Goldman Sachs Group Inc. and Citigroup Inc. stepped up warnings to shareholders about cyber attacks as the U.S. prodded banks and government agencies to bolster their defenses.

Online and mobile banking give new points of entry that can be used to disrupt or penetrate operations, the two New York-based firms said last week in annual regulatory filings. The companies said they’re vulnerable to tactics that overload websites to shut off public access, such as assaults that disrupted the nation’s largest lenders late last year.

U.S. bank are speculating that foreign nations, organized crime or terrorists are behind efforts to cripple their websites and warning that costs to keep intruders at bay will rise.

President Barack Obama directed the government on Feb. 12 to develop voluntary security standards for companies running vital infrastructure and is pushing Congress to set formal rules.

“We are going to see more disclosures, and that’s a warning sign that things are really getting bad,” said Lawrence Ponemon, chairman of Ponemon Institute LLC, a Traverse City, Mich.-based security research firm, which predicts a 30 percent increase in expenses tied to cyber intrusions this year.

Attacks in December hit Bank of America Corp., JPMorgan Chase & Co., U.S. Bancorp, Wells Fargo & Co. and SunTrust Banks Inc., two executives at security companies said at the time. PNC Financial Services Group Inc., the second-biggest regional bank, said in its annual filing that cyber attacks may hurt customer confidence and increase costs at the Pittsburgh-based company.

Security Breaches

The intrusions aren’t limited to financial firms, with Microsoft Corp., the largest software maker, saying Feb. 22 a small number of its computers were infected by malicious software in a cyber attack similar to those experienced by Facebook Inc. and Apple Inc.

Cyber security gained renewed national attention in the past few years with revelations about a security breach of a U.S. Federal Reserve website, intrusions at the New York Times and other news organizations attributed to Chinese hackers, and a wave of so-called denial-of-service attacks that disrupted the websites of the biggest U.S. banks and payment networks.

The tactic can disable a website by flooding it with traffic. While that doesn’t give intruders access to cash or personal data, regulators warned banks in December the attacks might be used to distract staff while accounts are penetrated, or to block banks and customers from informing each other.