OCC Email Breach Prompts JPMorgan & BNY Mellon to Curb Data Sharing
Key Takeaways
- JPMorgan and BNY Mellon Scale Back: Both banks have limited electronic data sharing with the OCC following a prolonged breach of the regulator’s email system.
- Sensitive Data Exposed: The year-long breach compromised over 100 OCC accounts and may have exposed cybersecurity reports, financial data, and classified National Security Letters.
- Regulatory Trust Erodes: Some banks reportedly learned the full scope of the breach only recently, raising concerns about the OCC’s transparency and response.
- Congress Steps In: Lawmakers from both the House and Senate are now pressing the OCC for answers and accountability.
- “Historic” Challenge: A former OCC enforcement official called the banks’ response a fundamental challenge to the agency’s examination authority.
Deep Dive
It’s not every day that major banks start treating a federal regulator like a cybersecurity risk. But after a quiet email breach inside the Office of the Comptroller of the Currency (OCC) stretched on for more than a year undetected, JPMorgan Chase and Bank of New York Mellon have decided to pump the brakes on how much sensitive information they’re sending.
As first reported by Bloomberg on Monday, the two banks have scaled back electronic information sharing with the OCC following the discovery of the breach, which was detected in February but had been active for over 12 months. More than 100 email accounts were compromised, many containing sensitive material from banks, including cybersecurity assessments, vulnerability reports, and even classified National Security Letters tied to counterterrorism and espionage cases.
The OCC and U.S. Treasury have labeled the incident a “major” one. But for banks already operating in a high-stakes threat environment, the bigger concern is what this says about regulator-side risk, and whether the very agency tasked with oversight can still be trusted to handle their most confidential data.
Lawmakers are taking notice. The House Financial Services Committee and the Senate Banking Committee are both pressing the OCC for answers, seeking clarity on how something this significant managed to stay in the shadows for so long.
Cybersecurity experts warn that the breach could open banks up to targeted attacks or extortion schemes, especially given the nature of the information potentially exposed. And while the OCC has reportedly told banks which staff accounts were affected, the agency hasn’t publicly detailed what types of data may have been stolen, including anything related to banks’ cybersecurity defenses.