Treasury Cites Cyber Challenges for Online Marketplace Lending Industry

On May 10, 2016, the United States Department of Treasury (Treasury) became the latest federal agency to highlight the importance of cybersecurity in the financial services industry.  In its white paper, which follows last year’s request for information to the online marketplace lending industry, Treasury addressed the opportunities and challenges of technological advancements and data availability that have driven change to the way in which consumers and businesses secure financing.

Although not the focus of its white paper, Treasury cited cybersecurity as an important concern for “all types of firms in the financial sector,” and offered guidance on best practices for the myriad players in the online lending ecosystem, including:

  • Establishing baseline cybersecurity programs that are oriented to the firm’s particular threat landscape to protect consumers and reduce cyber risk.
  • Developing “detailed” cybersecurity incident response and recovery plans that identify the roles and responsibilities of key stakeholders, including the board and management, regulators, law enforcement, vendors and customers.
  • Developing cyber threat information sharing relationships and protocols, including through the Financial Services Information Sharing and Analysis Center (FS-ISAC).

These core recommendations echo the cybersecurity frameworks and guidance issued by many financial sector regulators over the past 18 months.  For example, in February 2015, the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) issued reports following extensive industry investigations, which detailed common pitfalls and best practices in cybersecurity for the brokerage and advisory sector.  The Federal Financial Institutions Examination Council (FFIEC) followed in June 2015 by unveiling its long-anticipated cybersecurity assessment tool (CAT) to assist financial institutions in identifying and assessing risks, weaknesses, and overall maturity levels of their enterprise cybersecurity programs, and in preparation for regulator examinations.  Then in October 2015, the SEC announced its first cybersecurity enforcement action against an investment adviser, and promised a second round of investigations by the Office of Compliance Inspections and Examinations (OCIE) to focus on cyber issues.

Firms involved in online marketplace lending are well advised to take Treasury’s note as an early signal that investigations and enforcement in this innovative space are around the corner.  Moreover, industry should prepare for the significant likelihood that the scrutiny will focus not only on traditional financial institutions, but also on the diverse array of entities in the online lending ecosystem, including marketing companies, payment processors, loan servicers, credit scoring agencies, data analytics shops, etc.  Companies need look no further than the Consumer Financial Protection Bureau’s recent enforcement proceeding against Dwolla, Inc., an online payments processor, as evidence that regulators are laser focused on all of the players within the industries they regulate.

Developing an incident response plan and a threat information-sharing protocol are good places to start, but they are by no means sufficient.  A comprehensive and effective cybersecurity program requires a blend of administrative, physical and technical safeguards and processes, many of which are laid out in recent guidance from the SEC, FINRA and others, and which are the focus of FFIEC’s CAT.  At a minimum, these include:

  • Defining a governance framework that supports intelligent, fact-based decision making by senior management and/or the Board that is based on risk appetite and assessment.
  • Identification and inventory of data (including the flow of such data through the enterprise and its uses) and physical assets that access the company’s network.
  • Defense-in-depth strategies that rely on overall network architecture and individual controls, with emphasis on identity and access management policies, data encryption, and carefully scoped penetration testing.
  • Cybersecurity standards for, and assessments and due diligence of, vendors, from inception and throughout the lifecycle of the engagement.
  • Employee training that includes interactive sessions, regularly refreshed and indexed to the particular cybersecurity risks of the enterprise, along with regular tests of employee awareness, such as mock phishing exercises.
  • Cyber insurance that provides coverage for key risks, as identified by the company through the above assessments.

Financial sector regulators have taken the lead in developing useful frameworks and best practices to guide the industry, but as new technologies and connectivity converge in online marketplace lending, being “prepared” will require continued diligence and investment.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick - Trust Anchor | Attorney Advertising
