My builder used to love to say that there were two kinds of concrete: concrete that has cracked and concrete that will crack. The same could be said about financial institutions: There are those that have been hit by a cyberattack and those that will be hit by a cyberattack. The difference is whether they’ll be prepared when the attack comes.
According to the International Monetary Fund, the financial sector is a high-value target for cyberattacks, with attacks on financial institutions accounting for nearly one-fifth of the total. Over the past 20 years, 20,000 cyberattacks have cost the financial sector $12 billion in losses.
Last November, just one ransomware attack caused outages at 60 credit unions across the United States, shutting down operations and cutting off members’ access to their funds. At the time, it was estimated that the outage affected approximately $912 million in aggregate assets and 93,000 members. It took more than two weeks to get systems back online and operational.
For members who couldn’t access their accounts, those two weeks were an eternity.
At Q2, we are best in class in terms of protecting our customers' data by constantly investing in evolving technology and practices. That’s why we’re so proud and honored to be the first non-bank, non-broker, non-core service provider to achieve certification for Sheltered Harbor’s Data Vaulting Process.
Sheltered Harbor is a not-for-profit subsidiary of the Financial Services Information Sharing and Analysis Center, set up by the industry following the Sony Pictures hack in 2014. Carlos Recalde, president and CEO of Sheltered Harbor, recently told me that the hack was “a wake-up call and a recognition that it doesn't matter how big or sophisticated you may be, the possibility of a cyberattack having very significant consequences is really right around the corner.”
Recalde explained that Sheltered Harbor was born when 33 private financial services companies and industry associations came together after the Sony attack with the goal of maintaining public confidence in the event that a financial institution was operationally wiped out by a cyberattack.
Their goal was to make sure that banks and credit unions could recover from a disaster and offer critical services to their end users as quickly as possible—even before the systems are restored. Working groups made up of subject matter experts developed standards for how to ensure data recovery. These standards have already been adopted by hundreds of organizations, and Sheltered Harbor continues to promote their adoption across our industry.
The standards are made up of three pillars: data vaulting, resilience planning and certification.
In keeping with our commitment to continuously innovate and lead our industry, Q2 is the first digital banking service provider to achieve certification using the Data Vaulting Process specifications.
The data vault is a concept that can be implemented in multiple ways, but it has to have specific characteristics. The data in the vault must be immutable, meaning it can’t have been modified since it was put in the vault—because if it was touched, it’s suspect. It has to be air-gap isolated: the vault itself must be decentralized and separate from the organization’s infrastructure, production systems and all backups. And the data must be survivable and accessible.
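As an added illustration of the immutability requirement (this is example code, not Sheltered Harbor's specification or Q2's implementation): at vault-write time a manifest of content hashes is sealed with a key held apart from production, and at recovery time any object that no longer matches its recorded hash is reported as suspect. The key, file names and records below are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample data standing in for the objects a vault snapshot would hold.
SAMPLE_RECORDS = {
    "accounts.csv": b"acct_id,balance\n1001,250.00\n1002,90.50\n",
    "members.csv": b"member_id,name\n1,Example Member\n",
}

# Assumption: the sealing key lives with the vault, never on production systems.
VAULT_KEY = b"constructed-demo-key-kept-offline"


def build_manifest(records, key):
    """Write time: hash every object and seal the hash list with an HMAC."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(records.items())}
    payload = json.dumps(digests, sort_keys=True).encode()
    seal = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"digests": digests, "seal": seal}


def verify_vault(records, manifest, key):
    """Recovery time: return the reasons the snapshot is suspect (empty list = clean)."""
    problems = []
    # A manifest that has been altered fails its seal before any object is examined.
    payload = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["seal"]):
        problems.append("manifest seal mismatch")
    # Every recorded object must be present and byte-for-byte unchanged.
    for name, digest in manifest["digests"].items():
        if name not in records:
            problems.append(f"missing object: {name}")
        elif hashlib.sha256(records[name]).hexdigest() != digest:
            problems.append(f"modified object: {name}")
    # Objects that were never recorded are treated as suspect too.
    for name in records:
        if name not in manifest["digests"]:
            problems.append(f"unexpected object: {name}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS, VAULT_KEY)
    print("clean snapshot:", verify_vault(SAMPLE_RECORDS, manifest, VAULT_KEY))
    tampered = dict(SAMPLE_RECORDS, **{"accounts.csv": b"acct_id,balance\n1001,0.00\n"})
    print("tampered snapshot:", verify_vault(tampered, manifest, VAULT_KEY))
```

The same check, run against a restored copy of the vault on a schedule, is the kind of recovery and verification exercise that the "survivable and accessible" requirement calls for.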
The certification process itself was rigorous and required us to follow a 50-page document, implement stringent backup hygiene and meet additional criteria. We then had our external auditor RSM certify the solution we’d implemented.
We understand that in a complex security landscape, there is no single solution that guarantees a secure environment, which is why we place a premium on layers of security and defense in depth. Our Sheltered Harbor Data Vault provides us additional assurance against ransomware incidents and gives us additional disaster recovery and business continuity capabilities to recover services in a tertiary location if we choose to do that.
“By implementing Sheltered Harbor’s resilience standards, Q2 has taken additional measures to protect their customers, business and the industry from cyber threats,” Recalde told me. “The company has proactively planned to survive a crisis—such as a zero-day cyberattack—including the corruption, destruction and/or loss of critical data.”
In order to maintain our certification, Q2 must have annual independent audits to ensure we’re complying with the robust standards, conduct annual data recovery and verification tests, and undergo independent assessments to prove that our resilience plans are in place and that we are fully prepared for a cyberattack or other catastrophic event. Our certification and audit reports will be published on the Q2 Customer Portal.
Q2 is committed to delivering continuous innovation to our customers—not only in features and functions but also in how we protect and secure our customers’ data. By partnering with Q2, our customers can be confident that their data is being protected—now more than ever.