The relationship that needs to be forged isn’t controls relative to size, but rather controls related to risk. The threat to your customer or member data is every bit as real whether you’re a small credit union or Bank of America. Not having a network monitoring solution in place may be acceptable if your firewall is sufficiently configured and monitored and you have a strong anti-virus solution running; it’s not acceptable for your only justification for not having one is that you’re too small to need one.”]
Source: https://www.cuinfosecurity.com/blogs/regulatory-compliance-its-size-risk-that-matters-most-p-98