The Financial Industry Prepares to Protect Our Way of Life Against Cyber-Attacks: Part 2

Greg Montana | Chief Risk Officer, FIS

August 26, 2019

Given the increase in state-sponsored cyber-attacks on financial institutions worldwide, financial institutions in the United States (U.S.) must prepare for a major data destruction attack that wreaks havoc on the U.S. financial system. As described in Part 1 of this two-part series, most current business continuity and disaster recovery plans do not sufficiently prepare for a disabling cyber-attack that would prevent customers from accessing their accounts for an extended period, because most plans do not account for an attacker impacting the backup system as well as production.

Part 2 details how joining Sheltered Harbor can protect the stability of your institution and your customers’ trust.

Sheltered Harbor launched in response to cybersecurity exercises

A series of cybersecurity exercises facilitated by the U.S. Department of the Treasury in 2015 revealed the potential vulnerability of the U.S. economy in the event of an increasingly likely major cyber-attack on financial institutions. As a result, Sheltered Harbor – a non-profit industry consortium – was formed. It comprises financial institutions, core service providers, national trade associations and trusted partners that provide solutions to help participants implement the Sheltered Harbor standard. Participants’ companies currently hold 71 percent of U.S. deposit accounts and 55 percent of client assets at U.S. retail brokerage firms.

Sheltered Harbor works with three core elements

The goal of Sheltered Harbor is to provide an interim solution that ensures customers have access to their financial accounts in the event of a cyber-attack until their institutions’ failed platforms and systems can be restored. Institutions will stand up a temporary, separate processing platform outside of their compromised system to take its place.

Three core elements demonstrate how Sheltered Harbor works:

  • Data vaulting. At the end of business every day, a standardized set of customer account data is archived in a secured, encrypted vault, offline from all systems including existing backups created as safeguards against Acts of God.
  • Resiliency planning. Sheltered Harbor resiliency planning outlines processes and key decisions to be put into action if an event occurs and all other options to restore systems fail. Institutions designate a restoration platform to retrieve data from the vault and restore customer account access as fast as possible.
  • Certification. To ensure that institutions are prepared to recover from a data destruction cyber-attack, participants adopt a prescribed set of safeguards and controls, compliant with Sheltered Harbor standards and independently audited. Completion of data vaulting requirements allows the institution to become certified, communicating that customer account data is protected and can be recovered.

Act to get ahead of the problem

As the battleground shifts to cyber-attacks, financial institutions must act to protect themselves and their customers:

  • Conduct an enterprise-wide review of software to determine what needs to be updated. Many of the recent attacks on institutions – especially the ransomware currently plaguing local governments – have been enabled by vulnerabilities inherent in outdated software.
  • Consider how long it would take for critical systems to recover from a major cyber-attack and the effect of a resulting outage upon your customers, your reputation and regulators’ expectations.
  • Talk with your core processor about joining Sheltered Harbor and how to become certified. For institutions that don’t have the bandwidth or scale to join Sheltered Harbor without a partner, core processors such as FIS are stepping up to encourage 100 percent participation and harden the country’s defenses.
