On May 10, 2016, the United States Department of Treasury (Treasury) became the latest federal agency to highlight the importance of cybersecurity in the financial services industry. In its white paper, which follows last year’s request for information to the online marketplace lending industry, Treasury addressed the opportunities and challenges of technological advancements and data availability that have driven change to the way in which consumers and businesses secure financing.
Although not the focus of its white paper, Treasury cited cybersecurity as an important concern for “all types of firms in the financial sector,” and offered guidance on best practices for the myriad players in the online lending ecosystem, including:
These core recommendations echo the cybersecurity frameworks and guidance issued by many financial sector regulators over the past 18 months. For example, in February 2015, the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) issued reports following extensive industry investigations, which detailed common pitfalls and best practices in cybersecurity for the brokerage and advisory sector. The Federal Financial Institutions Examination Council (FFIEC) followed in June 2015 by unveiling its long-anticipated cybersecurity assessment tool (CAT) to assist financial institutions in identifying and assessing risks, weaknesses, and overall maturity levels of their enterprise cybersecurity programs, and in preparation for regulator examinations. Then in October 2015, the SEC announced its first cybersecurity enforcement action against an investment adviser, and promised a second round of investigations by the Office of Compliance Inspections and Examinations (OCIE) to focus on cyber issues.
Firms involved in online marketplace lending are well advised to take Treasury’s note as an early signal that investigations and enforcement in this innovative space are around the corner. Moreover, industry should prepare for the significant likelihood that the scrutiny will focus not only on traditional financial institutions, but also on the diverse array of entities in the online lending ecosystem, including marketing companies, payment processors, loan servicers, credit scoring agencies, and data analytics shops. Companies need look no further than the Consumer Financial Protection Bureau’s recent enforcement proceeding against Dwolla, Inc., an online payments processor, as evidence that regulators are laser-focused on all of the players within the industries they regulate.
Developing an incident response plan and a threat information-sharing protocol are good places to start, but they are by no means sufficient. A comprehensive and effective cybersecurity program requires a blend of administrative, physical and technical safeguards and processes, many of which are laid out in recent guidance from the SEC and FINRA, and others that are the focus of the FFIEC’s CAT, and include (at a minimum):
Financial sector regulators have taken the lead in developing useful frameworks and best practices to guide the industry, but as new technologies and connectivity converge in online marketplace lending, being “prepared” will require continued diligence and investment.