks and penetration testing solutions to mitigate risk in an increasingly sophisticated environment.
Read more
Industry News
Bank-Fintech Partnerships: Analysis of the Federal Reserve Board's 2024 Guidance
Analysis of bank-fintech partnerships, risks, and regulatory programs with a focus on the Federal Reserve Board's 2024 guidance.
Read more
Industry News
Risks and Strategies for AI Cybersecurity Risks: Key Takeaways from NY DFS Letter
Learn key AI cybersecurity risks and controls from the October 2024 letter from New York Department of Financial Services
Read more
Cybersecurity
IT Risk Management Solutions for Financial Services: Safeguarding Your Digital Assets
This article explores key IT risk management solutions for the financial sector, offering practical insights to help institutions protect their digital assets and maintain regulatory compliance.
Read more
Cybersecurity
IT Business Continuity Plans for Financial Institutions
This article explores the essential components of IT business continuity planning, emphasizing the unique needs of financial institutions drawing from FFIEC guidance.
Read more
Cybersecurity
IT Change Management for Financial Services
This guide covers IT change management for financial services, providing insights, best practices, and strategies for successfully navigating the complexities of managing IT changes.
Read more
Cybersecurity
Data Assurance in Financial Services: Ensuring Integrity of Financial Information
This guide delves into the critical aspects of data assurance in financial services, offering insights, best practices, and forward-looking perspectives to help you navigate this complex field.
Read more
Cybersecurity
IT Crisis Management Guide for Financial Services: Protecting Your Institution
This guide explores the critical aspects of IT crisis management in financial services, offering insights and strategies to help financial institutions navigate through disasters.
Read more
Industry News
2023 Annual Audit and Exam Issues: Insights from NETBankAudit
Read NETBankAudit's insights from the 2023 audit season, based on over 250 audit and over 750 technical testing engagements with financial institutions.
Read more
Compliance
Customer Due Diligence (CDD) Guide for Financial Institutions
Learn best practices for of Customer Due Diligence (CDD) for financial institutions, designed to prevent money laundering, terrorist financing, and other financial crimes.
Read more
Risk Assessments
Ransomware Assessment Facilitation for Financial Institutions
Get an in-depth look at ransomware assessment facilitation, focusing on the tools and strategies available to financial institutions to protect themselves against this pervasive threat.
Read more
Risk Assessments
URSIT Analysis – A Six Part Whitepaper Series
Learn about the the Uniform Rating System for Information Technology (URSIT) and the importance for financial services risk management.
Read more
Compliance
CECL Model and Validation: Ensuring Compliance with Regulatory Requirements
Learn about the Current Expected Credit Loss (CECL) model, introduced by the Financial Accounting Standards Board (FASB) with best practices for model validation.
Read more
Cybersecurity
IT Network Security Management: Protecting Your Digital Assets
Explore the key components of IT network security management, best practices for implementation, and emerging trends that are shaping the future of cybersecurity.
Read more
Cybersecurity
IT Security Incident Reporting: A Guide for Financial Institutions
Explore the critical aspects of IT security incident reporting, tailored specifically for smaller financial institutions.
Read more
Cybersecurity
Guide to Cybersecurity Assessments for Financial Institutions
A guide to cybersecurity assessments for financial institutions including guidance for the discontinuation of the CAT in 2025 and the shift to NIST 2.0 and CISA CPGs.
Read more
NETBankAudit Logo PNG
2024 NETBankAudit. All Rights Reserved.
Privacy PolicyTerms of Service
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept