The National Credit Union Administration (NCUA) has recently identified cybersecurity as a supervisory priority for 2020, and as credit unions continue to manage an evolving cybersecurity threat landscape, it is vital that they have their Boards of Directors involved in the process. This starts with adhering to regulatory agencies expectations, such as completion of the Automated Cybersecurity Examination Tool (ACET), designed to help credit unions assess their cybersecurity maturity levels.
While the board typically delegates the day-to-day operational responsibilities to its officers and employees, it cannot delegate its responsibility for the consequences of unsound or imprudent information security policies and practices, including cybersecurity. Institutions that do not adhere to standards and best practices run the risk of examiner findings, Board criticism, and in extreme cases, individual director financial liability.
The Credible Challenge
The expectation that the Board provides a credible challenge to management applies to all financial institutions and is defined in the FFIEC IT Management Booklet this way: A credible challenge involves being actively engaged, asking thoughtful questions, and exercising independent judgment. To accomplish this, the Board must be kept informed, and that requires accurate, timely, and relevant information presented in a manner the Board will truly understand and be able to act on. A simple summary report is typically not detailed enough to engage the Board or give them the kind of information they need to provide that credible challenge. Summary reports can tell the “what” but not the “why”, and Boards need the “why”, when it involves something as significant as cybersecurity.
Engaging the Board of Directors
The Board is responsible for approving and providing general oversight for the credit union’s information security/cybersecurity program, and that includes being involved in—and engaged with—the completion of the ACET and the next steps. Once the initial risk assessment has been completed and reported to the Board, the next step that requires Board involvement is the Gap Analysis and resulting Action Plan. Since the Board is expected to review and approve the institution’s relative risk and control levels, presenting the outcome of the Inherent Risk Profile and Cybersecurity Maturity portions of the ACET enables the Board to gain valuable insight into their systems, cyber vulnerabilities, and current general control levels.
Most importantly though, an accurate risk and control maturity assessment enables management to present a convincing case to the Board providing key reasons why the institution should strengthen controls whenever and wherever necessary. The ACET already assigns numeric values in the Inherent Risk Profile and the Control Maturity sections, which enables a risk and a control maturity “grade” to be given. This adds clarity and gives the Board quantitative insight into how their organization is doing and how auditors and examiners are likely to see their relative risk and control levels.
The ACET only allows a single assessment’s results to be displayed, but ideally multi-assessment data should be displayed graphically or in an easy-to-consume manner, one that enables the Board of Directors to easily evaluate assessment-to-assessment performance comparisons, identify trends, and determine the necessary steps to enhance their cybersecurity posture.
It is extremely important for credit unions to ensure the appropriate people are involved in their efforts to combat cybersecurity risk, from the Board room to the server room. Doing so helps protect them from possible suboptimal audit and exam results and additional regulatory scrutiny. Ultimately, it is the Board of Director’s responsibility to protect itself and its sensitive member data. Having participation from the Board ensures that all stakeholders from the top down are completely vested in addressing this important security and regulatory process.
For more information, please download our complimentary white paper, Moving Beyond the ACET – Next Steps All Credit Unions Should Take to Improve Cybersecurity Posture.