Cyber Resilience a la Sheltered Harbor
How did the industry solve for the challenge around maintaining public confidence, even when a devastating outage causes all of a bank's operations to fail?
As Chief Executive Officer of Sheltered Harbor, I previously introduced the cyber resilience triad. In 2015, the industry foresaw the risk of a devastating cyber-attack and the potential for a significant loss of public confidence in the United States financial system. In June of that year, 33 organizations representing the financial industry joined the United States financial regulators and other government agencies at The U.S. Department of the Treasury building for what is called a Hamilton Exercise. The exercise took an example out of the headlines and applied it to a bank. A cyber-attack knocked out the operations of Sony Entertainment. It took the Sony staff 27 days to rebuild servers and restore basic operations. Imagine if that was a bank. Imagine how depositors would react. Imagine if it was your bank and you lost access to your assets - possibly forever. Who would help? How would they help? How long would it be before you could access your funds? What would happen to the bank? How would you pay for what you need? How would you get paid? How much trust would you continue to have in the banking system if everything you had suddenly disappeared?
The Hamilton Exercise participants all agreed, their biggest fear would be the loss of public confidence in the financial system. They all began to realize no one had a clue about how to deal with such an event. Back in 2015 regulators knew they had no plan for such an event and neither did the bankers, brokers, clearing houses, core service providers, or industry association representatives. This fear was accentuated by the realization that the public had never experienced the complete loss of a financial institution due to a cyber-attack. Something like this would likely cause people to panic.
SHELTERED HARBOR BECAME THE SOLUTION
A significant action item coming out of the Hamilton Exercise was the formation of Sheltered Harbor as an industry led not-for-profit initiative. The founding 33 industry organizations contributed funding and subject matter experts to figure out how to maintain public confidence should a bank, broker or credit union suffer a devastating cyber-attack that knocked out all its operational capabilities. Sheltered Harbor was founded in November 2015 as an independent entity, with a 33-member Board of Directors. The newly formed Board was a true cross-section of the industry including small, medium, and large banks, brokers and credit unions, major clearing houses, large core processors, and the industry's trade associations.
When Sheltered Harbor was formed, the only things the collective group knew were:
- The problem it was trying to solve was too big for any one organization to solve alone.
- The solution would require the concept of mutual aid because the institution suffering the outage would need some kind of help.
- It was essential that the identities and balances of all the stricken institution's accounts be available, in spite of the complete loss of all systems and data. This was considered 'critical account data'.
- Equally essential was that this data be completely secure throughout the incident and beyond.
- The solution would have to be something everyone in the industry could trust.
- The solution was to reconnect customers with their assets very quickly (within 24 hours was the standing assumption).
- Everything else was a blank slate.
A PROBLEM LIKE NO OTHER
Some of the early discussions focused on determining exactly what it means to maintain public confidence. The collection of hundreds of experts had to agree on the scenario they were trying to address, and they had to learn to think completely outside of their comfort zone, because no one had ever encountered the conditions for which they were looking to find a solution. It quickly became apparent that the scenario envisioned - all systems are silicon dust, and all data is either gone or unreliable - was dire. The group recognized that for such an extreme case, a good solution did not have to be perfect. It just had to be available very quickly, and it had to be reliably trusted so that the rest of the industry could support the stricken entity. They came to agree that maintaining public confidence required that two critical business functions had to be recovered very quickly:
- Customers had to see that their financial institution knew their balances.
- They must be able to transact against those balances within 24 hours of the attack.
In those early days many of the subject matter experts assumed the new Sheltered Harbor entity was going to become a utility where all financial institutions would send their critical account data. This assumption expired as the group realized that putting all their eggs in one basket was too risky. (Plus, it could have violated a litany of responsibilities.)
THE THREE PILLARS OF SHELTERED HARBOR CYBER RESILIENCE
Sheltered Harbor developed a solution to this problem by creating three pillars. If each pillar is followed, it would ensure any financial institution could achieve cyber resilience and maintain the public’s confidence by having the ability to restore the critical services within a day.
1-Data Vaulting
Institutions back up both critical customer account data and their other vital data sets each night in the Sheltered Harbor standard format, either managing their own vault or using their service provider. The data vault is encrypted, unchangeable, completely separated from the institution’s infrastructure, including all backups, and it’s controlled by the financial institution.
2-Resiliency Planning
Along with vaulting their data, an organization simultaneously creates a plan to be cyber resilient. Sheltered Harbor has laid out specific playbooks that must be developed and tested before achieving cyber resiliency. This takes time as leadership must make decisions, plan communications, and complete other important steps before a restoration platform is selected.
3-Certification
Participants adopt a robust set of prescribed safeguards and controls which are independently audited for compliance every year. For example, once an organization’s data vaulting is certified, they will receive a seal communicating their customer data is protected, and they will be placed on Sheltered Harbor’s Certification Registry.
MORE DATA PROTECTED
In addition to protecting what the industry deems critical data sets, Sheltered Harbor built a new specification which now allows businesses to protect more of their data using the Sheltered Harbor process. Financial institutions and other businesses will be able to use the new specifications to vault more data. This will allow them to protect data they deem necessary to bring back more functions of their business.
GET PROTECTED TODAY
It’s been a long road to discovering how to effectively protect financial institutions from being wiped out by a cyber-attack. Narrowing the focus to protecting the public’s confidence in the United States financial institutions made it possible for Sheltered Harbor to complete the roadmap to achieve its mission. It is possible today to protect your customer’s critical data, and plan for cyber-resilience. I urge every financial institution to start becoming cyber-resilient today by using the Sheltered Harbor approach. It’s a method recognized by the United States regulators as the industry’s standard for cyber-resilience.