Are U.S. banks preparing for datapocalypse? A look at ‘Sheltered Harbor’.
Over the weekend, the Wall Street Journal released an article about an initiative among U.S. banks called “Sheltered Harbor.” The project aims to equip banks with impenetrable data backups that could be shared with each other in the event of a major cyberattack.
A few questions immediately emerge here:
- How is this different from any other bank data backup system?
- Don’t banks already have such BDR systems in place?
- Why would banks need to share their backups with each other?
- Wouldn’t the sharing of data actually increase risk, rather than mitigate it?
On closer inspection, we discovered this project is different from your everyday business continuity strategy…
Sheltered Harbor isn’t really intended to save one bank from a data breach. It’s meant to save the whole darn banking system.
Here’s what we know so far.
The threat is real, folks.
First, let’s discuss why banks are suddenly getting more defensive about their data.
If you have been paying attention to the news over the last year, then you know that companies without dependable backup systems are screwed.
The threat of business-crippling ransomware and other sophisticated cyberattacks has never been greater. The attacks are getting smarter, and the hackers behind them are getting greedier.
- Earlier this year, NBC News said banks were among a growing list of institutions being attacked by ransomware and that paid hackers to get their data back.
- 2017’s biggest ransomware attacks hurt banks across the globe. Most notably, the NotPetya attack in June wreaked havoc on Ukraine’s central bank.
- A 2016 report revealed that cyberattacks on banks are on the rise, including both small and large banks, as well as credit unions.
- Threats like ransomware are increasingly outsmarting top cybersecurity software, which is why data backups have become so critical.
Financial institutions have a reason to be worried. These threats aren’t going away—they’re only getting worse.
So, here’s what the financial industry is doing about it…
What is the Sheltered Harbor project?
Sheltered Harbor is an initiative among U.S. banks to ensure that every bank “has a protected, unalterable backup that can be used to serve customers in case of a major hack.”
Here’s how it works, in a nutshell:
- Each member bank that participates in the initiative must maintain their own secure data backups.
- The backups must be implemented, formatted and monitored according to specific guidelines and security protocols.
- In the event of a debilitating data breach, the data backups can be used by other member firms to serve the affected bank’s customers on their behalf.
That’s where it gets interesting. Why would a bank want or need to serve another bank’s customers?
What kind of data breach are we talking about?
To understand the seriousness of Sheltered Harbor, you need only to look at the seriousness of its objective.
This isn’t your ordinary, run-of-the-mill defense against typical ransomware and other common cyberattacks. Sheltered Harbor is a failsafe designed to prevent our financial system from crumbling after an attack unlike any we’ve seen in the United States.
A datapocalypse, if you will.
Imagine a hypothetical scenario …
Pretend that a major U.S. bank—let’s say Bank of America—suffers a crippling cyberattack that leaves it unable to serve its customers for days. Imagine the media frenzy and widespread fear that would follow such an event.
An attack like this (which is certainly plausible, mind you) would kill the confidence in American account holders. Customers of Bank of America might start to freak out—and wouldn’t you, too? Regardless of which bank you use, you’d be concerned.
If you had any inkling that your own account could somehow be “lost,” you’d probably try to pull your money out of the bank, right?
That’s exactly what the banks are afraid of
“Experts project that when data breaches disable banks and prevent customers from accessing their accounts, it could cause a disastrous domino effect – panicking customers with unaffected banks to withdraw their funds en-masse, potentially sparking a run on the wider banking system,” explains Lyle Adriano of Insurance Business.
A run on the banking system could indeed be catastrophic, potentially setting off a disastrous chain of events on global financial markets.
So, let’s just say bankers would prefer to avoid that scenario.
Who’s behind the project?
Sheltered Harbor is a 34-member board that is comprised of a wide range of entities within the financial sector, including large banks, financial groups, trade associations and clearinghouses, to name a few. The group’s website states that “The people who make up Sheltered Harbor are mostly volunteers from our founding members, who share their expertise and work efforts.”
Cumulatively, participating institutions control about 400 million accounts in the United States – roughly 70 percent of U.S. retail accounts and 60 percent of U.S. brokerage accounts, according to Bloomberg.
The project was reportedly initiated in 2016 by the Financial Services Information Sharing and Analysis Center. It went live earlier this year.
How banks join the project
The added layer of data protection comes at a cost, of course.
Depending on the bank’s size, participating members must pay a fee to be part of the Sheltered Harbor initiative. The fee is annual, ranging anywhere from $250 to $50,000 for large global banks.
From what we can tell, that fee is aside from the costs for actually buying, implementing and managing the required BDR infrastructure, not to mention revising business continuity plans, complying to the required protocols and so on. In many cases, it’s likely that banks will be able to partially use their existing backup systems to participate, only making a few extra tweaks to format the data and make it available to the other entities. The big difference is the addition of a required “data vault.”
How it works
The website for Sheltered Harbor explains that the concepts behind the project are “simple,” but that “the devil is in the details.”
The text provides a high-level overview of the backup process, explaining that each step is spelled out in detail in The Sheltered Harbor Specification.
Here’s how the process is explained:
- Build Data Vault
Financial institutions must build and operate an in-house data vault or utilize a “data vault as a service” through approved service providers that adhere to Sheltered Harbor standards.The vault must be:
- Survivable and accessible
- Secured to allow only authorized retrieval of data
- Owned by each participant
- Extract Account Data
Financial institutions must prepare account data for transmission to the vault via these steps:
- Extract critical account data per the specifications
- Convert data to industry-standard format
- Validate data
- Apply standard strong encryption to data
- Transmit data to data vault
- After Disaster, Send and Restore Data
- In the event of data loss or service interruption, the affected participant must retrieve data from the vault and send it to another bank, referred to as a “Restoring Institution.”
- The Restoring Institution takes the data, decrypts it and “loads it onto its core platform.”
- The website says that the restored data “allows for basic account functions to ensure consumer confidence.”
The website also provides some high-level information on the framework for adhering to the required specifications, reporting and auditing. In short, the process appears to be well thought out.
The full specification is available only to participating members.
Why haven’t you heard of this before?
We wondered that too. There’s been little talk of Sheltered Harbor until this week.
The folks behind Sheltered Harbor address this on the website. Because the program is still relatively new, members have been working to finalize standards and initiate a testing phase among its first participating banks.
The website states, “Sheltered Harbor’s goal is to enhance the protection of the retail financial services industry. Until recently, we have been operating quietly to get our standards complete, and to get early adopters testing the process.”
What’s with the name, Sheltered Harbor?
If “Sheltered Harbor” sounds like a military operation, it was probably intended to sound that way.
Matt Levine of Bloomberg wrote an amusing piece on how IT-minded folks often give their initiatives provocative names as a way of getting company executives excited about “boring back-office technology.”
Levine generalizes the experience with a mock conversation between IT and upper management:
IT person: “We need to spend more time and money backing up our data.”
CEO: “That is literally the most boring sentence anyone has ever said to me.”
IT person: “Let me try that again. The Sheltered Harbor team has instructed us to launch Operation Waking Shark.”
CEO: [pumps fist] “Yesssssss.”
IT person: “We have ordered team fleeces for Operation Waking Shark; you can have one. There’s a picture of a shark on it.”
CEO: “Here is all of the money.”
All jokes aside, the project name Sheltered Harbor alone points to the seriousness of the mission: sheltering our nation’s critical financial data from an attack that could indirectly bring the whole system down.
At a time when many companies still remain vulnerable to today’s growing cyber-threats, it’s reassuring to see at least one industry being proactive about defending themselves and their customers.
For information on protecting your data from a cyberattack and other disasters, talk to our business continuity experts at Invenio IT. Request a free demo of today’s best solutions for data backup and recovery, or contact us by calling (646) 395-1170 or by emailing [email protected].