A cyberattack on the US Office of the Comptroller of the Currency (OCC) has alarmed big banks, both over what the attackers accessed and over what the regulator did (or did not) communicate to affected institutions.
Several of the country's largest banks, including JPMorgan and Bank of America, have scaled back electronic information-sharing with the OCC following a breach of the regulator's email system. While the OCC conducts a third-party assessment, banks remain in the dark about what sensitive data may have been exposed.
The prudential regulator is accused of failing to proactively notify supervised entities, leaving some to learn of the breach through media reports. This has raised concerns about a possible misalignment between the expectations placed on financial institutions and the practices of regulators themselves. Notably, the OCC faced scrutiny last year after Confidential Supervisory Information (CSI) concerning banks' operational risk management ratings was leaked to the press.
This episode lands at a delicate moment. The OCC is under interim leadership, and the White House has signaled an intent to consolidate regulatory agencies, raising questions about governance, accountability, and coordination across the supervisory landscape. If financial resilience starts with trust, then the trust gap exposed here is more than a cyber risk concern — it's a governance one. Should banks now treat regulators as third-party risk vectors in their own right?