Wall Street aims to thwart a hacking nightmare for 401(k) accounts

U.S. financial firms plan to expand a secretive project protecting bank accounts against crippling cyberattacks so that it will also guard trillions of dollars in investment funds.

The industry-led project, called Sheltered Harbor, already is known to back up data for savings and checking accounts. But quietly, it's wrapping in data on retail brokerage accounts at some of the nation's largest firms, according to participants. And ultimately, the goal is to expand it to an even heftier pool of 401(k) accounts and pension funds, whose breach could upend global markets.

Sheltered Harbor, which began coming to light over the past year, already includes about 50 firms that collectively hold roughly two-thirds of retail bank accounts. The project relies on a "buddy system," in which companies pair off, promising to step in for their partner with a backup set of account information if hackers succeed in erasing or locking up files.

The idea came in 2014 after hackers ravaged Sony Corp.'s U.S. film unit, deleting troves of data while leaking upcoming movies and embarrassing emails. But in this case, the global financial system is at stake.

"Being able to restore a network quickly is one of the most crucial elements for coping with cyberbreaches and increasing resilience," said Edward Stroz, co-founder and co-president of Stroz Friedberg, a cybersecurity firm. "Sheltered Harbor is the financial industry's way of showing how it can perform disaster recovery and thus maintain consumer confidence."

After the Sony attack, bankers conducting periodic cybersecurity exercises realized that a similar assault, even on a relatively small firm, could damage confidence in the financial system. One worry is that consumers could be spooked by a severe attack on one bank, then rush to pull funds from their own institutions, setting off a sweeping run. A similar scenario could play out with securities accounts.

Sheltered Harbor's members include the nation's largest lenders, such as J.P. Morgan Chase, Bank of America and Citigroup, as well as U.S. regional banks and some smaller firms (other names are secret like many other details). It's a subsidiary of the Financial Services Information Sharing and Analysis Center, whose nearly 7,000 members range from multitrillion-dollar asset managers like State Street Corp. to retirement plan providers, insurers and other financial firms of all sizes.

Though a number of big firms have kept daily backups stored in secret mountain hideouts for years, that's not much help without a functioning network. So, Sheltered Harbor's members use a standard format to back up account data and collaborate with a partner company that can take over in an emergency.

If one company's computer system is devastated, the backup account data can be activated on the partner's network, giving affected customers access to their accounts within 24 hours or so. Pairs are tasked with carrying out periodic exercises, using sample data to ensure they can recreate the other's services.

The hope is that a stricken bank would soon restore its systems — hopefully within a few days — and resume control of its accounts.

The aim is to prevent a stampede of retail clients. There's no plan to expand Sheltered Harbor to wholesale, institutional clients of the firms, according to executives.

For the largest banks, whose institutional client businesses are probably just as large and important as their vast retail networks, the danger is that a disruption would still irreparably harm the company's reputation and business. But the point is to guard the broader financial system.

In fact, some executives see Sheltered Harbor as a tool for resolution not recovery — as the regulators unwind the firm that has collapsed due to a cyberattack, its partner can provide access to retail accounts quickly.

"Sheltered Harbor doesn't address the operational resiliency of member firms," said Trey Maust, who became CEO of the industry-funded operation this week. "Firms have their own continuity plans, and those typically address how to get back on one's feet after such a disruption quickly without losing clients or business."

Because some of the largest banks in the group operate major retail brokerages, data for those accounts already are included in the backups. Yet, organizers are still working out how to provide continuity for those operations.

Offering basic payments capabilities for checking and savings accounts is relatively straightforward. But practices vary among firms for helping brokerage clients buy and sell equities, fixed-income products and other instruments — making it much more complicated.

"You could have two different partners, one for your checking and savings accounts restoration, one for your brokerage accounts," said Sheltered Harbor's Mr. Maust. "But both partners need to have transaction capability."