In my previous blog, I had explained the three pillars that form the foundation of the Sheltered Harbor approach to cyber resiliency. Here we discuss why your organization needs a cyber resilience plan. The primary objective for financial institutions is to maintain customer confidence, even after being debilitated by a devastating cyberattack. Preparing for a devastating scenario is not a walk in the park, and Sheltered Harbor’s early adopters learned getting everyone on board with the mission requires planning and training. I’d like to shed a little light on how we can prepare ourselves to discuss this with everyone in our institution, so that they can contribute to plans which are necessary to survive devastation.

Cybercriminals wage war against us and thousands of cybersecurity experts battle in the shadows to help us defend ourselves. We, private citizens, employed by private institutions, are being attacked by adversaries (some of which are nation states) that are determined to take advantage. And the enemy is becoming more cunning with their daily attacks. We need to recognize that we are at war in the cyber arena. If we want to reap the benefits of a highly connected world, we must face the challenges that come with it. We need to raise the stakes and elevate how we prepare ourselves.

The private sector, including much of the financial industry, has been playing defense in this cyber arena. The cracks in our armor are likely to get worse as our adversaries continue to invest in their offense. The private sector can learn from the military, which runs drills and is always preparing to go into action. In the US Navy, the concept of General Quarters refers to everyone heading to their designated station, each knowing exactly what to do and how quickly they are expected to do it. This concept can be used in the private sector, which must learn to keep functioning despite the damage from a hit. For this, people must know what is expected of them and practice regularly. This is the gist of Resiliency Planning the Sheltered Harbor way.

Some teams believe they already have disaster recovery and business continuity plans in place and wonder how the Sheltered Harbor approach is any different. The objective of maintaining customer confidence is directly linked to how promptly critical services are made available after an attack.

Most DR/BC Plans are not bound by time, as the focus is on recovering critical systems to their original state. During a major attack, those two objectives are likely to be in conflict. TIME is the fundamental difference between Sheltered Harbor Resilience Plans and traditional DR/BC Plans. Sheltered Harbor resilience plans trade off scope of business function recovery to meet the short windows available to stem the panic and maintain customer confidence, while giving the time necessary for DR/BC Plans to fully recover all operations as designed. 

To prepare to become cyber resilient the Sheltered Harbor community considered what “General Quarters” would look like for a bank and how an entire organization could adopt a new way of working overnight.

Our General Quarters is restricted to providing two critical services to the depositors of that bank:
• Access to balance information for all accounts.
• Capability to transact (access funds) against those balances.

For this, we assumed that:
• Our systems were hit by a cyberattack and are now useless piles of silicon dust.
• Any data in those systems is now gone or unreliable.

Then we considered what various stakeholders would do, including customers, tellers, customer service personnel, regulators, etc. We addressed three important questions:
• How will we communicate with different customers?
• Who will make what decisions?
• What will we tell the media?

Your Disaster Recovery efforts will likely require buying new computers, setting them up from scratch and re-implementing your networks, etc. This will take time. DR plans will have you ready for business as usual. But, for that to happen, you must still have a business. This is why you need a cyber resilience plan, like what the Sheltered Harbor community has outlined. It will buy you the time needed to survive.

Resilience planning is not a technology project. With a few hundred participating financial institutions, we have learned that resilience planning must come from the top, because it will be driven by significant decisions and agreements made by the C-Suite. It protects against an existential threat and requires critical business decisions that cannot be made during an attack.

The Sheltered Harbor community determined, and the US financial regulators have confirmed that any institution that does not have an established plan for this kind of event will not survive. Survival requires too much that must have been completed before the event. We’ve published over a dozen guides to help your organization work through what could be months of preparation to survive a devastating cyberattack. It can be done, but it takes time and effort to become resilient. It’s never too early to start cyber resilience planning.

Let’s imagine a small sample of what a General Quarters drill could look like for a typical bank. Here’s the backdrop. We are under attack. Customers are arriving at our branches in droves and phones are ringing off the hook. Twitter is alight with customers, media and countless unreliable or fake posts.

Nobody in the organization is yet sure what happened, and our staff has no clue when they will restore operations. We decide to sound General Quarters (activate the Sheltered Harbor Resilience Plan). It will look something like this.

Executive War Room
Once the Sheltered Harbor resilience plan has been activated, our bank gives our customers access to their balances and allows them to transact on the interim platform. One of the first things that our resilience plan should consider is:

• How will we communicate with our staff in this scenario? Not all communication channels may be available, and you want everyone to get common directions.
• How will we maintain command and control in this new environment?
• Who needs to be in the war room, and who needs to be in other places?

Branch Office
Since this scenario is rehearsed, our branch managers and tellers know exactly how they will access the restoration platform, and what manual processes, if any, they need to employ while the bank is in the Sheltered Harbor mode.

These plans include supplies for maintenance of memos to be recorded against accounts.
They should know if any limits apply to cash distributions during the event.

Public Relations
Our PR team opens their crisis communications playbook and starts executing the Sheltered Harbor communications plan. A pre-approved general communication is released to the media, explaining the bank is experiencing the effects of a cyberattack and has instituted a well-rehearsed plan to ensure customers have access to their funds. Other members of the team spread the word through social media about the bank’s preparations for such an event, as well as providing some idea of when customers will have access to their accounts. This team already has a series of prepared communication related to the progress of the resilience plan, each intended to convey more assurance to customers and more specific details about how they will access their accounts and funds. These communications are released through pre-approved channels on a defined schedule.

ATM Machine
If we do not own the ATM network (and therefore it is separate from whatever impacted our critical systems), it’s probably safe to expect that the ATMs will continue to operate as normal during this event. However, the ATM network accesses and refreshes account balances with our core processing systems, which are unavailable. The good news is these networks are accustomed to operating independently at times, under what are called stand-in instructions. This could give us a short reprieve from disaster, but only if we have established proper stand-in instructions for this scenario. These networks expect an overnight refresh of balances with your production systems. If those systems are not available, you will need to have them connect with your interim platform for the duration of this Sheltered Harbor event.

Your ATM Network Manager will need to contact your ATM Network Provider and initiate the transfer of your balance-keeping to the Restoration Platform, so that the ATMs will continue to work until you revert to your normal systems.

Regulatory Relations
Our designated Regulatory Relations Executive will meet with their primary regulator and make them aware of your Sheltered Harbor Resilience Plan being activated and confirms timeframes to regularly touch base during this incident. This executive will be in regular contact with all relevant regulators, as these plans were discussed with the regulator before this event. The pace and content for these discussions will be well understood.

US financial regulators have indicated their preference to keep their hands off during such a scenario, and let the institution recover with support from the rest of the financial sector, provided such a resilience plan exists. They have also indicated that, in the absence of such a plan, they will not have the flexibility to stand back.

Call Center
If we have a contracted service provider, we must make them aware that they need to go to their Sheltered Harbor playbook and use it until further notice. If this is our own staff, we may have to do a few other things to ensure they can work, even without their normal systems.

Call center representatives will have different scripts for this scenario. First, they will restrict their communication to echoing the general communications broadcasted by the PR team. As the restoration platform comes online with customer account information, the Call center will have new communication capabilities, provided they can verify the identity of customers looking for more information about their accounts. Call center staff will need to know how to access account information that is now available on the restoration platform.

Cash Management
The Treasurer will immediately contact funding sources, including possible non-standard alternates, to make them aware of the bank’s resilience state. Alternative cash distribution and forecasting models may be employed. The plan for liquidity and funding during a Sheltered Harbor event will be executed by the treasury function of the bank. This may

include restricting the amount or percentage of balances that can be withdrawn by different customer groups.

This is just a sampling of the functions to be covered by your cyber resilience plan. Every detail must be preplanned and rehearsed, so that when we sound general quarters, we can survive the devastating event. For any of the actions described above to be possible, extensive planning, testing and eventual training is needed.

For everyone to react as needed to a general quarters drill, all their actions must have been:
• Anticipated
• Planned
• Designed
• Implemented / Negotiated
• Tested
• Rehearsed
• Automatic

This is what it means to do Sheltered Harbor Resilience Planning. Everyone who can help the organization survive a debilitating cyberattack must have a clear understanding of what they will do on short notice. Sheltered Harbor has a final certification for organizations who can demonstrate these capabilities. We call it Sheltered Harbor Cyber Resilience Certified.




Carlos Recalde - President

Carlos Recalde, President & CEO
Insights into resilience against severe but plausible events, as defined by leading U.S. financial firms