How NCUA’s Assessment Tool Can Enhance Cybersecurity Preparedness for Credit Unions
Cybersecurity is a top-of-mind concern for all financial institutions as the number and sophistication of threats continue to increase. Attackers today are often well-financed and equipped with the latest technology like machine learning tools, automation, and pre-built toolkits that make it easy for them to attack institutions of all sizes. As the cybersecurity world continues to evolve, it’s important that credit unions do so as well.
In response to this threat, regulatory agencies have introduced a host of new regulations around cybersecurity, and developed tools and guidance intended to better evaluate a financial organization’s cybersecurity preparedness. Most recently, the National Credit Union Administration (NCUA) developed the Automated Cybersecurity Examination Tool (ACET) to help credit unions better assess their cybersecurity readiness.
The ACET, developed in 2017, directly aligns with the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT), released in 2015. Both the CAT and the ACET are designed to support an institution’s measurement of cybersecurity risk and evaluation of control maturity. According to the NCUA, the new exam tool intends to provide a “repeatable, measurable, and transparent process that improves and standardizes our supervision related to cybersecurity in all federally insured credit unions.”
The ACET measures credit union operations, products and services, and cyber controls through two major components: Inherent Risk Profile and Control Maturity. The Inherent Risk Profile determines a credit union’s exposure to risk by identifying the type, volume, and complexity of the institution’s operations. The Control Maturity portion measures a credit union’s level of cybersecurity controls. The levels range from “baseline” to “innovative,” with the 123 baseline statements representing the minimum regulatory expectations. This portion consists of almost 500 declarative statements within the following five domains:
- Cyber-risk management and oversight
- Threat intelligence and collaboration
- Cybersecurity controls
- External dependency management
- Cyber-incident management and resilience
While officially the ACET is not strictly required, the NCUA states that “Credit unions may choose whatever approach they feel appropriate to conduct their individual assessments, but the assessment tool would still be a useful guide.” During an examination, the NCUA will typically ask if the credit union has completed the ACET or an equivalent assessment, and if not, the examiner will then use the ACET during the exam to complete the cyber assessment with the institution. Simply put, the ACET is the current de facto standard for cyber assessments.
Proper Interpretation is Key
While completing the ACET is recommended, it can also be quite time-consuming, particularly for smaller institutions, due to the amount of prep work and supporting documentation required. To complicate matters further, most of the questions and declarative statements can be interpreted in various ways. Incorrect interpretation will impact the accuracy of stated risk profiles and risk levels, which in turn will result in inaccurate gap analysis and action plans, possibly resulting in under-allocated or misallocated resources.
Regardless of whether you use the ACET or another methodology, completing the cyber assessment merely clears the first hurdle in the process; it does not ensure that a credit union is fully prepared. There are several critical next steps credit unions need to take to ensure they are truly prepared to address cybersecurity threats. Next week, we will discuss the steps credit unions should take following completion of the ACET to ensure they are taking a proactive, vigilant, and compliant approach to cybersecurity preparedness.
For more information, please download our complimentary white paper, Moving Beyond the ACET – Next Steps All Credit Unions Should Take to Improve Cybersecurity Posture.