Suppose the worst. A natural disaster, malware attack, or even a glitch takes down a bank's major systems, including backup and disaster recovery. What happens to customers' data – and, for that matter, their money?
Several financial industry groups have come up with a plan. They think each financial institution should create a secure and portable vault for its customer data. The data would be formatted to a standard all banks would adopt. The vault would be cordoned off from the rest of the bank's systems, so that cyberinfections would not be able to spread from one place to another.
If something took down a bank's entire infrastructure, including its backup and disaster recovery, somebody could dig through the rubble and pluck out the vault. They could then truck it over to another bank, which would load it into its system and start serving those customers as normal (or as close to normal as possible) .
"The data is encrypted, it's immutable, it's in storage, should another firm need to have access to it," said Tom Wagner, managing director of financial services operations at the Securities Industry and Financial Markets Association, one of the groups behind the initiative, which is called Sheltered Harbor.
The concept is a bit radical. It's also sensible for our times, when ransomware – malware capable of completely freezing companies' systems until they fork over a hefty payment – is on the rise and generally cyberattacks on banks get ever more effective.
U.S. banks already spend a fortune on data protection, backup and disaster recovery, due to regulation and the need to stay in business.
But an ugly and seldom-talked-about truth is that a devastating cyber or physical attack could take down backup and disaster recovery, too. We saw that on 9/11, when some Wall Street firms' backup servers were destroyed. And we're bound to see it in cyberspace. There's little to stop invasive malware from moving from a production system to a hot backup.
"We're trying to imagine the unimaginable here," Wagner said. "Some kind of cyberattack that impacts the ability for a customer to access their account at their bank or brokerage institution – that's what we're really preparing for."
Sheltered Harbor would provide a backup to the backup.
"This is about having more secure copies of data in a standardized format so if something really, really bad happened, there would be the ability to restore somewhere," said Steven Silberstein, Sheltered Harbor's CEO.
Sheltered Harbor is not designed to help banks or brokerage firms, which would need to do far more than restore customer data to survive cyberdisaster. It's intended to protect customers' data and life savings.
"This is focused on Main Street and the consumer and protection for them," Silberstein said.
Lesson from War Games
The groups behind Sheltered Harbor include the Financial Services – Information Sharing and Analysis Center, the Financial Services Roundtable, the Credit Union National Association, the American Bankers Association, the Independent Community Bankers of America and Sifma. They say the idea came out of cyberexercises with banks and brokerage firms in which they tried to assess vulnerabilities and the industry's ability to respond to attacks.
They point especially to the lessons from cybersecurity exercises led by the Treasury Department that took place this summer, which simulated a banking system collapse resulting from a cyberattack.
In the past three years, bank regulators have been getting tougher on disaster recovery, backup and encryption in their cybersecurity and vendor management guidelines. Asked if Sheltered Harbor goes further than the regulators do, Silberstein said: "It goes a little bit further. We're spiritually aligned with where regulation is going."
The key will be getting banks to use Sheltered Harbor's data format specification in their data backups. (Details of the spec, and of the overall initiative, are not being shared publicly yet.)
"Backups are usually specific to the infrastructure, programs and data formats a bank uses," Silberstein said. "If something bad happens and I need to move my data to a different bank, if it's not in an understandable format, you're going to spend weeks trying to program it."
Financial institutions tend to be slow to adopt new data standards (for examples, look at STIX, TAXII and FIBO) and tend to resist major changes to their systems, which are in many cases aged and hard to change.
Wagner says banks would not have to change their customer databases. "What would be required of each firm is a simple translation program to convert it from the database format to the Sheltered Harbor format," he said. "That makes it a little easier."
Silberstein said Sheltered Harbor probably wouldn't require banks to buy new technology. "Most of it is in place in the banks," he said. "It's a combination of which elements of technology and how collectively they're used together that makes the magic."
Bill Nelson, president and CEO of the Financial Services – Information Sharing and Analysis Center, said Sheltered Harbor incorporates a defense in depth strategy. "You're not relying on one aspect – layered security and resilience are the keys," he said.
If it works, it's a concept that could give consumers some peace of mind and return much-needed trust and goodwill to the financial services industry.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.