by Jordan Robertson, Jake Bleiberg, Hannah Levitt and Todd Gillespie
Some of America’s biggest banks are limiting the sharing of information with the Office of the Comptroller of the Currency because they are concerned about potential security risks to their computer networks following a major hack of the regulator’s emails.
JPMorgan Chase & Co. and Bank of New York Mellon Corp. have paused sharing information with the agency electronically, according to people familiar with the matter. The moves follow a major breach of the OCC’s email system where hackers spied on more than 100 accounts over the course of more than a year, Bloomberg reported this month.
The OCC and the US Treasury deemed the breach a “major incident” that gave hackers access to highly-sensitive information about the financial health of federally-regulated financial firms. As well as standard financial information, the material banks regularly provide to the OCC includes reports about their cybersecurity protections, vulnerability assessments and even the content of National Security Letters which often include highly-confidential information about terrorism, espionage and other investigations, some of the people said.
Representatives for JPMorgan and BNY declined to comment. A spokesperson for the OCC said it’s working with independent third-party cybersecurity experts to review the hack and evaluate its IT security policies for cyber incidents.
“This work is ongoing, and the OCC is engaged with its supervised institutions to keep them informed as these investigations progress,” the spokesperson said. “OCC’s onsite examiners continue to retain access to bank information as necessary to conduct supervisory activities, while ensuring the security of the data.”
Citigroup Inc., which remains under tighter oversight than its peers due to an OCC consent order, has not limited the information it’s sharing with the regulator, according to people familiar with the matter. A spokesperson for the bank declined to comment.
It wasn’t immediately clear if Bank of America Corp., Wells Fargo & Co. and Goldman Sachs Group Inc. had taken the same course of action. Representatives for those banks declined to comment.
The breach was first detected in mid-February, but some of the banks didn’t learn of its extent and impact until Bloomberg reported the hack this month, according to some of the people. That’s raised questions about the adequacy of the OCC’s response and the lack of safeguards that would have prevented the incident in the first place, some of the people said, asking not to be identified discussing private information.
The OCC is yet to review all the contents of the emails and attachments to determine exactly what was taken, according to some of the people. It’s also yet to determine if it needs to alert any banks that their information may have been stolen, those people said.
Initially, officials at the agency believed the breach was less extensive than it turned out to be, some of the people said. But after working with Microsoft Corp. — which first detected the hack on Feb. 11 — and cybersecurity firm CrowdStrike Holdings Inc., officials decided it met the conditions of a major incident, which it detailed in a statement last week. The OCC also brought in cybersecurity company Mandiant to investigate, according to people familiar with the matter.
The OCC has disclosed the names of some staff whose accounts were hacked to the banks — which themselves operate under strict regulator disclosure and security requirements. But the agency is yet to disclose to those firms the kinds of data stolen. It has also not shared whether the hacked emails included cybersecurity-related information — data that could be used to identify weak points in the banks’ computer networks and provide a roadmap for hackers, according to some of the people.
The incident has also raised concerns in Washington. The US House Financial Services Committee and US Senate Committee on Banking, Housing, and Urban Affairs are seeking more information from OCC about the breach, spokespeople for the groups said.
David P. Weber, a professor of fraud and forensic accounting at Salisbury University and former special counsel for enforcement at the OCC, said he’s sympathetic to the banks’ security concerns but said their limiting how they share information represents a “historic” bucking of the regulator.
“It signals a fundamental breakdown of the examination authority of the OCC,” said Weber. “It’s a big deal.”
The incident spotlights a danger that bank leaders concede keeps them up at night — the prospect of a cyberattack that compromises their data. Multiple high-profile breaches targeting the financial sector have surfaced in recent years. In December, the Treasury revealed that Chinese state-sponsored hackers had accessed its network through a third-party provider, giving the hackers access to some unclassified documents and former Secretary Janet Yellen’s computer.
The US unit of Industrial & Commercial Bank of China Ltd. was hit by a cyberattack in late 2023 that prevented it from clearing swathes of trades.
It’s still unclear who was responsible for the recent breach at the OCC.
Some bank officials worry that hacked OCC emails could include sensitive data about their firms’ security and operations, as the documents exchanged between the parties include the results of examinations that ensure the institutions are meeting regulators’ security requirements.
They’re also concerned about the information from National Security Letters — which banks receive from government agencies and can contain the identities of the confidential targets of federal counterterrorism, counterespionage and other secret investigations — having been potentially caught up in the breach.
In a draft letter from the OCC to Congress seen by Bloomberg News, the agency said its staff were reviewing the compromised emails and attachments to determine the severity of the hack.
Experts from the OCC’s “bank supervision policy, large bank supervision, midsize and community bank supervision, and supervision risk and analysis lines of business” convened to review the hacked emails, according to the letter.
The compromised material could be used to launch targeted, follow-on cyberattacks on banks or to try to extort them, according to Marc Bleicher, chief technology officer at Surefire Cyber Inc.
“Banks rely on secure communication with regulators, so the erosion of trust here is the biggest concern,” said Bleicher, whose firm has clients in the financial industry. “This event showed a weak link in the financial sector’s cybersecurity.”
Copyright Bloomberg News