Compliance Does Not Equal Security
Posted by Kevin Hood, CISA, IT Consultant, Credit Union Resources, Inc on 4/12/2017

Compliance is a headache for most credit unions, and it’s not going away. With the new focus on cybersecurity, we can expect more regulations aimed at protecting member data. Unfortunately, many credit unions are lulled into the belief that Compliance = Security. This is not the case, and credit unions should work at developing a proactive security program rather than simply checking off boxes on a compliance checklist.

With the cost of compliance on the rise, we see many credit unions doing the minimum to get by and stay in compliance. It is true that this will protect you from further regulatory scrutiny and fines; however, this does not fully protect you from the other consequences of a data breach such as reputation risk, legal battles, disruption of critical member services, and disgruntled members. Some of the largest data breaches in the past have occurred at organizations that were PCI compliant, such as Target, Heartland, and Home Depot.

Regulatory requirements and guidance should be seen as a baseline for security. For example, you have antivirus software in place – that’s great, now how are you proactively monitoring and responding to alerts? You have a nice, new, expensive firewall in place – that’s great, now how are you proactively monitoring and responding to alerts? Again, just because you have a solution in place so that you could check that item off the checklist doesn’t mean it is as secure as possible. I was recently at a mid-size credit union performing a cybersecurity risk assessment, and they had great documented policies and procedures in place regarding patch management. But upon further inspection, their file server was still running Windows Server 2003, which has been end-of-life for almost two years. They had never been written up by an examiner because they had “policies and procedures” in place; however, they definitely weren’t as secure as they could be.
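The file-server story above is the gap between a written patch-management policy and the state of the actual fleet. One way to close that gap is to audit the asset inventory against vendor end-of-support dates and the policy's own patch-age limit, so an end-of-life host surfaces as a finding even when the paperwork looks fine. The script below is an added example, not from the original post or from Credit Union Resources: the host names, the "CustomAppliance OS 2.1" label and the patch dates are constructed, the 30-day patch window and the 2017-04-12 audit date are assumptions, and the two Windows end-of-support dates are Microsoft's published dates.

```python
"""Audit an asset inventory against end-of-support dates and a patch-age policy.

Added example (not the original post's code).  Inventory rows, host names
and the 30-day window are constructed assumptions for illustration.
"""
from datetime import date

# Vendor end-of-support (extended support) dates.  Any OS missing from this
# table is reported as a gap in the inventory, not silently passed.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),      # Microsoft published date
    "Windows Server 2012 R2": date(2023, 10, 10),  # Microsoft published date
}

# Policy assumption: every server must have been patched within this window.
MAX_PATCH_AGE_DAYS = 30

# Constructed inventory (hypothetical hosts, not from the post).
INVENTORY = [
    {"host": "fileserver01", "os": "Windows Server 2003",
     "last_patched": date(2015, 6, 10)},
    {"host": "mail01", "os": "Windows Server 2012 R2",
     "last_patched": date(2017, 3, 20)},
    {"host": "web01", "os": "CustomAppliance OS 2.1",   # constructed label
     "last_patched": date(2016, 11, 2)},
]


def patch_age_days(asset, as_of):
    """Days elapsed between the host's last patch date and the audit date."""
    return (as_of - asset["last_patched"]).days


def audit_host(asset, as_of):
    """Return the list of policy findings for one host (empty means clean)."""
    findings = []
    eol = END_OF_SUPPORT.get(asset["os"])
    if eol is None:
        # Unknown lifecycle is itself a finding: you cannot manage what
        # you have not recorded.
        findings.append(f"no end-of-support date on record for {asset['os']}")
    elif eol <= as_of:
        findings.append(f"OS unsupported since {eol.isoformat()}")
    age = patch_age_days(asset, as_of)
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"last patched {age} days ago (policy: {MAX_PATCH_AGE_DAYS})")
    return findings


def audit_inventory(inventory, as_of):
    """Map host -> findings for every host that violates the policy."""
    report = {}
    for asset in inventory:
        findings = audit_host(asset, as_of)
        if findings:
            report[asset["host"]] = findings
    return report


if __name__ == "__main__":
    # Audit date assumed to be the post's publication date.
    for host, findings in audit_inventory(INVENTORY, date(2017, 4, 12)).items():
        print(host)
        for f in findings:
            print("  -", f)
```

Run against a real inventory export, this is the kind of evidence an examiner never asks for but an attacker effectively collects for you: the policy says "patched monthly", the script says fileserver01 has been unsupported for two years and unpatched for longer. Feeding it from the CMDB or a vulnerability-scanner export, rather than a hand-typed list, is what turns the policy document into something you can actually verify.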

Regulatory requirements and guidance are not a “one-size-fits-all” solution to security. You can’t eliminate all risks, but you can build a strong security program, above and beyond the baseline requirements, to try to mitigate these risks as much as possible. Remember, compliance DOES NOT EQUAL security… Hackers don’t care if you’re compliant.

Credit Union Resources has Technology Consulting & Compliance Services available for credit unions of all sizes. For additional information, please contact Deana Brown or Idrees Rafiq.

Categories: Technology Consulting & Compliance