Greg Montana, Chief Risk Officer, FIS
August 05, 2019
Bad actors committing cyber-attacks are no longer antagonists in works of fiction, but instead, real-world gang members and individuals employed by nation states. Their common denominator is residence in countries from which they won’t be extradited. With no after-the-fact recourse, the onus falls on prevention. Todays threat actors are not always financially motivated but have political aims to not only steal data but to attack and destroy systems to impact institutions or economies.
All financial institutions – 100 percent of them – need to prepare for a destructive cyber-attack that could threaten the nation’s financial stability. What some may not know is their redundant system securing their data against Acts of God does not equate to a resilient system that prepares institutions against a cyber-attack that focuses on impacting both the production and backup systems. An online redundant system is as vulnerable to takeover as the system it’s protecting. A resilient system is immune to cyber-attack because it’s offline and separate from the institution.
The good news is that installing a resilient backup system for cyber-attacks is much easier than building the redundant backup system that protects institutions’ data in the event of natural disasters.
The certainty of cyberthreats in uncertain times
Ransomware attacks are rising and shifting from individuals to businesses and government agencies– more likely to pay ransom to recover data, according to findings from Recorded Future and reported recently by CNN. About 25 attacks – including the recent one wreaking havoc on Baltimore – have been reported this year so far, outpacing 2018. Companies and agencies with outdated software are particularly vulnerable to attacks fueled by a 2017 NSA breach, which unleashed its EternalBlue cyberweapon.
It’s no surprise that leading Western financial authorities from G7 nations are conducting a cross-border simulation of a major cross-border cyber security attack on the financial sector in June 2019, according to Reuters. The exercise is based on the scenario of a technical component widely used in the financial sector becoming infected with malware.
In an interview on 60 Minutes, Federal Reserve Chairman Jerome Powell explained what keeps him up at night is how to build resiliency to survive a cyber-attack on an institution or a financial market utility that takes down that institution or utility for an extended amount of time. He questions, “How do we build the resilience, the redundancy in case that does happen? And even more, how do we do everything we possibly can to make our institutions and our utilities resilient against that activity, so that kind of an attack…doesn't succeed?”
In Janet Napolitano’s new book “How Safe Are We?” she sums up the importance of acting now, “It is impossible to overstate the urgency of improving our country’s cyber security.”
Sheltered Harbor acts to build resiliency
Sheltered Harbor, a not-for-profit industry initiative comprised of a consortium of United States clearing houses, financial institutions, core processors and industry associations, states it mission as:
“To protect public confidence in the U.S. financial system if a devasting event like a cyberattack causes an institution’s critical systems – including backups – to fail.”
The first step in executing its mission relies on financial institutions adopting the Sheltered House data vaulting system. The way it works on a high level is that financial institutions back up their customer account data each night at the close of business in the Sheltered Harbor format. Participants transmit encrypted data to a secure data vault – their own, another institution’s or their core processor’s vault.
Key elements of the data vault include:
FIS supports Sheltered Harbor’s goal of reaching 100 percent participation by banks and credit unions as soon as possible to protect the integrity of the U.S. financial industry and is currently in the process of rolling out the Sheltered Harbor data vaulting solution to customers.
Stay tuned for Part 2, which discusses the background of Sheltered Harbor in more detail, explains how it works and informs bankers about how to satisfy resiliency requirements through certification.
Tags: Technology, Risk & Compliance