I asked 15 P2P Lending Platforms About their Security Practices and their Answers were Unsatisfactory

Following up on the initial article written on how P2P Investment platforms handle Information Security and on the P2P Investment platform Security Risks , I’ve asked 15 of these platforms about their Security practices in connections to these risks.

<!– more –>

Information Security is not something on the platforms mind

Or at least the flow of information about this topic is not considered.

Clear signs are simply not responding, evading direct answers or refusing to share information based on its confidentiality.

Sure, it would be irresponsible to share information to the public that can be used to harm your business. And I did not ask that. I simply asked to describe their security measures and I have also offered to sign any kind of confidentiality agreement. Not even 1 platform that evaded the answers considered asking me for any background info or any kind of confidentiality clause to sign.

In case you were wondering what are the questions, this was done based on the P2P Lending Platform Security Assessment Form version 2.0 (includes link to the questionnaire on Google Sheets)

It included ridiculous answers !

” At the moment, we comply with all data protection and safety regulations. ”

Why is it ridiculous ? Because it cannot be reasonably justified and it’s intended to evade . No proof was given because “ it is internal information ” . Simply put, the person answering this had no idea what such an answer implies.

If a company were to comply with all data protection and safety regulations (on the planet ?! ), that company would have to dedicate so many financial and human resources that their business might not even stay afloat. Or they are a huge corporation that can afford it.

If the platform were to comply with all data protection and safety regulations APPLICABLE to them, then it’s easy – because P2P platforms are not financially regulated as banks – so they do not need to comply with anything but EU personal data protection law. And given GDPR, I highly doubt that they can prove compliance without actual proof.

Chart 1 – rating of the answers received from the platforms

Some platforms did not answer, not even after 4 weeks!

It started on August 12th 2019, after which I had a weekly follow-up. I’m still waiting for more than 1/3 of the platforms to answer.

Chart 2 – status of the answer

The 15 platforms are :

  • Mintos
  • Crowdestor
  • Envestio
  • Robocash
  • Twino
  • Grupeer
  • ViaInvest (did not answer)
  • Bulkestate
  • Housers (did not answer)
  • Bandora
  • Viventor (did not answer)
  • Kuetzal (did not answer)
  • Crowdestate
  • FastInvest (did not answer)
  • Swaper ((did not answer)

(Assumed) Reasons for this are diverse :

  1. they don’t do anything / too much / don’t know about security so why bother answer because that will make them look bad
  2. the one getting message did not understand or did not knew how to get the answers, so they just dropped it
  3. it would have taken too long to get all the answers from relevant stakeholders in the company, so they just dropped it thinking it doesn’t really matter

If the platforms receive questions like this more often, that will simply force out #2 and #3 out of the equation, because there will be a greater need for it.

On the external side (the investor asking the questions side) it gives an impression of lack of professionalism which in turn leads to a lack of trust.

“We have the best security and we don’t need to prove it. Nor can we allow you to check it so just trust us!”

No platform said the above directly. Almost all platforms said it indirectly.

Seeing the types of answers I was receiving, I offered platforms a free assessment on their security posture, after which they would receive an objective report, meant only for their eyes and giving them clear indications on where they are and what are the recommended next steps to improve. With any kind of confidentiality clauses required. With no strings attached whatsoever.

I simply wanted to discuss in details how do they truly handle information. This is coming from the position of an investor willing to trust my funds and information to them but also as a security professional that wants to improve the overall security posture of companies online.

Chart 3 – status of security assessments

I didn’t even get to suggest this to those that have not answered at all, reason why there is much less data here to showcase in the chart.

From those that have had this proposed, all have declined, except 2 that have expressed their curiosity about it (that does not mean it will actually happen).

1 has been promising to connect me with the relevant stakeholders for about 3 months, even after talking directly with their several members of their senior management.

Chart 3 description

  • refused – the platform clearly stated that they are not interested, usually basing the answer on “other priority tasks
  • pending – the platform has expressed their curiosity about it, but there is nothing scheduled. It has been by the platform to “look into it after X will happen” or that “they will get back to me

How Was this Rated

1) Time to respond – this shows the attention they give to inquiries as well as how prepared are they in regards to questions on Information Security

Time from when the questions when answered until the moment of writing and the charts is 4 weeks. The following explains Chart 2.

  • Yes – they have answered within 4 weeks
  • Pending – the platform stated that they will get back to me
  • No – the platform has not answered, not even after 4 weeks of constant follow-up

2) Quality of the Answers, which in turn is based on how direct or evasive is the answer, how likely is it to be true, how much is this considered with business or tech in mind.

The following explains Chart 1

  • Good – the platform responded fast and had a comprehensive answer that seem truthful
  • Satisfactory – the platform responded relatively fast and the answer was good enough to show that Security and Privacy is considered
  • Unsatisfactory – the platform responded very slowly and the answers seemed very evasive or most likely not true. Those that have not answered or have had their first answer after more than 3 weeks, have automatically been rated as unsatisfactory. If it takes that long to simply acknowledge a ticket, then the platform has bigger operational issues than information security.
  • Ridiculous – the answers did not make sense technically or could not be reasonably justified

Concluding for Investors

Information Security is a topic that is clearly on the mind of some platforms while others do not really understand its importance.

There are multiple dimensions to building trust. Since the platforms operate mostly online, they are subject to information security and privacy risks. If these platforms do not consider these risks as part of their business, they simply are not professional enough.

Stop assessing a platform by its external appearance and how shinny it is and start looking into what really matters – how information is handled.

You don’t necessary have to be information security professionals to question the platforms on this subject. Having more and more investors use the P2P Lending Platform Security Assessment Form version 2.0 (includes link to the questionnaire on Google Sheets) when assessing a platform trustworthiness will force the platforms to give the attention necessary to this subject.

This will not guarantee that the platforms will actually answer truthfully. Nor if the answer seem ” legit enough ” does not mean that is a clear guarantee that their security is pitch-perfect. Public scrutiny (from investors) and the data breaches that will come will eventually push the maturity level upwards.

Ideally, platforms would have an information security audit report from an objective and reputable 3rd party just like (some of) them have their financial report.

Concluding for Platforms

Like with any other industry vertical, companies avoid doing proactive efforts in regards to information security thinking it’s a waste of money. And companies will keep doing this until one of them goes out of business because of a security incident.

Or lose a lot of money. Remember the ransomware case with Maersk causing 200 $ million losses ?

Taking the steps to considering these concerns as concrete business risks rather than “technical issues” will earn the trust of your investors even more and will assure safer operations in an increasingly unsafe digital environment.

Compliance vs actual security ? My goal is not to understand if the platform is compliant,but if the platform properly handles information security risks. And that does not mean to be 100% secure, which is impossible anyway. Compliance is known to be just a tick-box but has proven to not necessary be a blocker for data breaches.

A conscious and structured risk-based approach to this subject will make the platforms life easier (as in, more cost effective) on the long run.

PS – thanks to Financial bloggers Ferry from financielevrijheid.blog and Georg from CrowdLendingrocks.eu for providing feedback on the article before posting.