Financial Institutions Get Proactive Against Cybercrime: The Sheltered Harbor Initiative

The following was created and written by Carlos Recalde, CEO of Sheltered Harbor. In the spirit of our partnership, Schellman has posted it here in advance of our joint webinar with Sheltered Harbor on April 1, 2022.

On October 11, 2021, the Associated Press released the results of a joint poll conducted by the Associated Press-NORC Center for Public Affairs Research and the Pearson Institute. The subject of this poll was America’s cybersecurity. While the results are not encouraging, they are not unexpected. Ninety percent of Americans are at least somewhat concerned about hackers accessing their financial information, personal information, or certain utilities and government agencies. In addition, 66% of Americans are extremely concerned about experiencing such a situation.

In the last year, there have been several high-profile ransomware attacks. In these attacks, criminals encrypt an organization’s data, including backed-up data, so that authorized users cannot access it. Then, the criminals demand payment to decrypt the data. In the Poker Game of Ransomware, A Data Vault is Your Ace in the Hole, says Carlos Recalde, President and CEO of Sheltered Harbor. Sheltered Harbor is the industry established and led not-for-profit organization responsible for defining and maintaining the sector’s resilience standard ("Sheltered Harbor Standard"), promoting its adoption, and ensuring adherence through independent audits and certifications.

The Sheltered Harbor Standard is the only standard and best practice for the "data protection of isolated data", resilience and recovery. It was developed by hundreds of the financial industry’s subject matter experts and is as acknowledged by the financial regulators. The Sheltered Harbor Standard:

  • Offers a comprehensive approach to resilience, mitigating the effects of bad actors attempts at penetrating, proliferating, and paralyzing your business.
  • Provides peace of mind that all backups are segregated, secured and immutable, keeping bad actors from making critical data unavailable.
  • Is for U.S. financial institutions of all types.

The Sheltered Harbor approach relies on three foundational elements: data vaulting, resiliency planning and certification.

Data Vaulting

In a sense, this is an old-school solution to a new era problem. There is no need to envision acres of warehouses filled with filing cabinets. A key component is that critical data is stored offline in an air-gapped vault, which is unique in this digital-dependent world of ours. According to the Sheltered Harbor website, “Institutions back up critical customer account data in an untouchable offline archive.” At the close of business every day, the organization backs up its customer data using the Sheltered Harbor standard format. The data is stored in a vault that is “encrypted, unchangeable, and completely separated from the institution’s infrastructure, including all backups.” A financial institution can choose to manage its own vault or use one of the participating service providers. Should a catastrophic event occur, the institution can transmit the data to a restoration platform, allowing them to restore customer access quickly.

Resiliency Planning

In simple terms, this is enhanced risk management planning for critical services. A supplementary, augmentation of any financial institution's resilience strategy. The organization creates an eight-point emergency plan. This plan considers: resiliency targets, incident management, liquidity and funding, testing, funds access, crisis communications, data recovery, restoration partner agreements, and return to normal operations. In this step, the financial institution “prepares their business and technical processes and key decision arrangements to be activated in an extreme event, where all other options to restore critical systems—including backups—have failed. Sheltered Harbor Participants prepare to respond and recover, ensuring they remain connected with their customers and can continue to serve them with essential services, within hours of a catastrophic event, whilst the institution recovers normal operations.”


Participating institutions that have adopted the robust set of prescribed Sheltered Harbor safeguards and controls, which have been independently audited by a Sheltered Harbor Qualified Assessor for effectiveness and compliance are awarded certification. This informs all stakeholders and the regulators that the entity has taken additional steps to protect and secure its critical data.

Schellman & Co. is a proud Sheltered Harbor alliance partner and Qualified Assessor that will help new Sheltered Harbor Participants with adherence to the standard.

A Final Word

Imagine that you are on a road trip, and you stop for gas. Your debit card does not work. You call your financial institution and are informed that their systems are down due to a cyberattack. Whether it is a ransomware attack, or another type of malicious cyberattack, that does not change the fact you and thousands of other customers cannot access your money. You are stranded, literally and figuratively. Depending on how widespread the attack is, it may take days or weeks for all systems to be operational again. In this digital age, so much depends on a financial institution’s cyber security.

In our highly polarized political climate, there are few issues that both parties agree on. Protecting U.S. consumers from cyberattacks seems to be one. Whether foreign governments or independent gangs of cyber criminals are responsible, cyberattacks put livelihoods at risk. Sheltered Harbor protected critical data can also be valuable in response to any catastrophic event that impacts all operational systems and their backups. Financial institutions can build trust among their client base by earning Sheltered Harbor certification. The Sheltered Harbor initiative allows financial institutions to take back control and get back to business.

About the Author:

Carlos-1Carlos Recalde wrote the book on Sheltered Harbor. This financial industry consortium is working to enhance resiliency for consumer accounts in Banks and Brokerages throughout the U.S. Carlos oversees all operations of this industry funded not-for-profit organization -not the least of which is the ongoing development and implementation of the Sheltered Harbor protection scheme for U.S. deposit and brokerage accounts.

Carlos has been managing businesses and implementing technology since last century. He has successfully launched four different technology-focused businesses. Carlos served as the Executive Director of Technology for the Americas Region of KPMG, the international professional service firm.. He was Senior Vice-President for Product Management at Lehman Brothers, Prime Services business, As the CTO for SunGard’s Asset Management business, he brought market-value product and technology development together to increase revenues by over 15% in two years.

About the Author

Schellman Compliance

Schellman is a leading global provider of attestation, compliance, and certification services. Operating as an alternative practice structure as Schellman & Company, LLC, a top 100 CPA firm, and Schellman Compliance, LLC, a globally accredited compliance assessment firm, we are able to offer clients services as a CPA firm, an ISO Certification Body, a PCI Qualified Security Assessor Company, a HITRUST assessor, a FedRAMP 3PAO, and as one of the first CMMC Authorized C3PAOs. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Schellman's approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives using a single third-party assessor. For more information, please visit

More Content by Schellman Compliance
Previous Article
Are Passwords Still Useful?
Are Passwords Still Useful?

FIDO's painting a picture where passwords are a thing of the past. Read about their proposed alternative au...

Next Article
Do You Need a Ransomware Preparedness Assessment?
Do You Need a Ransomware Preparedness Assessment?

Don't want to fall victim to the growing threat of ransomware? Find out how Schellman's Ransomware Prepared...

Now Providing C5 Examinations

Learn about C5