Imagine this scenario: the financial sector suffers a massive cyber-attack, affecting institutions of all sizes across the United States. The objective of the attack was successful: destroy each institution’s financial records and data backups, ultimately crashing the US financial system and disrupting economies around the world. Extreme scenarios like this may sound like fiction (Mr. Robot, anyone?), but theory has turned to reality in the world of cybersecurity very often in the recent past. An attack such as this would be extremely devastating, but a similar outcome may also occur in the event of war, widespread natural disasters, or many other scenarios.
Prepare for The Worst and Hope for the Best
Sheltered Harbor is a relatively new concept that is being realized today to address these doomsday-like scenarios, including new and existing cybersecurity threats that could affect the financial sector on a massive scale. This not-for-profit, industry-led initiative was founded by 34 financial institutions and is owned by FS-ISAC Inc. The idea behind Sheltered Harbor is to create extremely secure (and segmented) backups of financial data across the financial sector with the goal of preventing an industry-wide catastrophe. The FS-ISAC fact sheet states that it “enables financial institutions to securely store and rapidly reconstitute account information” which decreases the downtime of recovery from a cyber-attack or disaster.” This program significantly increases the number of security controls and protections when compared to other backup solutions.
How Does Sheltered Harbor Work?
When a financial institution joins Sheltered Harbor, critical financial information is extracted from accounts and converted into Sheltered Harbor’s industry-standard format. The information is then validated, and encryption is applied before the information is transmitted to Sheltered Harbor’s secure data vault for storage.
Customers participating in Sheltered Harbor have the option to store data directly to a data vault in-house that follows Sheltered Harbors standards or to utilize the data vault as an outsourced service. Sheltered Harbor has specific ownership and operation requirements which do not change regardless of whether the vault is operated in-house or utilized as a service. Sheltered Harbor’s website states that “the model assumes no central repository for protected accounts.”
The data vault is where many of these additional security controls are applied. According to the Sheltered Harbor website, the data vault must be:
- Survivable and accessible
- Secure to allow only authorized retrieval of data.
- Owned by each participant
Unfortunately, access to full details on the security control process are only available to members of the project.
Information is securely stored until needed by the financial institution or organization. If needed, the information is transmitted back to the institution as encrypted data to be decrypted. In the case of financial institutions, the data loads back into its core platform and will allow for basic account functions to ensure the institution is able to provide continued service to its customers. Many of the big-name service providers have announced their intention to provide Sheltered Harbor capabilities to their clients including:
- Jack Henry
- Thomson Reuters – Wealth Management
How Much Does it Cost?
Participation fees are charged to Banks, Credit Unions, and Brokers based on the type of institution and its size according to the Sheltered Harbor Fees page. These are defined by:
- Number of US depository accounts and US banking assets for Participants which are banking firms
- Client assets and number of clearing clients for Participants which are securities firms
- Assets under management or plan-assets under administration for Participants which are asset managers, transfer agents, or retired plan recordkeepers
For financial institutions, annual fees are assigned based on asset size and number of accounts. Fees can range from $250 to $25,000 a year depending on those factors. Additional information on fees for other organizations can be viewed on the Sheltered Harbor website.
Is It Worth It?
There is no mistaking that the project of Sheltered Harbor offers a rock-solid backup solution that can be used if the institution, or more appropriately, the entire financial industry, suffers a major disruption. The idea of virtually indestructible backups can make any organization sleep better at night.
However, the Sheltered Harbor initiative is not feasible for all organizations, specifically small financial institutions. Each institution must weigh the cost of implementing the program with what their current backup solution offers for [likely] a fraction of the cost.
The most appropriate question to ask of your organization might be where to best spend the next security dollar to provide the most value and risk reduction?
Keep in mind, data backups are typically the last line of defense for attacks like malware and ransomware. Backups must have adequate controls in place to protect the data. If the backups are lost or corrupted, a financial institution and its customers will likely suffer a devastating loss. At the end of the day, the greatest benefit the Sheltered Harbor project provides is a strong insurance policy that may or (hopefully) may never have a chance to be utilized.
Written by: Eric Chase
Information Security Consultant - SBS CyberSecurity, LLC
SBS Cybersecurity offers a wide range of services covering the subject of Business Continuity and Incident Response. The SBS Institute has developed a specific certification known as the CB Business Continuity Professional with its course objectives defined as:
- Developing a clear understanding of a business continuity plan, which will make your work more efficient and effective.
- Increasing confidence in implementing and managing a strong business continuity plan.
- Preparing your institution for the worst-case scenario.
- Gaining practical solutions for FFIEC Appendix J requirements.
Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.