Banks open data-protection vault to other financial businesses

    • Started in 2015 by 34 banks, its initial goal was to find a way to maintain public confidence by restoring balance information and access to cash within 24 hours in the event of a devastating event such as a cyberattack. PHOTO: REUTERS
    Published Fri, Dec 23, 2022 · 08:43 AM

    A group of banks has adopted the idea of a vault for the age of the cyberattack, building a tool to encrypt and lock away the most critical customer-account data at the end of each workday. Now they’re expanding it to other financial businesses.

    Participants in Sheltered Harbor store key information in a vault that’s separated from the institution’s infrastructure. They also must devise a plan to restore operations and services as quickly as possible in the event of a cyberattack or other crippling event. That includes designating a restoration platform, which could be another financial institution or a service provider that can recover data from the vault and quickly provide services to customers.

    “Something we can all trust is better than nothing,” says Carlos Recalde, president and chief executive officer of Sheltered Harbor, a nonprofit industry initiative. “Time is of the essence. We can only maintain public confidence if we react in a very short window.”

    Sheltered Harbor is intended as a last resort in case computer networks and backups are mostly wiped out, an increasingly real possibility in an era of so-called wiper malware and ransomware attacks that have disrupted energy supplies, factories and healthcare systems. Started in 2015 by 34 banks, its initial goal was to find a way to maintain public confidence by restoring balance information and access to cash within 24 hours of a devastating event such as a cyberattack. About 160 institutions now participate in the initiative. So far, none have had to tap their data vault, Recalde says.

    He declined to identify the institutions involved, but, according to the group’s website, Sheltered Harbor participants hold 72 per cent of deposit accounts and 71 per cent of brokerage client accounts in the US. Now the program is adding insurance companies, asset managers, payment processors and others to the mix. Those institutions can define the data they consider critical that needs to go in the vault. The auditing and certification process is largely the same as for the earlier participants.

    The idea of Sheltered Harbor came after a massive hack of Sony Pictures Entertainment in 2014. That attack, blamed on North Korea, resulted in unreleased movies and embarrassing information about Sony employees and movie stars being dumped onto the internet. At the same time, malware wiped out swaths of Sony’s digital network.

    Industry analysts say the Sheltered Harbor program does have its drawbacks. There’s still a chance of malware sneaking into the vault when data is transmitted to it. The system doesn’t address the threat of hackers stealing sensitive data from financial institutions and either selling it or otherwise sharing it. And restoring data to what existed on the previous day isn’t ideal in industries that back it up several times a day or even every few seconds.

    “Sheltered Harbor is a bit behind the times for rapid ransomware response,” says Brent Ellis, a senior analyst at Forrester Research. “For that kind of functionality, businesses are building rapid recovery systems that give more granularity than a once-a-day vault.”

    Recalde says multiple processes that validate the data before it goes into the vault ensure it’s not infected. As for the time element, he says, Sheltered Harbor is intended for worst-case scenarios, including when regular backups fail. At Sheltered Harbor, the annual cost to participate is roughly US$250 for small institutions and up to US$50,000 for the biggest ones.

    “Our industry runs on data,” said Katherine Wetmur, co-chief technology officer of Morgan Stanley, a co-founder and early adopter of Sheltered Harbor, in a statement. “Preserving and protecting sensitive client and business data is not only the right thing to do, it’s a business necessity.” BLOOMBERG
