OCC data breach sparks concerns over bank-regulator communication

A recent cybersecurity breach at the Office of the Comptroller of the Currency has undermined banks' trust in the agency and raised questions about the best way for them to communicate with regulators.

The OCC discovered the breach on Feb. 11 and issued a public notice on Feb. 26. However, the extent of the incursion and the information accessed were not fully known until nearly two months later, when the OCC classified it as a major incident and informed Congress.

Many banks regulated by the OCC were not aware of the breach, which the agency said involved "highly sensitive information relating to the financial condition of federally regulated financial institutions," until media reports emerged in April, according to the Wall Street Journal. Acting Comptroller Rodney Hood on April 14 sent a letter to banks regulated by the OCC regarding the incident, nearly a week after the report to Congress that spurred media coverage of the hack.

The agency's slow response and communication about the breach have made banks wary, eroding trust and prompting some to seek alternative methods for sharing sensitive information with regulators. The situation has sparked debate over the most secure and efficient methods for delivering sensitive information to regulators.

"I don't think it's crazy for the banks to take this position," Carleton Goss, who was formerly a lawyer at the OCC and is now a partner at Hunton Andrews Kurth LLP, said in an interview. Banks "have other legal and contractual obligations to parties to ensure confidentiality of information."

It remains unclear what information the hackers accessed, but depending on the severity, banks may be required to make disclosures to the Securities and Exchange Commission. The breach lasted about a year and a half, from May 2023 to February 2025, when Microsoft alerted the OCC to suspicious activity. The OCC will "notify potentially impacted parties as its review progresses," a spokesperson told S&P Global Market Intelligence on April 9.

The OCC regulates more than 1,000 of the nation's largest banks, overseeing more than $16 trillion in total assets, according to Market Intelligence data.

Banks that have paused some electronic information-sharing include JPMorgan Chase & Co., Bank of America Corp. and Bank of New York Mellon Corp., according to media reports.

Other options for sharing information with regulators include paper or flash drives, but these methods are less efficient, advisers said. Imagine "Jamie Dimon runs over an envelope himself," Goss said.

Email has been used because it is more efficient, but advisers said the risk of security breaches may not be worth more than the reward of efficiency. The situation has sparked renewed debate about whether email is a suitable method for banks to convey sensitive information to regulators.

"To the extent that we, historically, have been sharing confidential information over emails, maybe we should do something different," Goss said.

Following the OCC media reports, the FDIC released a statement confirming that electronic communication through its secure email portal is the agency's primary method of supervisory correspondence, a process established during the COVID-19 pandemic. This has raised broader concerns regarding federal regulators' security protocols.

"It just raises the question: What are their systems and what kind of protection is there?" Chip MacDonald, managing director of MacDonald Partners LLC, said in an interview.

The OCC should have utilized a more reliable method for archiving banks' data, according to a cybersecurity lawyer.

"I would have hoped the OCC would have known to move certain information to a more secure archive, but it is extremely difficult, given that we communicate so extensively by email, to ensure that all data is moved to a more secure location," Lisa Sotto, partner and chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP, said in an interview.

One secure option for transmitting sensitive information online is through platforms that allow for encrypted data sharing. This method is less tedious than using physical paper or flash drives but more secure than email. Other industries, such as healthcare, use these tools, as well as the Securities and Exchange Commission.

Those systems have "high levels of security safeguards," Sotto said. "Email is not among the safer ways to either transfer data or maintain data and systems."