Finding shelter as cybersecurity threats grow


Despite all the cybersecurity safeguards and systems that financial institutions have put into place over the past several years, bank leaders understand that there’s never an end to the new techniques that criminal elements will put into place to attack them. The threats, it seems, have never been greater.


“We cannot be complacent,” Acting Comptroller of the Currency Michael J. Hsu said in an urgent plea to financial sector leaders in recent (August 2022) remarks to the FBIIC and FSSCC.


Hsu complimented industry leaders on their building of strong cyber defenses and their work with law enforcement and regulators to guard against attacks. But he also cautioned against a false sense of security.


In a society that is intensely interconnected online, threats are evolving as quickly as the safeguards that are developed to keep data and systems safe. Opportunities increased dramatically for cyberthieves when the COVID-19 pandemic led to a huge rise in virtual activity. Meanwhile, the geopolitical instability sparked by Russia’s war with Ukraine created additional motivation for state-sponsored actors to use their considerable resources to wreak havoc on systems and data worldwide.


“The increasing interconnectedness and complexity of today’s operating environment and the continued cyberthreats pose a growing safety and soundness risk to banks and the broader financial sector if not properly managed,” Hsu said. “It is essential that financial institutions continue both to invest in building a secure and resilient infrastructure and to collaborate.”




Welcome to Sheltered Harbor


Sheltered Harbor was created to protect customers, financial institutions and public confidence in the financial system if a catastrophic event like a cyberattack causes critical systems—including backups—to fail. Implementing the Sheltered Harbor standard prepares institutions to provide customers timely access to balances and funds in such a worst-case scenario, one that traditional disaster recovery programs cannot adequately satisfy for the financial services industry. Sheltered Harbor is not a vendor, product or service. It is a not-for-profit, industry-led initiative comprised of financial institutions, core service providers, national trade associations, alliance partners, and solution providers dedicated to enhancing financial sector stability and resiliency.




Three keys to Sheltered Harbor resiliency


Sheltered Harbor is based on three core elements:

  • Data vaulting. Each night, financial institutions participating in Sheltered Harbor back up critical customer account data in a standard format. The data is then encrypted and transferred to a data vault. This vault is completely separate from the institution’s systems, so no matter how effective a cyberattack, the attackers can’t reach the vaulted data. The data vault is air-gapped, meaning it is completely isolated from the bank’s systems. Sheltered Harbor participants either manage their own vault or use a participating service provider. The data vault is encrypted, unchangeable, and completely separated from the institution’s infrastructure, including all backups. In the event of a breach, natural disaster or other system failure, the financial institution’s data is transmitted to a restoration platform, where it is decrypted, restoring customer access to accounts and funds.

  • Resiliency plan. All Sheltered Harbor participants must complete a rigorous and disciplined plan to address all business and technical steps necessary to restore service in the event of a cyberattack where all options to restore critical systems, including backups, have failed. This includes designating a Sheltered Harbor partner or developing a plan that can help restore customer data to a Restoration Platform as quickly as possible. The resiliency plan must address eight key areas:
    • Resiliency targets
    • Incident management
    • Liquidity and funding
    • Testing
    • Funds access
    • Crisis communications
    • Data recovery
    • Restoration Platform agreements
    • Failback Playbook

  • Certification. Every Sheltered Harbor participant must institute a robust set of safeguards and controls, all of which are independently audited annually to ensure compliance with Sheltered Harbor standards. Participants must also conduct an annual data recovery and customer verification test. Only then will participants be certified and allowed to display the Sheltered Harbor Data Protected seal. Testing and validation will also be required to prove that Resiliency Plans are in place and the participant’s organization is up to the task, for when a Sheltered Harbor event arises.

Given the growing attention paid to cyberthreats and the increasingly virtual nature of most customers banking relationships, concern over a potentially catastrophic cyberattack is continually growing. Sheltered Harbor offers your institution a significant safeguard, and one that will likely resonate with your market. Grant Thornton is a Sheltered Harbor Qualified Assessor, ready to help you prepare for, assess, and test your compliance with the sectors purpose-built resilience standards. If you would like to learn more about Sheltered Harbor, we would be happy to speak with you.




Our featured advisory services insights