Sheltered Harbor is the not-for-profit, industry-led standard for protecting and recovering customer account data if a catastrophic event causes critical systems - including backups - to fail. A subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC), its purpose is to promote the stability and resiliency of the financial sector and to preserve public confidence in the financial system in the face of an extended systems outage or destructive cyberattack. The Sheltered Harbor standard combines secure data vaulting of critical customer account information and a resiliency plan to provide customers timely access to their data and funds in a worst-case scenario. Financial institutions that successfully implement the standard become eligible for Sheltered Harbor certification.
To join the Sheltered Harbor community or for more information, visit ShelteredHarbor.org.
Sheltered Harbor is currently open to U.S. banks, credit unions, broker-dealers, asset managers, industry associations, and core service providers.
Institutions back up critical customer account data each night in the Sheltered Harbor standard format, either managing their own vault or using their service provider.
The data vault is encrypted, unchangeable, and completely separated from the institution’s infrastructure, including all backups.
Institutions prepare the business and technical processes and key decision arrangements to be activated in the case of a Sheltered Harbor event, where all other options to restore critical systems - including backups - have failed.
They also designate a restoration platform so that if the Sheltered Harbor Resiliency Plan is activated, the platform can recover data from the vault to restore customer funds access as quickly as possible while the institution works to get back online.
Certification is a critical component of the Sheltered Harbor initiative. Participants adopt a robust set of prescribed safeguards and controls, which are independently audited for compliance with the Sheltered Harbor standard.
Upon completing the requirements for Data Vaulting, the institution will be awarded Sheltered Harbor certification and an accompanying seal, communicating that their customer account data is protected.
Participation is open to U.S. financial institutions of all sizes including banks, credit unions, brokerages, asset managers, industry associations, and service providers.
Sheltered Harbor’s vision is to expand to other asset classes and geographies over time.
Sheltered Harbor is a not-for-profit, industry-led initiative. Participation is voluntary. We can best protect our customers, ourselves, and the entire U.S. financial system when every financial institution joins.
Regulators support the initiative. Please see the FFIEC Cybersecurity Resource Guide for more information.
The Specification, as well as many resources to help with implementation, is available only to participants.
Participation fees to join Sheltered Harbor are minimal. Implementation costs vary by size and complexity of institution as well as infrastructure, operations and skills base.
Learn more about annual participation fees.
While effort required varies according to size and complexity as well as pre-existing infrastructure, operations, and skills base, Sheltered Harbor is not especially difficult to implement. Smaller institutions have declared their first Sheltered Harbor milestone in as little as three months, while it takes longer for large, complex institutions.
The key factors are prioritization by top leadership and building a cross-functional team to manage the process. Your team should include operations, technology, information security, risk management, audit and compliance, and other relevant departments.
We’ve developed many resources to help you get Sheltered Harbor Certified as quickly as possible, which you can access as soon as you join:
In addition to the resources available to all participants on our content portal, we have entered into alliance partnerships with advisory and assurance firms to help you plan and implement the standard.
We are also currently developing a solution provider program to help with technology and implementation tools. We will post updates as these come online.
Yes. If you use a Service Provider for core processing and elect to use their Data Vaulting Solution, you still need to join Sheltered Harbor to receive the services. You also need to develop your own Sheltered Harbor Resiliency Plan in order to achieve Sheltered Harbor Certification.
The following providers are currently developing Sheltered Harbor Vaulting Solutions:
If you do not see your provider, please contact them directly. They may have joined Sheltered Harbor, but not yet made public announcements. If they haven't joined Sheltered Harbor yet, either ask them to do so or send us a note with their contact information and we will reach out to them about joining the initiative.
Check out our Fact Sheet for answers to many questions.
Don't hesitate to get in touch for more information.
Email us at [email protected]
Phone: +1 (347) 797-1230
Mailing address: 12020 Sunrise Valley Drive, Suite 230, Reston, VA 20191