by Sharon Florentine

Sheltered Harbor ensures cyber resilience for financial services firms

Aug 22, 2018 | 6 mins
Digital Transformation, Financial Services Industry, Fraud

After the infamous Sony Pictures hack in 2014, the financial services industry came together to develop Sheltered Harbor to ensure customer financial data would remain secure and accessible in the event of a cyberattack.

The 2014 hacks of Sony Pictures sent shockwaves through executive suites in every industry, but for many in the financial services industry, it was especially sobering. Pooling their resources, the industry responded with an initiative designed to step up the financial sector’s cyber resiliency.

“Thinking about what you’d do, as a financial services organization, if you went in and half your server infrastructure was wiped; your backups corrupted. And as a consumer, what happens if your bank account suddenly had a zero balance? Oh, my God — the impact on customers, on the financial institution itself, as well as the public confidence in your institution and the financial services sector in general would be awful,” says Trey Maust, Sheltered Harbor CEO.

The financial services industry regularly conducts Financial Services – Information Sharing and Analysis Center (FS-ISAC) Hamilton Series exercises, which simulate various plausible cybersecurity incidents or attacks to better prepare the industry to respond to cyberattacks. The Sheltered Harbor Specification, designed to enhance resiliency and protect financial institutions’ customer accounts and data in the event of a breach or an attack, emerged from these Hamilton Exercises, and was outlined in a white paper. Financial institutions, industry trade groups and leaders, brokerages, and core processing providers formed the non-profit Sheltered Harbor organization in 2015 to support the initiative.

The mission was to create a standardized, secure, encrypted data vaulting solution, recovery standards, and a stringent adherence framework in addition to financial services companies’ existing business continuity and disaster recovery (BC/DR) solutions. The organization has since built a collaborative industry platform, which has received a CIO100 award in IT excellence.

“We started thinking about how to put together an industry-wide initiative to address the public impact of such an event,” Maust says. “What happens if a customer goes in and suddenly there’s a zero balance? What happens if they cannot access their accounts? What they’re thinking is also, ‘Is it ever going to get restored? What if it hits other banks?’ So, the idea was to protect and secure data and allow for limited access, at least, so while it might be more inconvenient, you could still access funds, make limited transactions.”

Initially, 34 representatives from across the financial services industry signed on to develop and direct Sheltered Harbor. These included banks, brokerages, federal organizations with oversight responsibility, community banks, credit unions, clearing houses, national trade associations and core processors, Maust says. Those original 34 founding members now make up Sheltered Harbor’s governing board.

The various participants came together to develop common standards and best practices, says Bill Nelson, one of the founding members of Sheltered Harbor and now CEO of FS-ISAC. The specification set out requirements for the data vault itself, for the resiliency and recovery phase, and adherence to the correct processes for allowing access post-event, says Maust.

Spreading the word — without inviting attack

Sheltered Harbor has working groups of subject matter experts for banking, brokerage, marketing and communications, credit unions, core processors and other subsets of the financial services industry, as well as working groups dedicated to adherence to the standards requirements adopted by Sheltered Harbor and the larger industry.

These groups are responsible for enforcing the standards and making sure that members are staying true to the requirements for each part of the initiative, says Maust. The most critical component of the Sheltered Harbor protection scheme is the concept of stowing away “critical account data” in a data vault. The Sheltered Harbor Data Vault is a container or data bunker which holds a special copy of a financial institution’s customers’ account data, Maust explains. If a financial services institution is operationally wiped out, the assets it owns can then be restored by another self-selected financial institution designated to operate in its place. The vault is immutable, air-gapped and secure, survivable and accessible when it becomes necessary. It is also distributed rather than centralized, which makes it less attractive to additional attackers.

With no prior definition in the industry whatsoever, “critical account data” had to be defined before being collected. Getting the entire financial industry to agree on hundreds of common data elements was initially seen as difficult, but surprisingly, Nelson says, members came to an agreement within just a few days.

While it’s difficult to get 100 percent participation with so many different players, there was incredible enthusiasm for Sheltered Harbor right from the beginning, says Nelson.

“There were a lot of people digging in from many different financial institutions at first; it wasn’t a regulatory-driven initiative but getting so many different organizations on board wasn’t hard as they clearly understood the need,” Nelson says. “The surprising thing was the high level of energy, collaboration and cooperation at the highest levels of the industry. From credit unions to community banks to core processors to brokerages, their customers were saying, ‘This is really necessary.’ You don’t want to be left holding the bag if you had the opportunity to do something and didn’t.”

The most challenging part has been getting the word out more broadly to the industry, says Maust. While word-of-mouth has been effective, this year Sheltered Harbor will do more to publicly tout the benefits of the initiative without divulging information that could allow cybercriminals to learn of potential attack vectors.

“We’re spending a whole lot of time this year exposing the industry to what we do and why; this is the year we’re really bringing the awareness to more of the industry — the downside is that we know bad actors will be using this as a chance to up their game against Sheltered Harbor — but we’re ready,” Maust says.