Wall Street aims to protect 401(k)s from hacking nightmare

A system for backing up bank accounts is expanding to include other nest eggs.
JAN 04, 2018
U.S. financial firms plan to expand a secretive project protecting bank accounts against crippling cyberattacks so that it will also guard trillions of dollars in investment funds. The industry-led project, called Sheltered Harbor, already is known to back up data for savings and checking accounts. But quietly, it's wrapping in data on retail brokerage accounts at some of the nation's largest firms, according to participants. Ultimately, the goal is to expand it to an even heftier pool of 401(k) accounts and pension funds, whose breach could upend global markets.

Sheltered Harbor, which began coming to light over the past year, already includes about 50 firms that collectively hold roughly two-thirds of retail bank accounts. The project relies on a "buddy system," in which companies pair off, promising to step in for their partner with a backup set of account information if hackers succeed in erasing or locking up files. The idea came in 2014 after hackers ravaged Sony Corp.'s U.S. film unit, deleting troves of data while leaking upcoming movies and embarrassing emails. But in this case, the global financial system is at stake.

"Being able to restore a network quickly is one of the most crucial elements for coping with cyber breaches and increasing resilience," said Edward Stroz, co-founder and co-president of Stroz Friedberg, a cybersecurity firm. "Sheltered Harbor is the financial industry's way of showing how it can perform disaster recovery and thus maintain consumer confidence."

After the Sony attack, bankers conducting periodic cybersecurity exercises realized that a similar assault, even on a relatively small firm, could damage confidence in the financial system. One worry is that consumers could be spooked by a severe attack on one bank, then rush to pull funds from their own institutions, setting off a sweeping run. A similar scenario could play out with securities accounts.

Sheltered Harbor's members include the nation's largest lenders, such as JPMorgan Chase & Co., Bank of America Corp. and Citigroup Inc., as well as U.S. regional banks and some smaller firms (other names are secret like many other details). It's a subsidiary of the Financial Services Information Sharing and Analysis Center, whose nearly 7,000 members range from multitrillion-dollar asset managers like State Street Corp. to retirement plan providers, insurers and other financial firms of all sizes.

Though a number of big firms have kept daily backups stored in secret mountain hideouts for years, that's not much help without a functioning network. So Sheltered Harbor's members use a standard format to back up account data and collaborate with a partner company that can take over in an emergency. If one company's computer system is devastated, the backup account data can be activated on the partner's network, giving affected customers access to their accounts within 24 hours or so. Pairs are tasked with carrying out periodic exercises, using sample data to ensure they can recreate the other's services. The hope is that a stricken bank would soon restore its systems — hopefully within a few days — and resume control of its accounts.

Systemic Focus

The aim is to prevent a stampede of retail clients. There's no plan to expand Sheltered Harbor to wholesale, institutional clients of the firms, according to executives. For the largest banks, whose institutional client businesses are probably just as large and important as their vast retail networks, the danger is that a disruption would still irreparably harm the company's reputation and business. But the point is to guard the broader financial system. In fact, some executives see Sheltered Harbor as a tool for resolution, not recovery — as the regulators unwind the firm that has collapsed due to a cyberattack, its partner can provide access to retail accounts quickly. "Sheltered Harbor doesn't address the operational resiliency of member firms," said Trey Maust, who became CEO of the industry-funded operation this week. "Firms have their own continuity plans, and those typically address how to get back on one's feet after such a disruption quickly without losing clients or business."

Complicated Accounts

Because some of the largest banks in the group operate major retail brokerages, data for those accounts already are included in the backups. Yet, organizers are still working out how to provide continuity for those operations. Offering basic payments capabilities for checking and savings accounts is relatively straightforward. But practices vary among firms for helping brokerage clients buy and sell equities, fixed-income products and other instruments — making it much more complicated. "You could have two different partners, one for your checking and savings accounts restoration, one for your brokerage accounts," said Mr. Maust of Sheltered Harbor. "But both partners need to have transaction capability."
