Treasury Cites Cyber Challenges for Online Marketplace Lending Industry

May.19.2016

On May 10, 2016, the United States Department of Treasury (Treasury) became the latest federal agency to highlight the importance of cybersecurity in the financial services industry. In its white paper, which follows last year’s request for information to the online marketplace lending industry, Treasury addressed the opportunities and challenges of technological advancements and data availability that have driven change to the way in which consumers and businesses secure financing.

Although not the focus of its white paper, Treasury cited cybersecurity as an important concern for “all types of firms in the financial sector,” and offered guidance on best practices for the myriad players in the online lending ecosystem, including:

Establishing baseline cybersecurity programs that are oriented to the firm’s particular threat landscape to protect consumers and reduce cyber risk.
Developing “detailed” cybersecurity incident response and recovery plans that identify the roles and responsibilities of key stakeholders, including the board and management, regulators, law enforcement, vendors and customers.
Developing cyber threat information sharing relationships and protocols, including through the Financial Services Information Sharing and Analysis Center (FS-ISAC).

These core recommendations echo the cybersecurity frameworks and guidance issued by many financial sector regulators over the past 18 months. For example, in February 2015, the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) issued reports following extensive industry investigations, which detailed common pitfalls and best practices in cybersecurity for the brokerage and advisory sector. The Federal Financial Institutions Examination Council (FFIEC) followed in June 2015 by unveiling its long-anticipated cybersecurity assessment tool (CAT) to assist financial institutions in identifying and assessing risks, weaknesses, and overall maturity levels of their enterprise cybersecurity programs, and in preparation for regulator examinations. Then in October 2015, the SEC announced its first cybersecurity enforcement action against an investment adviser, and promised a second round of investigations by the Office of Compliance Inspections and Examinations (OCIE) to focus on cyber issues.

Firms involved in online marketplace lending are well advised to take Treasury’s note as an early signal that investigations and enforcement in this innovative space is around the corner. Moreover, industry should prepare for the significant likelihood that the scrutiny will focus not only on traditional financial institutions, but also on the diverse array of entities in the online lending ecosystem, including marketing companies, payment processors, loan servicers, credit scoring agencies, data analytics shops, etc. Companies need look no further than the Consumer Financial Protection Bureau’s recent enforcement proceeding against Dwolla, Inc., an online payments processor, as evidence that regulators are laser focused on all of the players within the industries they regulate.

Developing an incident response plan and threat information-sharing protocol are good places to start, but they are by no means sufficient. A comprehensive and effective cybersecurity program requires a blend of administrative, physical and technical safeguards and processes, many of which are laid out in recent guidance from SEC and FINRA and others that are the focus of FFIEC’s CAT, and include (at a minimum):

Defining a governance framework that supports intelligent, fact-based decision making by senior management and/or the Board that is based on risk appetite and assessment.
Identification and inventory of data (including the flow of such data through the enterprise and its uses) and physical assets that access the company’s network.
Defense-in-depth strategies that rely on overall network architecture and individual controls, with emphasis on identify access management policies, data encryption, and carefully scoped penetration testing.
Cybersecurity standards for, and assessments and due diligence of, vendors, from inception and throughout the lifecycle of the engagement.
Employee training that include interactive sessions, regularly refreshed, and indexed to the particular cybersecurity risks of the enterprise, along with regular tests of employee awareness, such as with mock phishing exercises.
Cyber insurance that provides coverage for key risks, as identified by the company through the above assessments.

Financial sector regulators have taken the lead in developing useful frameworks and best practices to guide the industry, but as new technologies and connectivity converge in online marketplace lending, being “prepared” will require continued diligence and investment.

Author

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.