Several of our banking clients have reached out to us in the past couple of weeks to ask our thoughts on Sheltered Harbor. My guess is that the common thread was attendance at the recent ABA Risk Management Conference, where the concept was presented in one of the break-out sessions. This post is intended to give a quick overview of Sheltered Harbor and what we think of it.
Quick Overview
Sheltered Harbor is a not-for-profit formed last year by FS-ISAC and its members to provide a solution for improving cyber resilience at banks, credit unions, brokerage firms, and insurance companies. Their website claims a membership representing 60 percent of all U.S. retail banking and brokerage accounts (my guess is that they get this number from a few very large members and service bureau core processors, because most banks I've talked to have never heard of it).
Citing concerns with cyberthreats and maintaining consumer confidence, the concept that they propose is relatively simple: create a data backup and recovery standard that ensures that customer account balances are still accessible in the event of a major outage such as a disaster or cyber attack.
The standards created by Sheltered Harbor are to be applied and maintained by each of its members on privately owned solutions. The standard also provides for other processors and/or financial institutions to host the data if the participating member is unable to recover.
Some key points of the Sheltered Harbor backup system:
- Standard data formatting
- Encryption
- Air-gapped (not connected to the internet)
- Immutable (unable to be changed)
- Decentralized (stored in more than one location)
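To make three of those properties concrete, here is an added example (not code from Sheltered Harbor or from the ABA article) of the kind of check a bank's own recovery runbook could run against a customer-balance backup: it validates the snapshot against a fixed record format, records a keyed hash of the snapshot so that any later change is detectable, and confirms that enough independent copies still match. The snapshot format, the location names and the key are all constructed for the example; the Sheltered Harbor specification itself is not public, so this is only an illustration of the concepts, and encryption of the stored copies is left out because the standard library has no authenticated cipher.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed sample data: the same snapshot stored at three "locations".
# The copy at vault-C has had one balance altered, which the immutability
# check below must catch. The CSV layout is an assumption for this example.
GOOD_SNAPSHOT = b"ACCT,BALANCE\n1001,250.00\n1002,9870.15\n"
TAMPERED_SNAPSHOT = b"ACCT,BALANCE\n1001,250.00\n1002,987015.00\n"
COPIES = {
    "vault-A": GOOD_SNAPSHOT,
    "vault-B": GOOD_SNAPSHOT,
    "vault-C": TAMPERED_SNAPSHOT,
}
MANIFEST_KEY = b"constructed-example-key-not-for-real-use"


def parse_snapshot(blob: bytes) -> dict:
    """Standard data formatting: accept only 'ACCT,BALANCE' rows with numeric
    account ids and two-decimal balances. Raises ValueError otherwise."""
    lines = blob.decode("ascii").splitlines()
    if not lines or lines[0] != "ACCT,BALANCE":
        raise ValueError("missing or wrong header")
    balances = {}
    for row in lines[1:]:
        acct, _, amount = row.partition(",")
        if not acct.isdigit():
            raise ValueError(f"bad account id: {acct!r}")
        try:
            value = Decimal(amount)
        except InvalidOperation:
            raise ValueError(f"bad balance: {amount!r}")
        if value.as_tuple().exponent != -2:
            raise ValueError(f"balance not in cents: {amount!r}")
        balances[acct] = value
    return balances


def build_manifest(snapshot: bytes, key: bytes) -> dict:
    """Immutability: record the snapshot's SHA-256 and an HMAC over it so a
    changed copy, or a manifest edited to match a changed copy, is detected."""
    parse_snapshot(snapshot)  # never seal a snapshot that fails format checks
    digest = hashlib.sha256(snapshot).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "size": len(snapshot), "hmac": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    expected = hmac.new(key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def verify_copies(copies: dict, manifest: dict, key: bytes, min_locations: int = 2) -> dict:
    """Decentralization: classify each stored copy as intact or corrupt and
    report whether at least min_locations independent intact copies remain."""
    if not manifest_is_authentic(manifest, key):
        return {"manifest_ok": False, "intact": [], "corrupt": sorted(copies), "resilient": False}
    intact, corrupt = [], []
    for location, blob in sorted(copies.items()):
        same_hash = hashlib.sha256(blob).hexdigest() == manifest["sha256"]
        if same_hash and len(blob) == manifest["size"]:
            intact.append(location)
        else:
            corrupt.append(location)
    return {
        "manifest_ok": True,
        "intact": intact,
        "corrupt": corrupt,
        "resilient": len(intact) >= min_locations,
    }


if __name__ == "__main__":
    manifest = build_manifest(GOOD_SNAPSHOT, MANIFEST_KEY)
    print(verify_copies(COPIES, manifest, MANIFEST_KEY))
```

The manifest would be written at backup time and kept with the offline copies; at recovery time an operator reruns `verify_copies` and restores from any location listed as intact. Keying the manifest with an HMAC matters because a plain hash stored next to the data can simply be recomputed by whoever altered the data.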
Compliance with the standard will be self-audited by each member (the adherence approach) for both upfront and ongoing attestation. Once onboarded, members will receive certification that they are "Sheltered-Harbor-Ready", and will be able to display this on their website as a marketing tool.
My Thoughts
I do like the 5 concepts outlined in the standard as part of a solid backup and recovery plan. And I do like the idea of improved cyber resilience in financial institutions. But I'm a little skeptical about what Sheltered Harbor is trying to accomplish.
For starters, there seems to be a lot of hype for what I consider to be a solid backup and recovery plan that every financial institution should have in place to begin with. In one ABA article (link below), one founding board member was quoted: “At least I know that I can tell my customers their information on their account balances is safe.” If you are a bank president, and you can't say the previous line out loud, right now, you need to take immediate action. Call me, call somebody!
My second concern is the idea that banks would use Sheltered Harbor as a marketing tool, with the certification being posted on their websites. It doesn't make me feel any better that certification will merely be a self-audit and attestation. When you combine the two, it starts to lose some credibility and feel more like a pay-to-play (and this is supposed to be not-for-profit).
Lastly, the lack of details on their website leaves me with several questions. I couldn't quite figure out why this is better than any other backup solution or standard out there. And pricing for membership at the time of writing this was also unclear. A list of questions in an email to Sheltered Harbor resulted in a fast response, but only vague answers:
"I can’t go into the details of the specification, but it’s a decentralized, collaborative model that includes not only the standard but operating principles. While many institutions may have a strong BPC plan in place, this adds another layer of resiliency."
"Our fees range from the largest paying $50K to $250 for smaller institutions. More details will be available on the site shortly."
But this may just be because the website and the offering are both new; only time will tell...
Conclusion
I'm a skeptic by nature. I like to know the "how" and "why" to go with the "what" for any new product, standard, initiative, etc. before I make up my mind. And right now, Sheltered Harbor hasn't quite given me either of those at a level that's satisfying. In an industry as heavily regulated as banking, it strikes me as odd to have standards set by private entities. But maybe they are on to something that will set the new standard for cyber resilience in FIs. Either way, it will be interesting to keep an eye on this to see how it develops.
Are you a member of Sheltered Harbor? Would you be willing to have a quick phone chat for me and my team to learn more? If so, email us at: support@bedelsecurity.com
Sources:
http://bankingjournal.aba.com/2017/03/how-sheltered-harbor-provides-safety-from-the-cyber-storm/
http://shelteredharbor.org/