LendingClub reinforces its cyber defenses

Register now

LendingClub has added a layer of security to protect its data and applications from cyberattacks.

The online lender is using software from Accurics that is meant to help technology teams secure the code that manages their IT infrastructure.

LendingClub, which has been hard hit by the coronavirus crisis and recently laid off 460 employees (nearly a third of its staff), strengthened its defenses at a time when hackers are stepping up their efforts to break into banks through phishing and other attacks.

Financial services firms were already struggling to fend off hackers before the coronavirus pandemic.

In 2019, 6.5% of all breaches were suffered by financial services firms, according to a report from Bitglass that compiled data from the Identity Theft Resource Center and the Ponemon Institute. That is a relatively small figure.

But 61.7% of all leaked records came from financial firms. This is largely due to the Capital One-Amazon Web Services breach last year, which exposed 100,436,121 records.

Paolo Montini, chief data officer and head of cyber risk management, LendingClub
“In financial services, compliance and cybersecurity are always the biggest risks we have,” says Paolo Montini, chief data officer and head of cyber risk management at LendingClub. “We are always looking for ways and solutions to get ahead as much as possible in making sure that we manage them.”

“While financial services firms are not breached particularly often, their breaches tend to be much larger and more detrimental than those experienced by companies in other industries,” the report stated.

The Capital One-AWS breach shone a spotlight on the security challenges of keeping data in a public cloud, which is what LendingClub is addressing with its new software.

What LendingClub is doing

“In financial services, compliance and cybersecurity are always the biggest risks we have,” said Paolo Montini, chief data officer and head of cyber risk management at LendingClub. “We are always looking for ways and solutions to get ahead as much as possible in making sure that we manage them.”

LendingClub is subject to the strict cybersecurity requirements in California’s data privacy rules and New York’s cybersecurity law.

Montini works with LendingClub’s chief information and information-security officers to come up with controls to safeguard the company's data.

When applications run on a cloud, the infrastructure is more complex and there are more points of entry hackers can try to break through.

Montini recently deployed software from Accurics that acts kind of like a security guard for all of LendingClub’s software wherever it runs, whether internally or in a public cloud.

The Accurics software plugs into LendingClub’s repository of software code and analyzes it to make sure it meets all data privacy and security requirements before software is pushed out into production. It scans the code the company uses to provision its infrastructure — servers, networks, cloud instances, etc. — and analyzes it for security lapses. Once an application is provisioned to a cloud or internal environment, Accurics monitors the setup constantly to ensure it is sufficiently protected.

It looks for red flags like unencrypted data in transit, missing multifactor authentication and misconfigured firewalls. It continuously monitors so it can flag potential problems right away.

“Cybersecurity is a very complex topic in that there are many ways an attacker can gain access to your system,” Montini said. “You may use the most sophisticated tools in the world. You can have the best firewall in the market and spend a lot of money on it. But if it's poorly configured, if you leave a door open, people are going to get into that door. Accurics is checking all the doors and making sure that they're properly closed.”

Launching a tech company during a pandemic

Accurics, which is based in Pleasanton, Calif., and calls itself a “code-to-cloud” security company, emerged from stealth mode and officially launched on Tuesday.

The company has received $5 million in backing from ClearSky, WestWave Capital, Firebolt Ventures and Secure Octane. It is offering a free version and a more robust enterprise version. Accurics did not share pricing information for the enterprise version. The software supports Amazon Web Services and Google’s cloud platform.

CEO Sachin Aggarwal said that the global cloud computing market is set to top $623 billion by 2023, representing a compound annual growth rate of 18%.

But cloud security challenges include complexity, lack of consistency among container and cloud technology providers, and “drift” — the way privileged users can make changes to a cloud infrastructure in production, which can lead to violations of compliance and security policies and introduce risks.

Accurics offers what it calls “breach path prediction,” where it uses threat models to detect and remediate potential exposure paths in infrastructure code. It also offers continuous monitoring throughout a technology stack for possible violations of data privacy and cybersecurity laws, including the European Union's General Data Protection Regulation.

“We can take care of certain guardrails and compliance requirements early on in the process so that when they are actually in production, in run time in the green light with an application, then physically, the exposure on some of those issues is marginal,” Aggarwal said. “We do a lot of GDPR compliance checks early on in the process, for instance.”

For reprint and licensing requests for this article, click here.