The Sheltered Harbor Project: A system of private sector collaboration to improve financial resilience | Global Resilience Institute

Hacking events targeting banks and other businesses have grown in magnitude over the last several years, resulting in financial losses and reduced consumer confidence. These intrusions have impacted a variety institutions including an $81 million theft from the Bank of Bangladesh, which used $10 dollar routers, no firewalls, and relied almost entirely on the SWIFT (Society for Worldwide Interbank Financial Telecommunication) financial transaction system for its security. The illegitimate transactions have also been point of contention between the Bank of Bangladesh and the Federal Reserve Bank of New York. The Federal Reserve contests that inquiries into the transactions were never answered, though the Bank of Bangladesh insists its employees followed protocol and argues that the five transactions should not have been approved.

Other major attacks have led to financial losses across companies in a variety of sectors including Russian Energy Company Rosneft, and American pharmaceuticals company Merck.

Brass colored safe lock
(Image of a Vault Lock, Flickr/Rob Pongsajapan)

In order to improve resilience against cyber-attacks, a group of banks and credit unions accounting for roughly 400 million accounts throughout the United States have joined the Sheltered Harbor Project. The participating institutions range from small, local banks to enormous corporations such as JPMorgan Chase and Bank of America. The Sheltered Harbor project addresses the vulnerability of banks to have their data destroyed or locked, debilitating their ability to operate and provide services. The worst-case, systematic fear is that if a major hacking were to take place that leaves large numbers of people without access to their bank accounts, it could result in a loss of faith in the banking system as a whole. This could cascade into a larger run on the banking system and spark a wider financial crisis. Traditional confidence-restoring policies carried out by the Federal Reserve and FDIC address bank failure caused by insolvency, but fail to protect them against threats of a cyberattack.

The Sheltered Harbor project offers one method of reducing the risk of cyberattacks. This system works by having banks extract specifically formatted data that is validated and encrypted, and then stored within a data vault. The data vault is subject to security standards including: it must be owned by each separate participant, must be “air-gapped” meaning it has no connection to outside networks, and must be immutable, meaning that its data cannot be modified. The design of the system has the advantages of being a decentralized, distributed model, so that the failure of one data vault should not impact the failure of others. If the Sheltered Harbor system is activated, the victim of a hacking is responsible for transmitting their data to a “Restoring Institution” who will decrypt the data, load it onto its platform, and allow customers to use basic services. This system hopes to achieve the goal of allowing customers to have access to their accounts within 48 hours.

These standards are established and administered by the Sheltered Harbor non-profit, which then accredits members as being “Sheltered Harbor Ready” if they follow set standards and procedures, and audits systems in order to ensure ongoing compliance. The Sheltered Harbor non-profit is governed by a 34 member board of directors from across the industry, and is an industry-founded initiative with no regulations mandating participation. Although the Sheltered Harbor system is administered by a non-profit, the system is built on voluntary cooperation between a diverse range of banks and credit unions, as well as industry organizations such as “the American Bankers Association (ABA, the Credit Union National Association (CUNA), the Independent Community Bankers of America (ICBA),” among multiple other industry organizations.

Currently, the Sheltered Harbor Project is working towards expanding the classes of financial assets that they can help to protect.

Sources and Further Reading:

  1. Banks Build Line of Defense for Doomsday Cyberattack – Wall Street Journal
  2. How It Works A 100,000 Foot View – Sheltered Harbor Project
  3. Sheltered Harbor Fact Sheet – Financial Services Information Sharing and Analysis Center
  4. US banks prepare cyberattack contingency plan – Insurance Business America
  5. Cyberattacks Hit Major Companies Across Globe – Wall Street Journal
  6. Hackers’ $81 Million Sneak Attack on World Banking – New York Times