Security for Credit Unions and Credit Union Services Organizations (CUSO)

Credit Unions and Credit Union Services Organization (CUSO) have unique regulatory requirements and threats that impact their businesses. While many financial institutions and financial service providers outsource components of their operations, this does not relieve them of the responsibility for data protection and integrity. As such, SAVANTURE has worked with leading government agencies and providers to provide security services and supplemental consulting services to help Credit Unions and CUSOs reduce their risk to cybersecurity compromises as well as to meet regulatory requirements. Real Security for Credit Unions and Credit Union Services Organizations (CUSO).

Verto & Associates Logo
SAVANTURE and Verto & Associates have teamed to provide custom solutions to meet industry and regulatory needs of Credit Unions and Credit Union Services Organizations (CUSO). Meeting the unique requirements for regulatory requirements and against cybersecurity threats.


Regulator requirements require:

Continuous Security Monitoring

Collection, Management and Retention of system logs (Syslog)

    for event analysis, trending and forensics. This is enabled primarily through technology. SAVANTURE provides:

Continuous vulnerability and threat awareness

    for awareness of vulnerabilities and misconfigurations within your environment. This is enabled primarily through personnel, technology and processes.

Multifactor Authentication

    for compensating for the weaknesses associated with static username and passwords. This is enabled primarily through technology and processes. SAVANTURE provides:

Policy Management and Risk Management


Interpretive Ruling and Policy Statements (IRPS)

Information Technology (IT) – including e-Commerce, has several applicable regulatory Rules and Regulations. This guidance is intended to assist credit unions with the planning, implementation and evaluation of IT operations and initiatives.Examination of Independent Credit Union Service Centers (46 Fed. Reg. 44421; Sept. 4, 1981) Applicable Rules and Regulations:

Rules and Regulations Date Issued ​Title and Description
12 CFR Part 748 ​04/14/2005 ​Security Program and Appendix B – Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.
12 CFR Part 740 9/19/2002 ​Accuracy of Advertising and Notice of Insured Status – Addresses the adequacy of notification regarding the availability of federal share insurance when using the Internet to engage transactions.
12 CFR Part 721 ​7/26/2001 ​Federal Credit Union Incidental Powers Activities – Identifies activities deemed to be within the incidental powers of a federal credit union. Electronic Financial Services and Stored Value Products are addressed.
12 CFR Part 748 ​1/18/2001 ​Security Program and Appendix A – Guidelines for Safeguarding Member Information
​12 CFR Part 716 ​6/5/2000 ​Privacy of Consumer Financial Information
12 CFR Parts 716 and 741 ​5/8/2000 ​Privacy of Consumer Financial Information; Requirements for Insurance


Other Reference Material

FFIEC’s Cybersecurity Assessment Program

500 community financial institutions and The Federal Financial Institutions Examination Council (FFIEC) piloted a cybersecurity examination work program in 2014. The document does a good job of outlining observed risk, inherent problems within the industry, and potential areas of improvement. The output document can be accessed at

FFIEC Cybersecurity Assessment General Observations



        Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998’s Presidential Directive 63. That directive – later updated by 2003’s Homeland Security Presidential Directive 7 – mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.



        The Federal Financial Institution Examination Council (FFIEC) recommends that financial institutes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC).


United States Computer Emergency Readiness Team (US-CERT)

The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the nation’s cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cybersecurity – collaborative, agile, and responsive in a dynamic and complex environment.


FBI Infragard

InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.