On May 10, 2016, the United States Department of Treasury (Treasury) became the latest federal agency to highlight the importance of cybersecurity in the financial services industry. In its white paper, which follows last year’s request for information to the online marketplace lending industry, Treasury addressed the opportunities and challenges of technological advancements and data availability that have driven change to the way in which consumers and businesses secure financing.
Although not the focus of its white paper, Treasury cited cybersecurity as an important concern for “all types of firms in the financial sector,” and offered guidance on best practices for the myriad players in the online lending ecosystem, including:
- Establishing baseline cybersecurity programs that are oriented to the firm’s particular threat landscape to protect consumers and reduce cyber risk.
- Developing “detailed” cybersecurity incident response and recovery plans that identify the roles and responsibilities of key stakeholders, including the board and management, regulators, law enforcement, vendors and customers.
- Developing cyber threat information sharing relationships and protocols, including through the Financial Services Information Sharing and Analysis Center (FS-ISAC).
These core recommendations echo the cybersecurity frameworks and guidance issued by many financial sector regulators over the past 18 months. For example, in February 2015, the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) issued reports following extensive industry investigations, which detailed common pitfalls and best practices in cybersecurity for the brokerage and advisory sector. The Federal Financial Institutions Examination Council (FFIEC) followed in June 2015 by unveiling its long-anticipated cybersecurity assessment tool (CAT) to assist financial institutions in identifying and assessing risks, weaknesses, and overall maturity levels of their enterprise cybersecurity programs, and in preparation for regulator examinations. Then in October 2015, the SEC announced its first cybersecurity enforcement action against an investment adviser, and promised a second round of investigations by the Office of Compliance Inspections and Examinations (OCIE) to focus on cyber issues.
Firms involved in online marketplace lending are well advised to take Treasury’s note as an early signal that investigations and enforcement in this innovative space are around the corner. Moreover, the industry should prepare for the significant likelihood that the scrutiny will focus not only on traditional financial institutions, but also on the diverse array of entities in the online lending ecosystem, including marketing companies, payment processors, loan servicers, credit scoring agencies, data analytics shops, etc. Companies need look no further than the Consumer Financial Protection Bureau’s recent enforcement proceeding against Dwolla, Inc., an online payments processor, as evidence that regulators are laser-focused on all of the players within the industries they regulate.
Developing an incident response plan and a threat information-sharing protocol are good places to start, but they are by no means sufficient. A comprehensive and effective cybersecurity program requires a blend of administrative, physical and technical safeguards and processes, many of which are laid out in recent guidance from the SEC and FINRA, and others of which are the focus of FFIEC’s CAT. At a minimum, these include:
- Defining a governance framework that supports intelligent, fact-based decision making by senior management and/or the Board that is based on risk appetite and assessment.
- Identification and inventory of data (including the flow of such data through the enterprise and its uses) and physical assets that access the company’s network.
- Defense-in-depth strategies that rely on overall network architecture and individual controls, with emphasis on identity and access management policies, data encryption, and carefully scoped penetration testing.
- Cybersecurity standards for, and assessments and due diligence of, vendors, from inception and throughout the lifecycle of the engagement.
- Employee training that includes interactive sessions, is regularly refreshed, and is indexed to the particular cybersecurity risks of the enterprise, along with regular tests of employee awareness, such as mock phishing exercises.
- Cyber insurance that provides coverage for key risks, as identified by the company through the above assessments.
Financial sector regulators have taken the lead in developing useful frameworks and best practices to guide the industry, but as new technologies and connectivity converge in online marketplace lending, being “prepared” will require continued diligence and investment.