P2P Investment Platforms and Information Security

Investing money via an online platform is easy and
convenient. The more easy to use an online service is, the greater the likelihood that it has some security gaps.

Security / Functionality / East-of-Use triad – the more you focus on one of the corners, the more “neglected” will the others bee

I´ve compiled a set of questions to broadly assess how P2P investment platforms are considering Information Security as part of their business. These questions were sent to the 4 P2P investment platforms that I currently invest in. Here is where you can find the questions and you can read the results below.

Disclaimer
This assessment has been completed with the sole purpose of objectively assessing the platforms in which I´ve invested to understand how trustworthy they are from an information security perspective. These interactions have been graded based on 3 factors. 1) time-span required for the platforms to deliver the questionnaire or some clear answers, 2) number of follow-up attempts required to that information and 3) the actual responses to the questionnaire. The purpose is not to directly promote one platform over another but to show the objective results of the assessment. I have not received any compensation for doing this.

P2P Investment Platform Security assessment Results

Mintos

  • First email sent – 04-02-2019
  • Number of follow-ups (additional email/call after my last one was not answered) – 5 out of which 1 phone call
  • Questionnaire received – no
  • Other – still pending a clear answer to the questions, last email reply was on 22-05-2019 and last phone call was 30-05-2019

Envestio

Image result for envestio logo
Envestio – latvian Based P2P lending platform for businesses and real-estate
  • First email sent – 04-02-2019
  • Number of follow-ups (additional email/call after my last one was not answered) –
  • Questionnaire received – no
  • Other – received an indirect answer to the questions on email on 06-02-2019 . I have offered a free, objective and fully confidential security assessment but the platform declined

Robocash

Robocash – originally Latvian based P2P lending platform, having itself registered as a Croatian entity
  • First email sent – 04-02-2019
  • Number of follow-ups (additional email/call after my last one was not answered) – 1
  • Questionnaire received – yes, on 06-03-2019
  • Other – very open to the initiative

Crowdestor

Crowdestor – Estonian based P2P lending platform for business and real-estate
  • First email sent – 04-02-2019
  • Number of follow-ups (additional email/call after my last one was not answered) – 3 on email, 1 phone call
  • Questionnaire received – yes, on 19-04-2019
  • Other – open to the intiative

Conclusion

P2P investment platforms do not expect information security and privacy queries from their investors and are not readily prepared to answer them, requiring at least a month to deliver an answer. They are focused on supporting investors and running their operations, losing oversight of underlying technical and process risks.

Robocash was the platform with the best response, in terms of speed and answers while Mintos had the worst response in terms time-span and number of follow-up attempts required to get an answer.

Subjective comments


It´s understandable that the focus is not on security. Historically speaking and based on human nature, we don´t really care about health or security until it bites us in the ass. When was the last time you did a proactive health check ? Probably never, because you hate going to the doctor. Or an information security check on your critical online accounts and information ? Chances of doing that are even lower here.

There haven´t been any (known) data breaches or cyber attacks on these platforms until now, so the assumption is that ¨it cannot happen to them¨ . Major data breaches and cyber attacks have been news headlines in the past years, in virtually any kind of business but still, most people (and business) do not think of being proactive until it´s actually too late.

I feel that platforms need to consider security risk management as part of their business. From a CEO perspective, it´s hard to justify the cost of allocating his scarce resources to something like this, when there´s no clear precedent in their vertical or a monetary value associated with this. Reason why I wrote about the security risks of using P2P Investment platforms, seen from both the platform and the investor perspective.

For P2P investment platform representatives : I offer free risk , objective and confidential assessments, either in person or over video call. Yes, you don´t have to pay money for this, just attention. But as seen above, some companies prefer not to take advantage of such offer, probably because of fear of bad publicity over their current practices.

Why ? Because I like the idea of P2P investment platforms and I want to make sure that we, as investors, and platform owners are aware of the security risks behind them and how they can be mitigated.

Print Friendly, PDF & Email