Andrew Beckett and William Rimington, managing directors at Kroll’s EMEA cyber risk practice, reveal the cybersecurity issues that peer-to-peer lending platforms must address
Peer-to-peer lending platforms need to take a more proactive approach to cyber risk management, according to Andrew Beckett (pictured left) and William Rimington (pictured right), managing directors at Kroll’s EMEA cyber risk practice. “We’ve worked with fintechs in the past who have employed incredibly talented people in their start-up years, but we have been able to drive a bus through their security,” says Rimington.
“Having a testing mentality from a functional design perspective is very different than having a functional design mentality. This is where our team comes in.”
Kroll, a division of Duff & Phelps, has been on the front line of cyber risk management for years. Last year, Rimington and Beckett helped more than 2,000 companies bolster their cybersecurity, and since the beginning of this year, Kroll has seen an increase in companies asking it to test their apps and platforms.
The normalisation of remote working is set to make cyber risk management an even higher priority for all companies – and P2P lending platforms should take note. “The P2P world might find the regulator is an awful lot more interested in the industry as a whole than it has been in the past,” says Rimington. “I know it’s something that the FCA hasn’t really focused on, so that regulatory environment might find itself shifting in order to keep transactions secure.”
The dangers of ineffective cyber risk management reach far beyond regulatory concerns. It is surprisingly easy for a hacker to access a company’s internal database through the smallest crack in the system. Furthermore, cyber-attacks are becoming more sophisticated. “It’s an arms race,” says Beckett.
“Hackers are always getting better at what they do and we’re trying to keep the industry at least equal to if not one step ahead of what’s coming down the track.
“That’s why it’s so important to have really robust teams working on it. Quite often, a lot of our work happens after an event because we’re mopping up after a breach. It’s good to see that we are more proactively engaged these days and I think that’s a sign that the industry recognises that there is a requirement to invest in constantly improving their security.”
“A lot of companies are still only using a simple password for access into email,” adds Rimington.
“Which is breakable – there are tools for brute-forcing passwords; in fact, they will deliver the password relatively quickly. And once you’re in the email you can begin to take over the account.
“You can legitimately use that account to send emails and that then manifests itself in what we call ‘business email compromise’ – for instance, requesting a diversion of funds into an unknown account. And that happens a lot. That is a multi-billion-pound industry.”
P2P lending platforms may be tech-savvy, but Kroll’s experience has shown that tech awareness is not enough. New cyber-attacks are happening all the time and the cost to the affected business can be enormous. The only way to avoid a cyber breach is to call in the experts.