Contact a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
View All Industry Solutions
Learning Center
Articles
Whitepapers
Case Studies
Events & Live Webinars
On-Demand Webinars
Visit the Learning Center
Our Process
About Us
Leadership Team
Careers
Corporate Social Responsibility
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Learning Center
Learning Center
Visit the Learning Center
Articles
Articles
Whitepapers
Whitepapers
Case Studies
Case Studies
Events & Live Webinars
Events & Live Webinars
On-Demand Webinars
On-Demand Webinars
Our Process
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Contact a Specialist

«  View All Posts

Financial Institutions Get Proactive Against Cybercrime: The Sheltered Harbor Initiative Blog Feature

By: Schellman

Print/Save as PDF

Financial Institutions Get Proactive Against Cybercrime: The Sheltered Harbor Initiative

Cybersecurity | Sheltered Harbor

The following was created and written by Carlos Recalde, CEO of Sheltered Harbor. In the spirit of our partnership, Schellman has posted it here in advance of our joint webinar with Sheltered Harbor on April 1, 2022.

On October 11, 2021, the Associated Press released the results of a joint poll conducted by the Associated Press-NORC Center for Public Affairs Research and the Pearson Institute. The subject of this poll was America’s cybersecurity. While the results are not encouraging, they are not unexpected. Ninety percent of Americans are at least somewhat concerned about hackers accessing their financial information, personal information, or certain utilities and government agencies. In addition, 66% of Americans are extremely concerned about experiencing such a situation.

In the last year, there have been several high-profile ransomware attacks. In these attacks, criminals encrypt an organization’s data, including backed-up data, so that authorized users cannot access it. Then, the criminals demand payment to decrypt the data. In the Poker Game of Ransomware, A Data Vault is Your Ace in the Hole, says Carlos Recalde, President and CEO of Sheltered Harbor. Sheltered Harbor is the industry established and led not-for-profit organization responsible for defining and maintaining the sector’s resilience standard ("Sheltered Harbor Standard"), promoting its adoption, and ensuring adherence through independent audits and certifications.

The Sheltered Harbor Standard is the only standard and best practice for the "data protection of isolated data", resilience and recovery. It was developed by hundreds of the financial industry’s subject matter experts and is as acknowledged by the financial regulators. The Sheltered Harbor Standard:

  • Offers a comprehensive approach to resilience, mitigating the effects of bad actors attempts at penetrating, proliferating, and paralyzing your business.
  • Provides peace of mind that all backups are segregated, secured and immutable, keeping bad actors from making critical data unavailable.
  • Is for U.S. financial institutions of all types.

The Sheltered Harbor approach relies on three foundational elements: data vaulting, resiliency planning and certification.

Data Vaulting

In a sense, this is an old-school solution to a new era problem. There is no need to envision acres of warehouses filled with filing cabinets. A key component is that critical data is stored offline in an air-gapped vault, which is unique in this digital-dependent world of ours. According to the Sheltered Harbor website, “Institutions back up critical customer account data in an untouchable offline archive.” At the close of business every day, the organization backs up its customer data using the Sheltered Harbor standard format. The data is stored in a vault that is “encrypted, unchangeable, and completely separated from the institution’s infrastructure, including all backups.” A financial institution can choose to manage its own vault or use one of the participating service providers. Should a catastrophic event occur, the institution can transmit the data to a restoration platform, allowing them to restore customer access quickly.

Resiliency Planning

In simple terms, this is enhanced risk management planning for critical services. A supplementary, augmentation of any financial institution's resilience strategy. The organization creates an eight-point emergency plan. This plan considers: resiliency targets, incident management, liquidity and funding, testing, funds access, crisis communications, data recovery, restoration partner agreements, and return to normal operations. In this step, the financial institution “prepares their business and technical processes and key decision arrangements to be activated in an extreme event, where all other options to restore critical systems—including backups—have failed. Sheltered Harbor Participants prepare to respond and recover, ensuring they remain connected with their customers and can continue to serve them with essential services, within hours of a catastrophic event, whilst the institution recovers normal operations.”

Certification

Participating institutions that have adopted the robust set of prescribed Sheltered Harbor safeguards and controls, which have been independently audited by a Sheltered Harbor Qualified Assessor for effectiveness and compliance are awarded certification. This informs all stakeholders and the regulators that the entity has taken additional steps to protect and secure its critical data.

Schellman & Co. is a proud Sheltered Harbor alliance partner and Qualified Assessor that will help new Sheltered Harbor Participants with adherence to the standard.

A Final Word

Imagine that you are on a road trip, and you stop for gas. Your debit card does not work. You call your financial institution and are informed that their systems are down due to a cyberattack. Whether it is a ransomware attack, or another type of malicious cyberattack, that does not change the fact you and thousands of other customers cannot access your money. You are stranded, literally and figuratively. Depending on how widespread the attack is, it may take days or weeks for all systems to be operational again. In this digital age, so much depends on a financial institution’s cyber security.

In our highly polarized political climate, there are few issues that both parties agree on. Protecting U.S. consumers from cyberattacks seems to be one. Whether foreign governments or independent gangs of cyber criminals are responsible, cyberattacks put livelihoods at risk. Sheltered Harbor protected critical data can also be valuable in response to any catastrophic event that impacts all operational systems and their backups. Financial institutions can build trust among their client base by earning Sheltered Harbor certification. The Sheltered Harbor initiative allows financial institutions to take back control and get back to business.

About the Author:

Carlos-1Carlos Recalde wrote the book on Sheltered Harbor. This financial industry consortium is working to enhance resiliency for consumer accounts in Banks and Brokerages throughout the U.S. Carlos oversees all operations of this industry funded not-for-profit organization -not the least of which is the ongoing development and implementation of the Sheltered Harbor protection scheme for U.S. deposit and brokerage accounts.

Carlos has been managing businesses and implementing technology since last century. He has successfully launched four different technology-focused businesses. Carlos served as the Executive Director of Technology for the Americas Region of KPMG, the international professional service firm.. He was Senior Vice-President for Product Management at Lehman Brothers, Prime Services business, As the CTO for SunGard’s Asset Management business, he brought market-value product and technology development together to increase revenues by over 15% in two years.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

Schellman

4010 W Boy Scout Boulevard, Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S. 1.813.288.8833

Services
Industries
Resources
Company

© SchellmanPrivacy PolicyTerms

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.