Sheltered Harbor

Sheltered Harbor was founded to protect customers, financial institutions, and public confidence in the financial system when a catastrophic event such as a cyberattack causes critical systems — including backups — to fail. Implementing Sheltered Harbor’s standards augments an institution’s disaster recovery and business continuity plans, with industry-developed crisis and emergency management processes. This enables institutions to proactively plan for and recover from crisis and continue to provide essential services for its customers while it reestablishes normal operations. Sheltered Harbor is a not-for-profit, industry-led “standards setting and certification” organization comprised of financial institutions, core service providers, national trade associations, alliance partners and solution providers dedicated to enhancing financial sector stability and resiliency.

To learn more, please visit shelteredharbor.org.

How It Works: Three Pillars

Data Vaulting

Institutions back up critical data regularly in accordance with Sheltered Harbor standards, either managing their own vault or using a participating service provider. The data vault is completely isolated from the institution’s production systems, and attackers cannot reach the vault. The data vault is encrypted, unchangeable and completely separated from the institution’s infrastructure, including all backups.

Resiliency Planning

Sheltered Harbor participants must complete a rigorous and disciplined plan to address all business and technical steps necessary to restore essential services in the event of a cyberattack where all options to restore critical systems, including backups, cannot be completed in time to maintain customer confidence. Sheltered Harbor has defined specific playbooks that must be developed and tested by the institution before applying for and receiving Sheltered Harbor Cyber Resilience Certification.

Certification

Every Sheltered Harbor participant must institute a robust set of prescribed industry-developed safeguards and controls, all of which are independently assessed and/or audited annually to ensure compliance with Sheltered Harbor’s standards. Participants must also conduct an annual data recovery and data verification test. Only then will participants receive Sheltered Harbor certification and be allowed to display the certification seal. Testing, validation, and independent assessments will also be required to prove that resilience plans are in place and the participant’s organization is up to the task when a crisis arises.

Frequently Asked Questions

Why Sheltered Harbor?

Sheltered Harbor helps companies survive a crisis, like a major technology disruption caused by a cyber incident. Even if all critical systems, including backups fail, the company will be able to restore critical business services. This helps maintain customer confidence and buys the company time to restore normal operations.

Why Sheltered Harbor Certification?

Regulators around the globe recognize Sheltered Harbor as the financial industry’s standards setting and certification body for cyber resilience. Implementing Sheltered Harbor’s standards is critical for any financial institution planning to survive a crisis, like a “zero-day” cyber-attack, data corruption, or data deletion event. The Sheltered Harbor standards and certification:

  • Provide evidence that a financial institution has taken additional measures to protect their customers, business, and the industry from cyber threats.
  • Prove that a financial institution has adopted the prescribed industry-developed safeguards and controls, which have been independently assessed for compliance.
  • Enhance a financial institution’s resilience, reputation, and customer trust that their critical data supporting key business processes will survive a cyber event.

Why now?

Boards want assurances that when their businesses are impacted by an extreme crisis, that they can survive “to trade another day”, by providing essential services for their clients despite the setback. Following Sheltered Harbor’s standards, provides those assurances, as early adopters who have implemented and certified will attest.

Who is eligible to join?

Participation is open to financial institutions of all types and sizes including Banks, Credit Unions, Brokerages, Industry Associations, Service Providers Asset Managers, Transfer Agents, Recordkeepers, Insurers, Custodians, Payment Processors and Enablers, Loan Processors and Originators, Hedge Funds, Private Equity, and any other organizations hosting private financial information. Sheltered Harbor plans to expand to other critical sectors globally over time.

Are financial institutions required to join Sheltered Harbor?

Sheltered Harbor is a not-for-profit, industry-led organization. While participation is voluntary, it is highly regarded and recommended by the regulators. Please see the FFIEC Cybersecurity Resource Guide for more information. We can best protect our customers, ourselves, and the entire U.S. financial system when every financial institution joins.

Herewith some links to additional regulatory guidance outlining where Sheltered Harbor’s standards help satisfy certain regulatory expectations:

How hard is it to implement?

The standards are not difficult to implement. The level of effort required varies according to the institutions size and complexity, as well as pre-existing infrastructure, operations, and skills base, and whether you use a core service provider, or manage everything in-house. Typically, for small- mid-size institutions, certification can be achieved in as little as 3-6 months, while for large, more complex institutions, anywhere from 12-18 months.

The key factors are prioritization by top leadership and building a cross-functional team to manage the process. Your team should include operations, technology, information security, risk management, audit and compliance, and other relevant departments.

If I use a Service Provider for core processing, do I still need to join Sheltered Harbor?

Yes! If you use a Service Provider for core processing and elect to use their Data Vaulting Solution, you still need to join Sheltered Harbor to receive the services. You also need to develop your own Sheltered Harbor Resilience Plan to achieve Sheltered Harbor Resilience Certification. The following core providers are offering Sheltered Harbor Vaulting Solutions today:

If you use a different service provider and they haven’t joined Sheltered Harbor yet, please ask them to do so, or send us a note with their contact information and we will reach out to them about joining.

How do I learn more or join Sheltered Harbor?

To learn more or to join Sheltered Harbor, access the fact sheet or visit shelteredharbor.org.

Participation fees are minimal. Implementation costs vary by size and complexity of institution as well as infrastructure, operations, and skills base. Learn more about Sheltered Harbor’s annual participation fees.