Compliance Does Not Equal Security
Friday, May 5, 2017 6:25 AM

Kevin Hood, CISA, IT Consultant, Credit Union Resources

Compliance is a headache for most credit unions, and it’s not going away. With the new emphasis on cybersecurity, we can expect more regulations aimed at protecting member data. Unfortunately, many credit unions are lulled into the belief that compliance equals security. This is not the case, and credit unions should work at developing a more proactive security program as opposed to simply checking off a box on a compliance checklist.

With the cost of compliance on the rise, we see many credit unions doing the minimum to get by and stay in compliance. It is true that this will protect you from further regulatory scrutiny and fines; however, this does not fully protect you from other consequences of a data breach, such as reputation risk, legal battles, disruption of critical member services, and disgruntled members. Some of the largest data breaches in the past have occurred at organizations that were PCI compliant, such as Target, Heartland, and Home Depot.

Regulatory requirements and guidance should be seen as a baseline for security. For example, you have antivirus software in place, and that’s great; now, how are you proactively monitoring and responding to alerts? You have a nice, new, expensive firewall in place—that's great; now, how are you proactively monitoring and responding to alerts? Again, just because you have a solution in place so that you could check that item off the checklist doesn’t mean your credit union is as secure as possible.

I was recently at a mid-size credit union performing a cybersecurity risk assessment, and they had great documented policies and procedures in place regarding patch management. But upon further inspection, their file server was still running Windows Server 2003, which has been end-of-life for almost two years. They had never been written up by an examiner because they had “policies and procedures” in place; however, they definitely weren’t as secure as they could be.

Regulatory requirements and guidance are not a one-size-fits-all solution to security. You can’t eliminate all risks, but you can build a strong security program, above and beyond the baseline requirements, to try to mitigate these risks as much as possible. Remember, compliance does not equal security. Hackers don’t care if you’re compliant.


Assess Your Systems and Manage Your Risk

As technology changes, every credit union faces new security issues. Let Credit Union Resources help you stay on top of it—your future could depend on it. Our team of technology professionals provides guidance on compliance, shares best practices, and performs audits. We have a vested interest in your success, and your cybersecurity matters to us. To find out how we can help you manage cybersecurity and operational risks, contact:

Idrees Rafiq
800-442-5762, ext. 6799

Deanna Brown
800-442-5762, ext. 6464

About Credit Union Resources, Inc.
Credit Union Resources is a service corporation that provides industry-leading solutions and expertise to credit unions across the country. Credit Union Resources is a wholly owned subsidiary of the Cornerstone Credit Union League, a regional trade association representing the interests of credit unions in Arkansas, Oklahoma, and Texas.