While completing the National Credit Union Administration's (NCUA) Automated Cybersecurity Examination Tool (ACET) is an important first step in helping credit unions and their regulators assess cybersecurity readiness, additional critical steps are required to ensure that a credit union is fully prepared and truly in compliance with regulator expectations.
The ACET measures credit union operations, products and services, and cyber controls through two major components: Inherent Risk Profile and Control Maturity. The Inherent Risk Profile determines a credit union’s exposure to risk by identifying the type, volume, and complexity of the institution’s operations. The Control Maturity measures the entity’s level of cybersecurity control readiness. Completing both the Inherent Risk Profile and the Cybersecurity Maturity portions of the assessment enables credit unions to gain valuable insight into their systems, potential cyber vulnerabilities, and general control levels.
Regulators expect credit unions to take the information gathered in the assessment, understand it, determine where they are versus where they need to be, and then put a plan in place to reach those goals. These are collectively referred to as “the next steps”, and in our experience are often missing from cyber-readiness planning.
Gap Analysis – Determining “Desired” State of Maturity
After establishing your current risk status by completing the assessment, the gap analysis is the next step credit unions must take to identify missing controls and processes. The intent of this step is to increase their level of cybersecurity maturity by comparing their current state to their “desired” state.
A credit union’s desired state of cyber maturity can be thought of as where the institution desires to be after addressing the gaps identified in the gap analysis. This can actually present the biggest challenge for a credit union because the concept of a “desired” state requires the credit union to establish its risk appetite. Risk appetite is mentioned nine times in the ACET, and the FFIEC defines it as “…the amount of risk a financial institution is prepared to accept when trying to achieve its objectives.” The risk appetite is set and approved by the Board, and although they may decide a single enterprise-wide cyber risk appetite is sufficient, more often they may prefer to assign a separate risk appetite to each business process.
Finally, because the cybersecurity landscape is continually evolving, and the number of cyber threats is constantly increasing, institutions should strive to steadily increase their control maturity levels, even if their inherent risk profile and risk appetite do not increase. For this reason, the gap analysis and action plan are the most important recurring steps in the cybersecurity program.
The Action Plan – Implementing Plans to Attain and Sustain Maturity
The action plan uses the information gathered in the gap analysis to identify specific declarative statements that should be achieved prior to the next assessment. There is no pre-set number of statements that need to be implemented, but once all baseline statements have been achieved, it is best to target the top six to eight statements and put plans in place to achieve them before the next assessment. Statements should be prioritized according to how the associated contributing components align with specific risk areas. The key is to show all stakeholders that you are making incremental progress from one assessment to the next.
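The gap analysis and action plan described above, as an added Python example that is not part of the ACET or of this article: statement identifiers, domain names, risk areas and weights are constructed for illustration, and the tier ordering follows the FFIEC CAT tiers on which the ACET is based. Unmet statements at or below the Board's desired tier are the gaps; unmet Baseline statements are always scheduled first, otherwise the remaining gaps are ranked by risk area and capped at six to eight.

```python
from dataclasses import dataclass

# Maturity tiers in ascending order (FFIEC CAT / ACET tier names)
TIERS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

@dataclass(frozen=True)
class Statement:
    sid: str        # constructed identifier, not an actual ACET statement id
    domain: str     # assessment domain the statement belongs to
    tier: str       # maturity tier the statement contributes to
    risk_area: str  # risk area its contributing component maps to
    achieved: bool  # result recorded in the current assessment

def gap_analysis(statements, desired):
    """Unmet statements at or below each domain's desired tier.
    `desired` maps domain -> target tier derived from the Board's risk appetite;
    statements above that tier are not gaps because the appetite does not
    require them yet."""
    return [s for s in statements
            if not s.achieved
            and TIERS.index(s.tier) <= TIERS.index(desired[s.domain])]

def action_plan(gaps, risk_weights, limit=8):
    """Statements to target before the next assessment. Unmet Baseline
    statements come first and are all included; otherwise rank by risk-area
    weight (higher = more exposure), then by tier, and cap at `limit`."""
    baseline = [g for g in gaps if g.tier == "Baseline"]
    if baseline:
        return baseline
    ranked = sorted(gaps, key=lambda g: (-risk_weights.get(g.risk_area, 0),
                                         TIERS.index(g.tier), g.sid))
    return ranked[:limit]

# Constructed sample assessment: ids, domains and risk areas are illustrative
SAMPLE = [
    Statement("S-01", "Cyber Risk Management", "Baseline", "Governance", True),
    Statement("S-02", "Cyber Risk Management", "Evolving", "Governance", False),
    Statement("S-03", "Cybersecurity Controls", "Baseline", "Access", False),
    Statement("S-04", "Cybersecurity Controls", "Evolving", "Access", False),
    Statement("S-05", "Cybersecurity Controls", "Intermediate", "Access", False),
    Statement("S-06", "Cybersecurity Controls", "Evolving", "Detection", False),
    Statement("S-07", "Incident Management", "Advanced", "Response", False),
]
DESIRED = {"Cyber Risk Management": "Evolving", "Cybersecurity Controls": "Evolving",
           "Incident Management": "Evolving"}
RISK_WEIGHTS = {"Access": 3, "Detection": 2, "Governance": 1, "Response": 2}
```

With the sample data the only unmet Baseline statement (S-03) is the whole plan; once it is achieved, the plan becomes the ranked Evolving gaps.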
Reevaluate and Address Any Issues from Prior Assessments
The ACET is intended to be completed at least annually, or as significant operational and technical changes occur. Credit unions should continue to review the risk and control maturity results to understand which policies, procedures, processes, and controls are in place and where any corresponding gaps may occur. The periodic reevaluation should include documentation of what improvements have been made (i.e., which declarative statements have been achieved) and how the results were achieved, including resolutions of findings from prior assessments.
The ACET is not the only cyber assessment tool available, but it is now the standard most auditors and NCUA examiners are using. Completing it accurately, and then understanding and acting on the results, enables credit unions to understand their cybersecurity risk levels, enhance their cybersecurity posture, and meet auditor, examiner, and Board expectations with confidence. While completing the assessment represents an important first step, taking the information gathered from the assessment, understanding it, and putting a plan in place to address gaps and vulnerabilities helps ensure a credit union can effectively identify and address cyber threats and demonstrate a strong cybersecurity posture.
For more information, please download our complimentary white paper, Moving Beyond the ACET – Next Steps All Credit Unions Should Take to Improve Cybersecurity Posture.