ABA: The American Bankers Association

Sheltered Harbor

Sheltered Harbor is the not-for-profit, industry-led standard for protecting and recovering customer account data if a catastrophic event causes critical systems - including backups - to fail. A subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC), its purpose is to promote the stability and resiliency of the financial sector and to preserve public confidence in the financial system in the face of an extended systems outage or destructive cyberattack. The Sheltered Harbor standard combines secure data vaulting of critical customer account information and a resiliency plan to provide customers timely access to their data and funds in a worst-case scenario. Financial institutions that successfully implement the standard become eligible for Sheltered Harbor certification.

To join the Sheltered Harbor community or for more information, visit ShelteredHarbor.org.

Why Sheltered Harbor?

  • Built collaboratively by hundreds of the top subject matter experts in the financial industry
  • The industry-developed standard for customer data protection and recovery of access to funds when critical systems fail
  • Broad industry backing includes major industry associations, service providers, advisory and assurance firms, and regulator support
  • Participating institutions already hold the majority of U.S. deposit accounts and brokerage client assets. To protect the entire industry, 100% participation is optimal
  • Participation is low-cost and scaled to institution size and scope
  • At all times, participants maintain control of their own customer data, plans and processes.

Industry Adoption

Sheltered Harbor is currently open to U.S. banks, credit unions, broker-dealers, asset managers, industry associations, and core service providers.

  • ~70% of U.S. deposit accounts
  • ~55% of U.S. retail brokerage client assets

How It Works: Three Pillars

Data Vaulting

Institutions back up critical customer account data each night in the Sheltered Harbor standard format, either managing their own vault or using their service provider.

The data vault is encrypted, unchangeable, and completely separated from the institution’s infrastructure, including all backups.

Sheltered Harbor Resiliency Planning

Institutions prepare the business and technical processes and key decision arrangements to be activated in the case of a Sheltered Harbor event, where all other options to restore critical systems - including backups - have failed.

They also designate a restoration platform so that if the Sheltered Harbor Resiliency Plan is activated, the platform can recover data from the vault to restore customer funds access as quickly as possible while the institution works to get back online.

Certification

Certification is a critical component of the Sheltered Harbor initiative. Participants adopt a robust set of prescribed safeguards and controls, which are independently audited for compliance with the Sheltered Harbor standard.

Upon completing the requirements for Data Vaulting, the institution will be awarded Sheltered Harbor certification and an accompanying seal, communicating that their customer account data is protected.

FAQs

Who is eligible to join Sheltered Harbor?

Participation is open to U.S. financial institutions of all sizes including banks, credit unions, brokerages, asset managers, industry associations, and service providers.

Sheltered Harbor’s vision is to expand to other asset classes and geographies over time.

Are financial institutions required to join Sheltered Harbor?

Sheltered Harbor is a not-for-profit, industry-led initiative. Participation is voluntary. We can best protect our customers, ourselves, and the entire U.S. financial system when every financial institution joins.

Regulators support the initiative. Please see the FFIEC Cybersecurity Resource Guide for more information.

How do I get the Sheltered Harbor Specification?

The Specification, as well as many resources to help with implementation, is available only to participants.

Join Sheltered Harbor today.

How much does it cost?

Participation fees to join Sheltered Harbor are minimal. Implementation costs vary by size and complexity of institution as well as infrastructure, operations and skills base.

Learn more about annual participation fees.

How hard is it to implement Sheltered Harbor?

While effort required varies according to size and complexity as well as pre-existing infrastructure, operations, and skills base, Sheltered Harbor is not especially difficult to implement. Smaller institutions have declared their first Sheltered Harbor milestone in as little as three months, while it takes longer for large, complex institutions.

The key factors are prioritization by top leadership and building a cross-functional team to manage the process. Your team should include operations, technology, information security, risk management, audit and compliance, and other relevant departments.

We’ve developed many resources to help you get Sheltered Harbor Certified as quickly as possible, which you can access as soon as you join:

  • Guides for every step of the process
  • Forums for support and collaboration
  • Training through webinars and live events
  • Reference Architectures to see how others have implemented
  • Technology Solutions such as encryption software (additional fees may apply)
  • Alliance Partners to help build the right plan for your institution

How can I get help implementing Sheltered Harbor?

In addition to the resources available to all participants on our content portal, we have entered into alliance partnerships with advisory and assurance firms to help you plan and implement the standard.

We are also currently developing a solution provider program to help with technology and implementation tools. We will update as they come online.

If I use a Service Provider for core processing, do I still need to join Sheltered Harbor?

Yes. If you use a Service Provider for core processing and elect to use their Data Vaulting Solution, you still need to join Sheltered Harbor to receive the services. You also need to develop your own Sheltered Harbor Resiliency Plan in order to achieve Sheltered Harbor Certification.

The following providers are currently developing Sheltered Harbor Vaulting Solutions:

If you do not see your provider, please contact them directly. They may have joined Sheltered Harbor, but not yet made public announcements. If they haven't joined Sheltered Harbor yet, either ask them to do so or send us a note with their contact information and we will reach out to them about joining the initiative.

How do I contact someone for more details about Sheltered Harbor?

Check out our Fact Sheet for answers to many questions.

Don't hesitate to get in touch for more information.

Email us at [email protected]

Phone: +1 (347) 797-1230

Mailing address: 12020 Sunrise Valley Drive, Suite 230, Reston, VA 20191

Our Experts

Heather Wyson-Constantine

Vice President, Cyber & Physical Security

Paul Benda

Executive Vice President, Risk, Fraud & Cybersecurity

Krista Shonk

SVP & Senior Counsel, Regulatory Compliance & Policy

John Carlson

Senior Vice President, Cybersecurity

Tom Rosenkoetter

SVP, Executive Director, Card Policy Council
