U.S. financial firms plan to expand a secretive project protecting bank accounts against crippling cyberattacks so that it will also guard trillions of dollars in investment funds.
The industry-led project, called Sheltered Harbor, already is known to back up data for savings and checking accounts. But quietly, it’s wrapping in data on retail brokerage accounts at some of the nation’s largest firms, according to participants. And ultimately, the goal is to expand it to an even heftier pool of 401(k) accounts and pension funds, whose breach could upend global markets.
Sheltered Harbor, which began coming to light over the past year, already includes about 50 firms that collectively hold roughly two-thirds of retail bank accounts. The project relies on a “buddy system,” in which companies pair off, promising to step in for their partner with a backup set of account information if hackers succeed in erasing or locking up files.
The idea came in 2014 after hackers ravaged Sony Corp.’s U.S. film unit, deleting troves of data while leaking upcoming movies and embarrassing emails. But in this case, the global financial system is at stake.
“Being able to restore a network quickly is one of the most crucial elements for coping with cyber breaches and increasing resilience,” said Edward Stroz, co-founder and co-president of Stroz Friedberg, a cybersecurity firm. “Sheltered Harbor is the financial industry’s way of showing how it can perform disaster recovery and thus maintain consumer confidence.”
After the Sony attack, bankers conducting periodic cybersecurity exercises realized that a similar assault, even on a relatively small firm, could damage confidence in the financial system. One worry is that consumers could be spooked by a severe attack on one bank, then rush to pull funds from their own institutions, setting off a sweeping run. A similar scenario could play out with securities accounts.
Sheltered Harbor’s members include the nation’s largest lenders, such as JPMorgan Chase & Co., Bank of America Corp. and Citigroup Inc., as well as U.S. regional banks and some smaller firms (other names are secret, like many other details). It’s a subsidiary of the Financial Services Information Sharing and Analysis Center, whose nearly 7,000 members range from multitrillion-dollar asset managers like State Street Corp. to retirement plan providers, insurers and other financial firms of all sizes.
Though a number of big firms have kept daily backups stored in secret mountain hideouts for years, that’s not much help without a functioning network. So, Sheltered Harbor’s members use a standard format to back up account data and collaborate with a partner company that can take over in an emergency.
If one company’s computer system is devastated, the backup account data can be activated on the partner’s network, giving affected customers access to their accounts within 24 hours or so. Pairs are tasked with carrying out periodic exercises, using sample data to ensure they can recreate the other’s services.