The catch in Trump’s new bank cybersecurity hub

  • Key insight: Treasury, the government’s lead cyber partner to banks, is one of four agencies running Gold Eagle, a new AI clearinghouse for collecting and patching software vulnerabilities.
  • What’s at stake: Gold Eagle’s mandate to coordinate and share vulnerability findings across government sits awkwardly against Treasury’s existing promise that banks’ scan results stay private and away from regulators.
  • Expert quote: Avi Gesser, a Debevoise & Plimpton partner who advises financial firms, said the biggest risk is sharing highly sensitive vulnerabilities “without knowing exactly who is going to get access to that data, and what it can be used for.”

Overview bullets generated by AI with editorial review.

Processing Content

The federal government has built a new clearinghouse to collect software vulnerabilities, rank them and coordinate their patching across critical industries. Treasury will help run it.

The White House announced the program, called Gold Eagle (stylized by the government in all caps), in a press release Tuesday. The executive order behind Gold Eagle directly names banks as intended recipients of the government’s cyber tools.

The announcement describes an operation powered by artificial intelligence that accepts reports of cyber vulnerabilities from across industries, confirms them and pushes prioritized fixes back to defenders in government and business.

The White House, the Treasury Department, the Department of Homeland Security (through the Cybersecurity and Infrastructure Security Agency, or CISA) and the Defense Department (which the Trump administration calls the Department of War) will lead the project.

Treasury is the sector risk management agency for financial services, which means it is the government’s designated lead cyber partner to banks. Pairing AI with cybersecurity for the sector predates Gold Eagle; the department has been working toward it for a while.

Gold Eagle gives the government a new way to collect and route information about the software flaws in banks’ own systems — the kind of data institutions typically guard closely.

Joining could also create regulatory compliance or legal risk for banks that choose to do so. Handing a bank’s most sensitive security data to a government system built to share it could expose the bank to heightened regulatory scrutiny or lawsuits, according to a cybersecurity lawyer who advises financial firms.

The order behind it

Gold Eagle carries out part of a June executive order that gave the Treasury secretary 30 days to form “an AI cybersecurity clearinghouse, in voluntary collaboration with the AI industry and operators of critical infrastructure.”

Per the order, that clearinghouse “coordinates and deconflicts scanning for software vulnerabilities, discovers and validates such vulnerabilities, and coordinates and prioritizes remediation and distribution of vulnerability patches.”

The order also tells CISA to open access to government cybersecurity tools, “including, where appropriate, covered frontier models,” to critical-infrastructure operators “such as rural hospitals, community banks, and local utilities.”

The government has not named which frontier models (the current most advanced AI models from major vendors) are covered.

Built on plumbing Treasury already runs

Under Project Fortress, Treasury’s “whole-of-sector” program for financial services, banks can already get free scanning of their internet-facing systems for known vulnerabilities through CISA’s Cyber Hygiene service, plus government threat feeds and intelligence collaboration. Gold Eagle augments that program.

Treasury’s own Project Fortress materials assure banks that the results of CISA’s vulnerability scans stay confidential, are “not shared with regulators,” and cannot be used by examiners in audits.

But the Tuesday order says the Gold Eagle program will distribute vulnerability findings throughout the federal government.

None of the public materials about the new program say whether the scan data banks already share through Project Fortress will feed Gold Eagle. There is also no word on, if the scan data is shared, how the confidentiality promise of Project Fortress survives.

Treasury did not immediately respond to a request for comment.

That gap should give banks pause, according to Avi Gesser, a partner at Debevoise & Plimpton who co-chairs the firm’s data strategy and security group and advises financial-services companies on cybersecurity.

When considering participation in Gold Eagle, the biggest risk banks face is sharing highly sensitive vulnerabilities “without knowing exactly who is going to get access to that data, and what it can be used for,” he said.

He noted that the information a bank might turn over could include how long it has known about a given flaw, and he invoked the possibility that the government might use such information in a regulatory action or lawsuit against the bank.

Gesser sees a potential tension with the confidentiality promise, too. Project Fortress assures firms that their specific vulnerabilities stay confidential and are not shared with regulators, “but I haven’t seen that kind of assurance about Gold Eagle,” he said.

Operational and short on specifics

The White House says Gold Eagle has already started the process that will “intake and prioritize” vulnerabilities. It has not said who is taking part, how a bank would join or how the clearinghouse relates to the Project Fortress services banks already use.

The announcement names no company partners and describes no way to enroll. It is also silent on how Gold Eagle relates to the vulnerability-tracking infrastructure the government already backs.

Through CISA (one of Gold Eagle’s four leads), the government already sponsors the Common Vulnerabilities and Exposures program, or CVE, the 25-year-old catalog that software makers and defenders worldwide use as the common reference for security flaws. MITRE has run it for decades under federal funding.

That backbone nearly went dark last year. In April 2025, MITRE warned its board that the contract sustaining CVE was about to expire and the program would stop operating the next day.

CISA renewed it for 11 months only hours before the deadline. Board members, rattled by the near-miss, launched a nonprofit to cut the program’s reliance on a single government funder.

Gold Eagle appears positioned to fast-track private dissemination of vulnerabilities that would eventually land in the public CVE database.

The frontier AI behind it

Gold Eagle depends on frontier AI for identifying vulnerabilities, and the June order (the one that presaged Tuesday’s order) tells the government to build a framework for identifying those “covered frontier” models and getting early access to them.

The government has not named the developers Gold Eagle will draw on, but the usual suspects would be Anthropic and OpenAI, which are the current U.S. leaders in large language models.

In mid-June, the Commerce Department ordered Anthropic to cut off all foreign access to its newest models, Mythos 5 and Fable 5, citing national security.

Anthropic had said its Mythos model could find and exploit previously unknown software flaws, and it offered the model to financial institutions, among others. That is the kind of vulnerability-hunting Gold Eagle is meant to coordinate.

The government restored access for Mythos and Fable later in June after Commerce Secretary Howard Lutnick said his team had “worked closely” with Anthropic to review and approve the models. White House Chief of Staff Susie Wiles tied the resolution to that June executive order.

Also in June, the White House asked OpenAI to hold back its newest model, GPT-5.6, and release it only to a small group of government-approved partners, citing the model’s cybersecurity capabilities. The unusual move appeared to be the first time the government had preemptively asked a U.S. AI company to restrict a model before release.

What a bank should ask first

For a bank weighing whether to take part in Gold Eagle, Gesser said its general counsel or chief information security officer should get written answers first to questions such as: Who can see findings that identify the bank? Can that data be used in regulatory investigations?

He would also want to know whether the sharing qualifies for the liability protections of the Cybersecurity Information Sharing Act of 2015, and what becomes of them after the law’s September sunset.

The effect on banks’ disclosure duties is murkier. Gesser pointed out their existing obligations under the banking agencies’ 36-hour breach-notification rule and the Securities and Exchange Commission’s rules on disclosing material cyber incidents.

The open question, he said, is whether learning of a serious flaw through the clearinghouse (say, confirmation that attackers are already exploiting it in a bank’s systems) starts the clock on those obligations sooner than the bank might expect.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *