How ‘Sheltered Harbor’ Provides Safety from the Cyber Storm

By Charles Keenan

While he’s not ready to retire anytime soon, Trey Maust has given thought to the concept over the past few years, a vision of where he would rely in large part on his wealth that resides in brokerage and bank accounts. Yet Maust, the co-president and CEO of $170 million-asset Lewis & Clark Bank, couldn’t help but wonder: What if one day his account balances evaporated in a sweeping cyber attack?

“I’m starting to think at some point I’m going to rely on those balances to live on, whether it’s in a brokerage firm or a bank,” he says. “I want to know I can point to something and say, ‘This is my balance.’”

So when Maust was approached last year to work on an initiative in the financial industry to safeguard customer information and account balances, he quickly signed up for the job. Maust, whose bank is based in Oregon City outside of Portland, saw a chance to represent community institutions at the table with some of the world’s largest financial companies to come up with a system that would save enough information to get customer balances back in the event of a cyberattack.

That system is now becoming a reality. Dubbed “Sheltered Harbor,” it allows financial institutions to securely store and quickly retrieve account information after an incident. It acts as a firewall of sorts, supplementing the defenses financial institutions already have by separating the information away from their own networks. The consumer data is stored and kept private by each institution, and is encrypted and protected from changes. Sheltered Harbor is also distributed, with no central repository of information.

“This is about making sure the public can retain confidence in the system if a bad thing happens,” says Steven Silberstein, chief executive of Sheltered Harbor, and a former chief technology officer for SunGard. “We can’t guarantee all our protections will succeed and we have to have a fallback just in case.”

Sheltered Harbor was created by the Financial Services Information Sharing and Analysis Center and its members, which includes banks, credit unions, brokerages, processors and financial trade associations, such as the American Bankers Association. The members represent roughly 60 percent of all U.S. retail banking and brokerage accounts. The goal is to have most members of the group using the system by the end of the year, then roll it out to the rest of the financial industry. The initiative was spearheaded by one of its board members, James Rosenthal, a former COO at Morgan Stanley.

Rosenthal and other industry executives saw a need to provide a backup to customer data in age where cyberattacks have grown in severity and shown no sign of abating. When it comes to cybersecurity, banks have done a good job of safeguarding customer information, but the increasing sophistication and frequency of the attacks is enough to keep chief executives in the financial industry up at night.

While breaches of American retailers, healthcare firms and government agencies are a common occurrence, a few incidents over the years highlighted the how all companies are vulnerable to breaches. One was the attack in 2013 of Target Corp., where hackers used malware to gain access to credit card numbers and personal information of more than 100 million customers, eventually leading its chief executive to resign. Another infamous attack was of Sony Pictures in 2014, where hackers released embarrassing files and emails of executives.

“The Sony attack clearly was a huge warning,” says Albert Kendrick, who serves on the Sheltered Harbor board and is CIO at FirstBank, a $17 billion-asset institution based in Lakewood, Colo., a suburb of Denver. “There were other attacks that were clear indicators that the risk was growing quickly.”

Perhaps even more alarming for bankers have been attacks in the financial industry. Cybercriminals stole $81 million from Bangladesh Bank in February 2016 by hacking credentials to send payment messages over SWIFT, a financial messaging network used in international transfers. Russia’s central bank said that hackers stole $31 million during the last year from its correspondent banks.

In essence, while the internet has changed lives, it was never designed to withstand the type of exploitation employed by hackers today, Silberstein notes. “The internet was created to provide information sharing and assumed that all of the participants were well-intentioned and trustworthy,” he says. “We are now in this continuous race to protect legacy infrastructure from the untrusted. It’s a challenge because the untrusted are investing huge sums of money trying to circumvent our protections.”

A proactive approach

In response to this constant threat, the financial industry came together, working with regulators to come up with a private-sector solution. Sheltered Harbor gives member firms a layer of protection beyond their own backup and recovery plans and systems. It’s a way for banks, brokerages and processors to save the critical account data in a standardized format for data, encryption and architecture. The system allows for a bank to stow away a snapshot of the customer accounts, the balances and enough transaction history to do tomorrow’s business.

“There is a real concern that with cyber terrorists today, there is the possibility that a financial institution could be attacked and not be able to recover,” Kendrick says. “This is the industry’s response, and [it]provides a way to recovery.”

In the event a bank couldn’t itself get up and running quickly enough, the system allows for processors or another financial institution to host the information. “Sheltered Harbor is an additional level of resiliency,” Silberstein adds. “And about making sure there is a good copy of a consumers account data that could be moved to a different fully operating processing plant.”

In terms of compliance, Sheltered Harbor has an “adherence framework,” basically a set of controls that allows for a way to confirm that an implementation has been properly done. The system is designed to be flexible. “Each bank gets to own and manage its data using the technology and location of its choosing,” Silberstein says.

Community bank input

That flexibility is important, because of the variety of members behind Sheltered Harbor in terms of type and size. Community banks, for example, are represented to ensure their interests are taken into account as the standards are hashed out.

Maust was recruited to Sheltered Harbor in part to ensure community institutions were represented. One issue was the degree to which institutions had to show they were in compliance to get certification. One proposal called for an outside auditor, which would be unaffordable for smaller institutions, Maust says. Instead, the solution will allow banks to vouch for that they are meeting standards, such as the cryptographic storage being used, and that the encrypted files are maintained on secure, survivable and transportable media. This self-monitoring approach boils down to, “Are you doing every one of the things you are supposed to be doing?” Maust says.

Once banks get onboard, they’ll receive a certification that they’re Sheltered Harbor-ready. The goal is to eventually have the entire financial industry using the system, with banks using a certification seal as a marketing tool, to show consumers’ data are protected. “We want our customers to know we take it seriously—to make sure that we’re right there at the beginning,” says Bryan Greenbaum, a Sheltered Harbor board member who also serves as senior vice president and chief operating officer at Reading Cooperative Bank, a $504 million-asset institution in the Boston area.

Bank CEOs may never be 100 percent at ease when it comes to cybersecurity, but Sheltered Harbor marks another attempt to protect customers. “This is a way to instill confidence in the industry,” Maust says. “At least I know that I can tell my customers their information on their account balances is safe.”

Charles Keenan is a freelance writer in California.