Finding shelter as cyber threats escalate


Boost resilience with Sheltered Harbor 


Despite all the cybersecurity safeguards and systems that financial institutions have put into place over the past several years, bank leaders understand that there is no end to the new techniques that criminals will employ to attack them. The threats pose a never-ending challenge to banking leaders.


Cybersecurity was the No. 1 challenge identified by finance leaders in data aggregated over the course of three years of Grant Thornton’s quarterly CFO surveys through the end of 2023.



“Cybersecurity preparedness has become increasingly important for banks,” Federal Reserve Board Vice Chair for Supervision Michael S. Barr said in January 2024. “Banks must take action to uncover vulnerabilities in their systems and remedy those vulnerabilities before attacks occur. But focusing on cyber defense is not sufficient. It is important that banks also focus on resilience to successful cyberattacks, including by developing and regularly testing business continuity plans.”


Building resilience for the continuity of business services is the objective of Sheltered Harbor’s standards, designed by the financial community to promote the stability and resiliency of the financial sector and preserve public confidence in the financial system by protecting customers’ access to their accounts even when a crisis, such as a “zero-day” cyberattack, data corruption, or data deletion event occurs.




Welcome to Sheltered Harbor


Sheltered Harbor was founded to protect customers, financial institutions and public confidence in the financial system when a catastrophic event such as a cyberattack causes critical systems — including backups — to fail. Implementing Sheltered Harbor’s standards augments an institution’s disaster recovery and business continuity plans with industry-developed crisis and emergency management processes. This enables institutions to proactively plan for and recover from a crisis and to continue providing essential services to their customers while they reestablish normal operations. Sheltered Harbor is a not-for-profit, industry-led “standards setting and certification” organization made up of financial institutions, core service providers, national trade associations, alliance partners and solution providers dedicated to enhancing financial sector stability and resiliency.




Three keys to Sheltered Harbor resiliency


Sheltered Harbor’s standards are based on three core pillars:

  1. Data vaulting. Each night, financial institutions participating in Sheltered Harbor back up their critical data sets. (Banks and brokers back up their industry-defined critical account data in a standard format.) The data is then encrypted and transferred to a data vault. The vault is encrypted, unchangeable and completely separated from the institution’s infrastructure, including all of its backups, so that an attacker who has compromised the institution’s systems cannot reach it. Sheltered Harbor participants either manage their own vault or use a participating service or solution provider. In the event of a crisis, natural disaster or other severe system failure, the financial institution’s data is transmitted to its own restoration platform, or to a participating service provider, where it is decrypted, restoring essential services such as customer access to accounts and funds.
  2. Resiliency planning. Sheltered Harbor participants must complete a rigorous and disciplined plan to address all business and technical steps necessary to restore essential services in the event of a cyberattack where all options to restore critical systems, including backups, cannot be completed in time to maintain customer confidence. Sheltered Harbor has defined specific playbooks that must be developed and tested by the institution before applying for and receiving Sheltered Harbor Cyber Resilience Certification. These include:
    • Resilience targets
    • Incident management
    • Crisis communications
    • Liquidity and funding
    • Failback to normal
    • Funds access
    • Testing
    • Data recovery
    • Restoration platform implementation
  3. Certification. Every Sheltered Harbor participant must institute a robust set of prescribed industry-developed safeguards and controls, all of which are independently assessed and/or audited annually to ensure compliance with Sheltered Harbor’s standards. Participants must also conduct an annual data recovery and data verification test. Only then will participants receive Sheltered Harbor certification and be allowed to display the certification seal. Testing, validation and independent assessments will also be required to prove that resiliency plans are in place and the participant’s organization is up to the task when a crisis arises.

Given the growing attention paid to cyber threats and the increasingly virtual nature of most customers’ banking relationships, concern over a potentially catastrophic cyberattack is ever increasing, and those institutions that have proactively planned will have a higher likelihood of surviving. Sheltered Harbor provides financial institutions of all types and sizes a lifeline to survival in an extreme crisis. Grant Thornton is a Sheltered Harbor Qualified Assessor, ready to help you prepare for, assess and test your compliance with the sector’s purpose-built resilience standards. If you would like to learn more about Sheltered Harbor, we would be happy to speak with you.



Content disclaimer

This Grant Thornton LLP content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton LLP. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

For additional information on topics covered in this content, contact a Grant Thornton LLP professional.