By Telis Demos
U.S. banks have quietly launched a doomsday project they hope
will prevent a run on the financial system should one of them
suffer a debilitating cyberattack.
The effort, which went live earlier this year and is dubbed
Sheltered Harbor, currently includes banks and credit unions that
have roughly 400 million U.S. accounts. The effort requires member
firms to individually back up data so it can be used by other firms
to serve customers of a disabled bank.
While most people worry about their money being stolen in a
hack, banks fear something more sinister: an attacker destroying,
or even simply locking, data.
Such moves could cripple a bank, leaving it unable to operate
for hours, days, or perhaps much longer. If people suddenly can't
access their accounts and money at one bank, customers at other
banks could panic, thinking they might be vulnerable, too. This
could prompt them to withdraw funds as a precaution and, in a
worst-case scenario, spark a run on the wider banking system.
"So far, most people think about cyber in terms of having a
credit card stolen," said Stuart Madnick, a professor of
information technologies at the MIT Sloan School of Management.
"What you're talking about now is a nuclear attack: If you can't
get to the ATM and get it to work."
While data was stolen rather than destroyed in the Equifax Inc.
hack disclosed in September, that breach was a reminder of how
vulnerable consumers are. The Equifax hack exposed vital personal
information of potentially 145.5 million Americans.
Especially troubling for banks is the possibility that the
government could have difficulty tamping down a hack-induced
panic.
Agencies like the Federal Reserve and Federal Deposit Insurance
Corp. have long had mechanisms meant to restore confidence in the
banking and financial system. These include the Fed's discount
window, which allows banks to borrow money in times of trouble, and
the FDIC's deposit insurance guarantees, which assure many bank
customers won't be left in the lurch by a failure.
These mechanisms, however, were designed to counter bank
failures typically induced by questions about a firm's solvency or
liquidity. They don't address the fear that a bank's ATMs might one
day stop working because of a cyberattack.
U.S. officials have long acknowledged they remain fearful of --
and find it hard to prepare for -- the potential confidence effect
of an attack on financial data. Jerome Powell, President Donald
Trump's pick as the next head of the Federal Reserve, said recently
of cyberrisk: "There can never be any sense of comfort that we've
got this nailed."
Banks and regulators have been trying to devise responses. One
method is to conduct "war games," such as Quantum Dawn in the U.S.,
or Operation Waking Shark in the U.K.
In a 2015 exercise run by the U.S. Treasury known as the
Hamilton Series, bankers learned that data disruptions at even
small banks could shatter confidence in the broader system. The
informal "buddy bank" system, in which two local branches agree to
help each other's customers in a crisis, wasn't sufficient to stem
systemic fears.
For big banks, in particular, such experiences reinforced the
reality that while some institutions can spend huge amounts on
cybersecurity, they can still be vulnerable if there is an overall
loss of confidence. And the proliferation of technology companies
using small banks to facilitate billions of dollars in mobile
payments or digital loans means any institution can become a key
cog in the system.
"This level of vulnerability to cyberattack didn't exist in
2008," said Paul Bracken, a professor at the Yale School of
Management who has developed war-game scenarios with banks since
the 1990s. "The question is how you handle...new ports to enter the
system."
One answer was Sheltered Harbor, whose participants range from
small, local institutions to giants such as Bank of America Corp.,
Citigroup Inc., and JPMorgan Chase & Co. Its 34-member board is
composed of representatives of individual big banks, groups of
smaller firms, trade associations, clearinghouses and
broker-dealers.
The project was hatched by Phil Venables, chief operational risk
officer at Goldman Sachs, and James Rosenthal, Morgan Stanley's
former chief operating officer. Both are now co-chairs of Sheltered
Harbor.
The idea is to ensure that every U.S. bank has the kind of
backups that some of the biggest banks have been using since the
1990s: protected in vaults, whether digital or physical, and
unalterable once recorded.
To participate, banks pay fees ranging from $250 to $25,000 a
year, depending on their size. Members must follow specific
guidelines on formatting data, creating a backup vault and
submitting to audits. The goal is to make it feasible for backed-up
data to start being used to cover an affected institution's
customers within 48 hours.
Steven Silberstein, former chief technology officer of SunGard,
a bank-tech provider, who now heads the staff at Sheltered Harbor,
likened the effort to seed banks, the Arctic vaults where
governments keep basic material for agriculture, to be accessed in
case a nuclear attack devastates the planet.
"For all the protection we have in place, what if the worst and
unimaginable happened?" he said.
Of course, no defense is foolproof. Mr. Madnick, whose
Cybersecurity at MIT Sloan center has studied industry groups that
share security information, said such efforts have had mixed
success in the past, sometimes because smaller firms find the costs
of handling data to be shared prohibitive. There is also a risk
that backups are compromised.
"You have to ensure the backup copy is not a copy of already
scrambled data," he said.
(END) Dow Jones Newswires
December 03, 2017 07:14 ET (12:14 GMT)
Copyright (c) 2017 Dow Jones & Company, Inc.
JP Morgan Chase (NYSE:JPM)
Historical Stock Chart
From Mar 2024 to Apr 2024
JP Morgan Chase (NYSE:JPM)
Historical Stock Chart
From Apr 2023 to Apr 2024