Following a successful cyber-security simulation exercise between public and private sectors, called the “Hamilton Series,” industry leaders set out to conduct exercises led by the Financial Services Sector Coordinating Council, in coordination with the U.S. Treasury Department and with support from the Financial Services Information Sharing and Analysis Center.  Based on lessons learned from the Hamilton Series, Sheltered Harbor was created.

Sheltered Harbor is a voluntary initiative providing financial institutions and their customers with an additional layer of protection in the event of a damaging cyber-attack. From the smallest to the largest institutions, Sheltered Harbor members collectively represent much of the retail banking and brokerage accounts in the United States.

Resiliency standards established by Sheltered Harbor ensure that customers receive timely access to their accounts if their bank or brokerage firm becomes inoperable due to a major cyber event. Participating institutions make a daily copy of their customers’ account data in a standard format, which, in the event of disrupted operations, enables the restoration of customer accounts at a recovery partner such as another institution or service provider.

The customer account data is archived in a secure data vault that is protected from alteration and deletion.  The data will stay intact and accessible if needed, exactly as when it was archived.  To facilitate the implementation, Sheltered Harbor provides three maturity phases—Ready, Set and Go—which correspond to the progressive milestones of Sheltered Harbor implementation.

Adherence Framework

Sheltered Harbor’s Adherence Framework is the voluntary standard that helps make the distributed model of resiliency effective.  The framework ensures conformity in a distributed and cooperative model. In other words, each member firm agrees to adhere to the Sheltered Harbor specifications, internal controls and system safeguards, and in doing so ultimately supports a timely restoration of customer information in the event of a cyberattack.

In the absence of specific regulations, Sheltered Harbor has created a unique voluntary compliance program ensuring conformity in a distributed model that enables interoperability and recovery of customer account data in the event of a damaging cyber event.

Sheltered Harbor’s Adherence Framework comprises three basic components:

A governance model where Sheltered Harbor sets standards, controls and monitors adherence,

A controls element where members adopt and implement internal controls supporting Sheltered Harbor processing, and

An audit verification process where members perform self-assertions and audits covering Sheltered Harbor specifications and controls.

Sheltered Harbor members adopt and implement internal controls, including:

General controls over the infrastructure supporting the Sheltered Harbor processing environment,

Application controls over the customer file creation, formatting and vaulting, and

Daily attestation messages (sent to Sheltered Harbor) indicating that the daily production of the customers’ archive was successfully completed.
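How the secure vault and the daily attestation described above could fit together, as an added illustration that is not Sheltered Harbor's own code or file format: the `Vault` class, `build_archive`, `daily_attestation` and the sample records are all constructed here, and the JSON layout is an assumption, since the page does not describe the standard format.

```python
import hashlib
import json

# Constructed sample of one day's account data; the real Sheltered Harbor
# file format is not described on this page, so this layout is an assumption.
SAMPLE_RECORDS = [
    {"account_id": "ACCT-0001", "owner": "A. Customer", "balance": "1250.00"},
    {"account_id": "ACCT-0002", "owner": "B. Customer", "balance": "98.10"},
]

def build_archive(records, as_of):
    """Serialize a day's records deterministically so identical data always hashes the same."""
    doc = {"as_of": as_of, "records": records}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")

class Vault:
    """Write-once store whose manifest chains each day's digest to the previous one,
    so an altered or deleted day is detected on verification."""
    def __init__(self):
        self.blobs = {}      # as_of -> archive bytes
        self.manifest = []   # ordered entries: {"as_of", "digest", "prev"}

    def archive(self, as_of, data):
        # The manifest, not the blob store, is the record of what was vaulted:
        # a deleted blob must not reopen the day for re-archiving.
        if any(e["as_of"] == as_of for e in self.manifest):
            raise ValueError("archive for %s already vaulted; vault is write-once" % as_of)
        prev = self.manifest[-1]["digest"] if self.manifest else "0" * 64
        self.blobs[as_of] = data
        digest = hashlib.sha256(data).hexdigest()
        self.manifest.append({"as_of": as_of, "digest": digest, "prev": prev})

    def verify(self):
        """Recompute every digest and chain link; return (ok, list_of_problems)."""
        problems, prev = [], "0" * 64
        for entry in self.manifest:
            blob = self.blobs.get(entry["as_of"])
            if blob is None:
                problems.append("missing archive %s" % entry["as_of"])
            elif hashlib.sha256(blob).hexdigest() != entry["digest"]:
                problems.append("altered archive %s" % entry["as_of"])
            if entry["prev"] != prev:
                problems.append("broken chain at %s" % entry["as_of"])
            prev = entry["digest"]
        return not problems, problems

def daily_attestation(vault, as_of):
    """Report the day's archive as completed only if it is present and the whole vault verifies."""
    ok, problems = vault.verify()
    return {"as_of": as_of, "completed": ok and as_of in vault.blobs, "problems": problems}
```

The attestation is derived from a full verification pass rather than from the write succeeding, so a message reporting "completed" also vouches for every earlier day still being intact.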

As part of the audit verification process, members self-assert adherence to Sheltered Harbor Specifications in the initial “Ready” phase. Formal audits are performed during the final implementation stages—the “Set” and “Go” phases—and annually, attesting to adherence with the Sheltered Harbor specifications and the effectiveness of internal controls. The audits can be conducted by internal audit following standards of the Institute of Internal Auditors, or by an external assurance firm following AICPA Attestation Standards.


Tim Ryan is managing director at Sheltered Harbor.