Manage Learn to apply best practices and optimize your operations.

Cloud compliance management solutions in use at small banks, credit unions

Solution providers report that community banks and credit unions are showing an increased interest in cloud IT services and cloud GRC.

Credit unions and community banks represent a mixed market for IT solutions and services.

Those small and midsized institutions face increasing financial pressure in the form of razor-thin net interest margins and increasing compliance chores. Some credit unions and banks have liquidated or sought buyers as a result. For the institutions soldiering on, the money crunch limits investment dollars available for IT, among other items.

[SaaS-based IT security] levels the playing field between smaller community banks and credit unions and large-sized institutions. SaaS vendors basically help keep credit unions alive.

Richard Reinders,
information security analyst, Lake Trust Credit Union

But, on the other hand, credit unions and banks may seek outsourced and cloud-based solutions as a way to save money, be compliant with regulations and compensate for limited in-house resources. Indeed, some channel partners report an uptick in demand for cloud compliance management solutions and cloud-based IT services.

Richard Reinders, information security analyst at Lake Trust Credit Union in Lansing, Mich., said the credit union uses Software-as-a-Service (SaaS)-based IT security tools, which he said helps it keep pace with larger institutions.

"For us it levels the playing field between smaller community banks and credit unions and large-sized institutions," Reinders said. "SaaS vendors basically help keep credit unions alive," he added, noting shrinking interest margins and compliance pressures.

Growth in cloud

Dan Holt, president and general manager of managed services at Computer Services Inc. (CSI), said he has seen cloud demand take off among his customers. CSI, based in Paducah, Ky., offers technology solutions, managed services and cloud services to financial institutions.

Holt said the cloud move marks a change in spending in the sector. The last wave of IT infrastructure spending occurred prior to the 2008 economic downturn in the United States. The tech refresh cycle showed signs of life last year as some institutions pursued in-house server upgrades and virtualization projects, he noted.

But organizations are rethinking that approach. Holt said the chief financial officer has a new response when IT requests $100,000 for a virtualized environment: "Can't we do this in the cloud?"

Holt said cloud awareness is so high among financial firms that CFOs and other top-level executives are asking that question. The key for banks: Trim costs and concentrate on the essentials.

"If they can reduce their expenses, focus on their core competencies and produce more loans, they become more effective as a financial institution," he said.

Who is heading to the cloud? Holt said he anticipates that three-quarters of all community banks and credit unions will move the vast majority of IT to the cloud over the next three to five years. He said institutions in the $100 million to $750 million asset range are moving the most aggressively in that direction.

Larger banks and credit unions tend to be more selective in cloud outsourcing, he added. Banks at the $1 billion level and above, he noted, have more complex environments, which impedes a soup-to-nuts cloud migration.

Credit unions, meanwhile, tend to like to have more control over the IT environment, Holt explained. "Credit unions are a little slower to adopt something like that," he said.

Cloud outsourcing may start with areas such as disaster recovery, backup and storage, Holt said, and virtual desktop infrastructure has also become popular.

Focus on security

Security is another niche where cloud solutions attract the attention of credit unions and community banks. TraceSecurity Inc., based in Baton Rouge, La., reports increased interest from community banks and credit unions in its cloud-based governance, risk and compliance (GRC) tool, TraceCSO. The cloud compliance product lets customers automate compliance with more than 25,000 citations and regulations. TraceSecurity also offers security services including risk management and vulnerability scanning.

Dariel LeBoeuf, executive vice president of sales and marketing at TraceSecurity, said regulatory pressure and resource constraints compel mid-tier financial institutions to consider cloud solutions. Ninety percent of TraceSecurity’s customers are in the financial services sector. The company's core market consists of organizations with assets in the range of $100 million to $1 billion.

LeBoeuf said the mid-tier once caught a break regarding the specialized security requirements they needed to implement, noting that situation has changed in recent years.

"The regulatory bodies are putting more pressure on them to comply," LeBoeuf said.

He noted that smaller institutions, in particular, may lack staffers who understand the regulations and know how to put controls in place to comply with those regulations.

While the compliance pressure grows, smaller banks and credit unions also find themselves with a bigger target drawn on their backs. LeBoeuf said the big banks traditionally were the prime candidates for breaches, but those institutions have deployed layers of security and have become harder to successfully attack. Accordingly, the smaller institutions have emerged as more tempting targets.

More on cloud compliance management solutions

Credit union adopts cloud GRC tool

Compliance rules impact on nonprofits and cloud computing

Compliance management: GRC software, mobile management

Smaller banks and credit unions need to shore up their defenses, but they have found in-house GRC expensive to deploy.

In past years, only a few large corporations used GRC systems, noted Bob Bender, chief technology officer of Founders Federal Credit Union, based in Lancaster, S.C. He said on-premises GRC is a huge system to maintain, requiring multiple administrators. The cost to install a basic, three-module configuration can cost $500,000, with a full deployment running into seven figures, he said.

Founders Federal Credit Union uses TraceSecurity’s TraceCSO. Bender said the cloud model makes GRC affordable. "You take those huge systems and put them in the cloud, and all of the sudden it reduces the cost of ownership," he said.

Lake Trust Credit Union also uses TraceCSO. Reinders said SaaS has proven the best answer given the credit union's resource constraints.

"When you look at credit unions and community banks, there just isn't the in-house capacity and knowledge to even make a solution like TraceCSO and what other SaaS vendors offer," he said.

Reinders said cloud GRC employs a virtual machine, as opposed to a hardware appliance, as a vulnerability scanner. The scanning component, he added, reports to the cloud portion of the solution, which lets the credit union see whatever risks and vulnerabilities the scans have discovered.

The credit union also uses cloud-based tools for intrusion detection and intrusion prevention monitoring, Reinders said. In general, the credit union adopts the security tools it deems best, whether on-premises or cloud, he added.

The need to deal with the intensifying threat of distributed denial of services (DDoS) attacks may also take credit unions to the cloud. This month, the National Credit Union Administration, which plays a similar oversight role as the FDIC, issued a DDoS warning along with guidelines for risk mitigation.

"I can see a lot of outsourcing vendors coming in to help credit unions with that in the near future," Reinders said.

Dig Deeper on Vertical Market Sales Strategy