U.S. banks have quietly launched a doomsday project they hope will prevent a run on the financial system should one of them suffer a debilitating cyberattack.
The effort, which went live earlier this year and is dubbed Sheltered Harbor, currently includes banks and credit unions that have roughly 400 million U.S. accounts. The effort requires member firms to individually back up data so it can be used by other firms to serve customers of a disabled bank.
While most people worry about their money being stolen in a hack, banks fear something more sinister: an attacker destroying, or even simply locking, data.
Such moves could cripple a bank, leaving it unable to operate for hours, days, or perhaps much longer. If people suddenly can’t access their accounts and money at one bank, customers at other banks could panic, thinking they might be vulnerable, too. This could prompt them to withdraw funds as a precaution and, in a worst-case scenario, spark a run on the wider banking system.
“So far, most people think about cyber in terms of having a credit card stolen,” said Stuart Madnick, a professor of information technologies at the MIT Sloan School of Management. “What you’re talking about now is a nuclear attack: If you can’t get to the ATM and get it to work.”
While data was stolen rather than destroyed in the Equifax Inc. hack disclosed in September, that breach was a reminder of how vulnerable consumers are. The Equifax hack exposed vital personal information of potentially 145.5 million Americans.
Especially troubling for banks is the possibility that the government could have difficulty tamping down a hack-induced panic.
Agencies like the Federal Reserve and Federal Deposit Insurance Corp. have long had mechanisms meant to restore confidence in the banking and financial system. These include the Fed’s discount window, which allows banks to borrow money in times of trouble, and the FDIC’s deposit insurance guarantees, which assure many bank customers won’t be left in the lurch by a failure.
These mechanisms, however, were designed to counter bank failures typically induced by questions about a firm’s solvency or liquidity. They don’t address the fear that a bank’s ATMs might one day stop working because of a cyberattack.
U.S. officials have long acknowledged they remain fearful of — and find it hard to prepare for — the potential confidence effect of an attack on financial data. Jerome Powell, President Donald Trump’s pick as the next head of the Federal Reserve, said recently of cyberrisk: “There can never be any sense of comfort that we’ve got this nailed.”
Banks and regulators have been trying to devise responses. One method is to conduct “war games,” such as Quantum Dawn in the U.S., or Operation Waking Shark in the U.K.
In a 2015 exercise run by the U.S. Treasury known as the Hamilton Series, bankers learned that data disruptions at even small banks could shatter confidence in the broader system. The informal “buddy bank” system, in which two local branches agree to help each other’s customers in a crisis, wasn’t sufficient to stem systemic fears.
For big banks, in particular, such experiences reinforced the reality that while some institutions can spend huge amounts on cybersecurity, they can still be vulnerable if there is an overall loss of confidence. And the proliferation of technology companies using small banks to facilitate billions of dollars in mobile payments or digital loans means any institution can become a key cog in the system.
“This level of vulnerability to cyberattack didn’t exist in 2008,” said Paul Bracken, a professor at the Yale School of Management who has developed war-game scenarios with banks since the 1990s. “The question is how you handle…new ports to enter the system.”
One answer was Sheltered Harbor, whose participants range from small, local institutions to giants such as Bank of America Corp., Citigroup Inc., and JPMorgan Chase & Co. Its 34-member board is composed of representatives of individual big banks, groups of smaller firms, trade associations, clearinghouses and broker-dealers.
The project was hatched by Phil Venables, chief operational risk officer at Goldman Sachs, and James Rosenthal, Morgan Stanley’s former chief operating officer. Both are now co-chairs of Sheltered Harbor.
The idea is to ensure that every U.S. bank has the kind of backups that some of the biggest banks have been using since the 1990s: protected in vaults, whether digital or physical, and unalterable once recorded.
To participate, banks pay fees ranging from $250 to $25,000 a year, depending on their size. Members must follow specific guidelines on formatting data, creating a backup vault and submitting to audits. The goal is to make it feasible for backed-up data to start being used to cover an affected institution’s customers within 48 hours.
Steven Silberstein, former chief technology officer of SunGard, a bank-tech provider, who now heads the staff at Sheltered Harbor, likened the effort to seed banks, the Arctic vaults where governments keep basic material for agriculture, to be accessed in case a nuclear attack devastates the planet.
“For all the protection we have in place, what if the worst and unimaginable happened?” he said.
Of course, no defense is foolproof. Mr. Madnick, whose Cybersecurity at MIT Sloan center has studied industry groups that share security information, said such efforts have had mixed success in the past, sometimes because smaller firms find the costs of handling data to be shared prohibitive. There is also a risk that backups are compromised.
“You have to ensure the backup copy is not a copy of already scrambled data,” he said.