Imagine one morning you attempt a simple online transaction and are notified that your bank card is declined. When you check with your bank, you find that the bank has been the target of a catastrophic cyberattack. Your account has been emptied, your PIN is no longer recognized, there isn’t even an immediate way for the bank to confirm you are a customer. Now imagine you are that bank. You are scrambling to resolve the situation as quickly as possible, but the attackers have gotten so deep into your systems that they even control your backup servers. It could be days or even weeks before you can begin to restore service, and you may never be able to restore confidence. Your balance sheet and your brand could be looking at a fatal hit. While the financial services sector has not yet faced such an attack, you need look no further than the Sony Pictures breach in 2014, or the NotPetya attacks in 2017, which affected companies worldwide, to understand the potential damage.
Now imagine you are the executive team at the same bank facing the same attack. But instead of a potentially brand-crippling disaster, you engage a specialized air-gapped data protection system designed specifically to respond to such an event. Your customers and clients continue to have access to the data and funds in their accounts and your bank continues to function while you uncover and remediate the effects of the attack.
Welcome to Sheltered Harbor
Sheltered Harbor was created to protect customers, financial institutions, and public confidence in the financial system if a catastrophic event like a cyberattack causes critical systems—including backups—to fail. Implementing the Sheltered Harbor standard prepares institutions to provide customers timely access to balances and funds in such a worst-case scenario. Sheltered Harbor is not a vendor, product or service. It is a not-for-profit, industry-led initiative comprising financial institutions, core service providers, national trade associations, alliance partners, and solution providers dedicated to enhancing financial sector stability and resiliency.
Three keys to security
Sheltered Harbor is based on three core elements:
- Data vaulting. Each night, financial institutions participating in Sheltered Harbor back up critical customer account data in a standard format, which data is then encrypted and transferred to a data vault. This vault is completely separate from the institution’s systems, so no matter how effective a cyberattack, the attackers can’t reach the vaulted data. The data vault is air-gapped, meaning it is completely isolated from the bank’s systems. Sheltered Harbor participants either manage their own vault or use a participating service provider. The data vault is encrypted, unchangeable, and completely separated from the institution’s infrastructure, including all backups. In the event of a breach, natural disaster or other system failure, the financial institution’s data is transmitted to a restoration platform, where it is decrypted, restoring customer access to accounts and funds.
- Resiliency plan. All Sheltered Harbor participants must complete a rigorous and disciplined plan to address all business and technical steps necessary to restore service in the event of a cyber-attack where all options to restore critical systems, including backups, have failed. This includes designating a Sheltered Harbor partner or developing a plan that can help restore customer data to a Restoration Platform as quickly as possible. The resiliency plan must address eight key areas:
- Resiliency targets
- Incident management
- Liquidity and funding
- Funds access
- Crisis communications
- Data recovery
- Restoration Platform agreements
- Failback Playbook
- Certification. Every Sheltered Harbor participant must institute a robust set of safeguards and controls, all of which are independently audited annually to ensure compliance with Sheltered Harbor standards. Participants must also conduct an annual data recovery and customer verification test. Only then will participants be certified and allowed to display the Sheltered Harbor Data Protected seal. Testing and vailidation will also be required to prove that Resiliency Plans are in place and the Participant’s organization is up to the task, for when a Sheltered Harbor Event arises.
Given the growing attention paid to cyberthreats and the increasingly virtual nature of most customer’s banking relationships, concern over a potentially catastrophic cyberattack is continually growing. Sheltered Harbor offers your institution a significant safeguard, and one that will likely resonate with your market. Sheltered Harbor has certified certain parties, including Grant Thornton, to help you prepare for and assess and test your compliance with their standards. If you would like to learn more about Sheltered Harbor, we would be happy to speak with you.