Tag: Cybersecurity RADAR for Credit Unions

27 Feb 2020
Top 3 Cybersecurity Threats CEOs Need to Be Aware of in 2020

We recently conducted a sentiment survey to ask our community bank and credit union customers about their top worries for 2020. Cybersecurity was at the top of the list for most institutions and not without reason. According to a recent Boston Consulting Group report, cyber-attacks are 300 times more likely to hit financial firms than any other company.

In an effort to help community bank and credit union CEOs prepare for cybersecurity threats in 2020, I recently shared a video from my “Banking Bits and Bytes Super Duper CEO Series,” covering the current threat landscape and what financial institution CEOs need to look out for over the next 12 months. Here are three key areas to focus on:

Business Email Compromise

Business email compromise isn’t a new cybersecurity threat to financial institutions, but we’ve recently seen increased incidents of these malicious emails in community banks and credit unions. We often see this happen when the CFO at a bank receives an email that appears to come from the CEO asking them to send a wire transfer on their behalf. These types of emails are able to easily slip through email filters because they don’t contain any malicious code. It is just a plain text message so it can easily be viewed as a non-threatening email to an employee. This is why user security awareness training is the most important counter measure to prevent employees from interacting with these messages.
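Because the messages described above carry no malicious payload, the useful technical signal is in the headers rather than the body. The following Python check is an added example, not code from the original post or from Safe Systems: it flags mail whose From display name matches a known executive while the actual address is not that executive's mailbox, and mail whose Reply-To domain differs from the From domain. The executive roster, domain names and both sample messages are constructed for illustration.

```python
"""Display-name impersonation check for inbound mail headers.

Added example (not from the original post). The executive roster,
the domain and the two sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed roster: normalized executive display name -> genuine mailbox.
EXECUTIVES = {
    "jane doe": "jane.doe@examplecu.example",
}


def normalize_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def check_message(raw: str) -> dict:
    """Return a verdict for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    addr = addr.lower()
    reply_addr = reply_addr.lower()
    reasons = []

    # Lookalike sender: the name a reader sees belongs to an executive,
    # but the address behind it is not that executive's mailbox.
    name = normalize_name(display)
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append("display name matches executive but address differs")

    # Replies silently redirected to a different domain than the sender's.
    if reply_addr and reply_addr.split("@")[-1] != addr.split("@")[-1]:
        reasons.append("Reply-To domain differs from From domain")

    return {
        "from": addr,
        "display": display,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample messages: a genuine one and an impersonation attempt.
SAMPLES = [
    (
        'From: "Jane Doe" <jane.doe@examplecu.example>\n'
        "To: cfo@examplecu.example\n"
        "Subject: Board packet\n"
        "\n"
        "Attached is the draft agenda for Thursday.\n"
    ),
    (
        'From: "Jane Doe" <jd-office@freemail.example>\n'
        'Reply-To: "Jane Doe" <jd.ceo@other-mail.example>\n'
        "To: cfo@examplecu.example\n"
        "Subject: Urgent wire\n"
        "\n"
        "I need a wire sent today, I am in meetings, reply here.\n"
    ),
]


def run_samples() -> list:
    """Evaluate every constructed sample and return the verdicts."""
    return [check_message(raw) for raw in SAMPLES]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

A check like this complements, rather than replaces, user awareness training: it catches the lookalike-address pattern, while a message that forges the executive's exact address needs SPF, DKIM and DMARC enforcement at the mail gateway to be rejected.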

Extortion Emails

We’ve also seen a rise in extortion emails claiming to have compromising information about a financial institution executive that will be released to the public unless a ransom is paid. In these emails, hackers may also claim to know username and password pairings and say they have hacked into a victim’s computer. Fortunately, these threats are rarely, if ever, true or accurate, but they have still raised concerns among many executives.

The best way to guard against this sort of attack is to use different passwords for different accounts and to change those passwords often. Multi-factor authentication is another very effective tool in protecting against extortion. Also, ensuring your institution has quality user security awareness training prevents someone from mistakenly responding to these emails.

Internet of Things (IoT)

Most people think of the IoT as devices like the Amazon Echo or the Google Nest Thermostat, but that’s not what we’re talking about here. While most Windows PCs in financial institutions have effective security measures in place to protect against threats, there are other items on the network, such as multi-function printers, network-connected LaserJet printers, the digital signage in front of the institution, or even the DVR system or security cameras from third-party providers, that can present an opportunity for criminals.

These devices are often on the network and as a result, can “see” the other devices connected to the network. They are often communicating with devices outside of the institution and unfortunately, you don’t have the ability to control the software that runs these devices; manage the patch level; or dictate who the device can talk to or how it does so. Financial institutions can compensate for this lack of control through careful network topology design; careful perimeter security rules; and installing detective technologies on the network to know when these IoT devices are up to no good.
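One concrete form of the “detective technology” mentioned above is an egress policy check over flow records: each inventoried IoT device is allowed to talk to a short list of vendor destinations, and anything else leaving the network from that device is flagged. The Python below is an added example, not code from the original post or from Safe Systems; the device inventory, allowlist, address ranges and flow records are all constructed for illustration, with real deployments reading the same fields from a NetFlow or firewall log export.

```python
"""Egress allowlist check for IoT devices on a branch network.

Added example (not from the original post). The inventory, the
allowlists, the internal address range and the flow records are
constructed; the addresses use documentation (TEST-NET) ranges.
"""
import ipaddress

# Constructed: the institution's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed inventory: IoT device address -> (label, allowed (host, port) pairs).
# A device you cannot patch or configure gets the smallest allowlist possible;
# a printer has no business reaching the internet at all.
IOT_DEVICES = {
    "10.10.50.21": ("lobby-signage", {("203.0.113.10", 443)}),
    "10.10.50.22": ("camera-dvr", {("198.51.100.5", 443)}),
    "10.10.50.23": ("mfp-printer", set()),
}


def is_internal(ip: str) -> bool:
    """True when the address falls inside the institution's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_violations(flows):
    """Return flows from IoT devices to external destinations not on their allowlist.

    Each flow is a dict with src, dst, dport and bytes, the fields a
    NetFlow or firewall log export would provide.
    """
    violations = []
    for flow in flows:
        device = IOT_DEVICES.get(flow["src"])
        if device is None or is_internal(flow["dst"]):
            # Not an inventoried IoT device, or east-west traffic handled elsewhere.
            continue
        label, allowed = device
        if (flow["dst"], flow["dport"]) not in allowed:
            violations.append({**flow, "device": label})
    return violations


# Constructed flow records.
SAMPLE_FLOWS = [
    # signage -> its vendor's content server over HTTPS (allowed)
    {"src": "10.10.50.21", "dst": "203.0.113.10", "dport": 443, "bytes": 12000},
    # DVR -> unknown host on SSH (not allowed)
    {"src": "10.10.50.22", "dst": "192.0.2.77", "dport": 22, "bytes": 5400},
    # printer -> internet host (printer has an empty allowlist)
    {"src": "10.10.50.23", "dst": "198.51.100.99", "dport": 80, "bytes": 300},
    # printer -> internal file server (internal, skipped by this check)
    {"src": "10.10.50.23", "dst": "10.10.1.5", "dport": 445, "bytes": 9000},
    # workstation, not in the IoT inventory (skipped)
    {"src": "10.10.7.40", "dst": "192.0.2.77", "dport": 443, "bytes": 800},
]


def summarize(flows):
    """Return the labels of devices with at least one violating flow."""
    return sorted({v["device"] for v in find_violations(flows)})


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"{v['device']} ({v['src']}) -> {v['dst']}:{v['dport']} {v['bytes']} bytes")
```

The same allowlist table doubles as the specification for the perimeter rules the post recommends: a firewall that only permits the listed (host, port) pairs from the IoT segment enforces the policy, and this check reports the attempts that such a rule blocked or, where no rule exists yet, the flows that show a device talking to something it should not. Traffic between IoT devices and internal systems is deliberately left to a separate segmentation check.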

As cybersecurity threats become more complex, so too must the measures that CEOs employ within their institutions to counter these threats. To learn more about security threats and how to protect your institution, watch the full “Banking Bits and Bytes Super Duper CEO Series” below.

20 Feb 2020
What the NCUA’s 2020 Supervisory Priorities Mean for Your Credit Union’s ACET Cybersecurity Efforts

The National Credit Union Administration (NCUA) released the Automated Cybersecurity Examination Tool (ACET) in 2017 to help credit unions assess their current cybersecurity preparedness level, and since then examiners have been primarily focused on making sure the assessment is completed. However, in January, the NCUA issued its supervisory priorities stating, “In addition to the ACET, the NCUA will be piloting new procedures in 2020 to evaluate critical security controls during examinations between maturity assessments.” This means that credit unions must now go beyond simply completing the ACET to successfully meet these expectations.

Safe Systems compliance expert, Tom Hinkel, held a webinar last month covering the difficulties of filling out the ACET and how credit unions can best prepare for the NCUA’s new procedures. Key points from the webinar included:

Challenges in Accurately Completing the ACET

Before taking the next steps in the ACET process, it is important for credit unions to understand how misinterpreting a question or a declarative statement can significantly impact the accuracy of the overall assessment. If the responses are inaccurate, then the conclusions aren’t going to be correct either. The main challenge is that most of the items in the inherent risk profile are open to interpretation, and how a credit union chooses to interpret those questions affects where it will set its risk level for each part of the assessment. The NCUA has added pop-up descriptions throughout the assessment to help with interpretation, and while this is useful, it does not eliminate all possibility of misinterpretation. Having access to compliance expertise during this process can help provide more clarity for credit unions and ensure that each answer is truly accurate.

Steps Toward Cyber Maturity

Originally defined by the FFIEC, the five steps of the cybersecurity assessment process include: 1) completing the ACET; 2) identifying gaps; 3) determining desired state of maturity; 4) developing an action plan; and 5) reporting and reevaluating. However, many credit unions cycle back and forth between step one and step five without making sure that steps 2, 3, and 4 are completed as well. Without looking at the output of the assessment and making adjustments based on the results, the institution hasn’t improved its cybersecurity posture. It has just defined it. With the NCUA’s new supervisory priorities, examiners now expect credit unions to take the appropriate next steps to continually evolve their cyber maturity based on risk.

ACET Cybersecurity Graphic

Gap Analysis

The webinar covered how credit unions can better analyze their risk and control levels and identify cybersecurity gaps. A “gap” is defined as the difference between an institution’s residual risk level (risk after applying controls) and its risk appetite (where management expects the credit union to be). However, the ACET is clear that the risk assessment portion is designed to capture inherent risk, and the credit union must then be able to get from inherent risk (before controls are applied) to residual risk in order to conduct a meaningful analysis of its risk and control areas. The ACET doesn’t provide a straightforward way to do this, unfortunately, but it is a requirement in order to accurately identify the institution’s gaps.

Desired State of Maturity

Once an institution identifies “where it is,” the next step is to determine its “desired state of maturity,” defined as any level at (or below) the institution’s risk appetite. Cyber risk appetite, in turn, is defined as the amount of risk the institution is willing to accept when trying to achieve its objectives. The risk appetite is set and approved by the Board, and while they may decide a single enterprise-wide cyber risk appetite is sufficient, generally they will prefer to assign a separate risk appetite to each business process. Regardless of how your institution decides to define cyber risk appetite, it is a critical step on the way to the action plan.

Action Plan

The action plan is made up of the declarative statements that the institution plans to achieve prior to the next assessment in order to close the gap between the “current level” and the “desired state.” Because the number of threats is continually increasing, examiners now expect to see steady incremental increases and improvement over time. Essentially, if an institution is deemed stable on the risk side and doesn’t increase on the control maturity side, its cybersecurity posture is effectively moving backward. The webinar highlights how credit unions can use their ACET results to drill down from the domain level to the contributing components, and from there to the individual declarative statements, to identify and prioritize specific action plan objectives.

Report and Reevaluate

Finally, a significant part of the assessment is not just understanding where you are, where you need to be, and how you’re getting there, but also communicating your efforts clearly to all stakeholders. Credit unions need to show what improvements have been made and how those results were achieved. The FFIEC provided a document to CEOs and Boards to assist with this process. We believe superimposing your results on this graph demonstrates an effective way to present cybersecurity posture to your auditors and examiners, as well as the IT steering committee, and the Board:

ACET Cybersecurity Graphic

If you’d like to find out some best practices and tips to help improve your cybersecurity process and increase your compliance posture, download our recorded webinar: “Cybersecurity Preparedness: You’ve Completed the ACET, but Is That Enough? What Do Regulators Expect Next?”

30 Jan 2020
Reduce Cybersecurity Risk by Involving the Board of Directors in the ACET Process and Beyond

The National Credit Union Administration (NCUA) has recently identified cybersecurity as a supervisory priority for 2020, and as credit unions continue to manage an evolving cybersecurity threat landscape, it is vital that they have their Boards of Directors involved in the process. This starts with adhering to regulatory agencies’ expectations, such as completion of the Automated Cybersecurity Examination Tool (ACET), designed to help credit unions assess their cybersecurity maturity levels.

While the board typically delegates the day-to-day operational responsibilities to its officers and employees, it cannot delegate its responsibility for the consequences of unsound or imprudent information security policies and practices, including cybersecurity. Institutions that do not adhere to standards and best practices run the risk of examiner findings, Board criticism, and in extreme cases, individual director financial liability.

The Credible Challenge

The expectation that the Board provides a credible challenge to management applies to all financial institutions and is defined in the FFIEC IT Management Booklet this way: a credible challenge involves being actively engaged, asking thoughtful questions, and exercising independent judgment. To accomplish this, the Board must be kept informed, and that requires accurate, timely, and relevant information presented in a manner the Board will truly understand and be able to act on. A simple summary report is typically not detailed enough to engage the Board or give them the kind of information they need to provide that credible challenge. Summary reports can tell the “what” but not the “why,” and Boards need the “why” when it involves something as significant as cybersecurity.

Engaging the Board of Directors

The Board is responsible for approving and providing general oversight for the credit union’s information security/cybersecurity program, and that includes being involved in—and engaged with—the completion of the ACET and the next steps. Once the initial risk assessment has been completed and reported to the Board, the next step that requires Board involvement is the Gap Analysis and resulting Action Plan. Since the Board is expected to review and approve the institution’s relative risk and control levels, presenting the outcome of the Inherent Risk Profile and Cybersecurity Maturity portions of the ACET enables the Board to gain valuable insight into their systems, cyber vulnerabilities, and current general control levels.

Most importantly though, an accurate risk and control maturity assessment enables management to present a convincing case to the Board providing key reasons why the institution should strengthen controls whenever and wherever necessary. The ACET already assigns numeric values in the Inherent Risk Profile and the Control Maturity sections, which enables a risk and a control maturity “grade” to be given. This adds clarity and gives the Board quantitative insight into how their organization is doing and how auditors and examiners are likely to see their relative risk and control levels.

The ACET only allows a single assessment’s results to be displayed, but ideally multi-assessment data should be displayed graphically or in an easy-to-consume manner, one that enables the Board of Directors to easily evaluate assessment-to-assessment performance comparisons, identify trends, and determine the necessary steps to enhance their cybersecurity posture.

It is extremely important for credit unions to ensure the appropriate people are involved in their efforts to combat cybersecurity risk, from the Board room to the server room. Doing so helps protect them from possible suboptimal audit and exam results and additional regulatory scrutiny. Ultimately, it is the Board of Directors’ responsibility to protect the institution and its sensitive member data. Having participation from the Board ensures that all stakeholders from the top down are completely vested in addressing this important security and regulatory process.

For more information, please download our complimentary white paper, Moving Beyond the ACET – Next Steps All Credit Unions Should Take to Improve Cybersecurity Posture.

23 Jan 2020
Three Steps Credit Unions Should Take to Enhance Cybersecurity Posture After Completing the Automated Cybersecurity Examination Tool (ACET)

While completing the National Credit Union Administration’s (NCUA) Automated Cybersecurity Examination Tool (ACET) is an important first step in helping credit unions and their regulators assess cybersecurity readiness, there are additional critical steps that are required to ensure that a credit union is fully prepared and truly in compliance with regulator expectations.

The ACET measures credit union operations, products and services, and cyber controls through two major components: Inherent Risk Profile and Control Maturity. The Inherent Risk Profile determines a credit union’s exposure to risk by identifying the type, volume, and complexity of the institution’s operations. The Control Maturity measures the entity’s level of cybersecurity control readiness. Completing both the Inherent Risk Profile and the Cybersecurity Maturity portions of the assessment enables credit unions to gain valuable insight into their systems, potential cyber vulnerabilities, and general control levels.

Regulators expect credit unions to take the information gathered in the assessment, understand it, determine where they are versus where they need to be, and then put a plan in place to reach those goals. These are collectively referred to as “the next steps”, and in our experience are often missing from cyber-readiness planning.

Gap Analysis – Determining “Desired” State of Maturity

After establishing your current risk status by completing the assessment, the gap analysis is the next step credit unions must take to identify missing controls and processes. The intent of this step is to increase their level of cybersecurity maturity by comparing their current state to their “desired” state.

A credit union’s desired state of cyber maturity can be thought of as where the institution desires to be after addressing the gaps identified in the gap analysis. This can actually present the biggest challenge for a credit union because the concept of a “desired” state requires the credit union to establish its risk appetite. Risk appetite is mentioned nine times in the ACET, and the FFIEC defines it as “…the amount of risk a financial institution is prepared to accept when trying to achieve its objectives.” The risk appetite is set and approved by the Board, and although they may decide a single enterprise-wide cyber risk appetite is sufficient, more often they may prefer to assign a separate risk appetite to each business process.

Finally, because the cybersecurity landscape is continually evolving, and the number of cyber threats is constantly increasing, institutions should strive to steadily increase their control maturity levels, even if their inherent risk profile and risk appetite do not increase. For this reason, the gap analysis and action plan are the most important recurring steps in the cybersecurity program.

The Action Plan, Implementing Plans to Attain and Sustain Maturity

The action plan uses the information gathered in the gap analysis to identify specific declarative statements that should be achieved prior to the next assessment. There is no pre-set number of statements that need to be implemented, but once all baseline statements have been achieved, it is best to target the top six to eight statements and put plans in place to achieve them before the next assessment. Statements should be prioritized according to how the associated contributing components align with specific risk areas. Again, the key is to show all stakeholders that you are making incremental progress from one assessment to the next.

Reevaluate and Address Any Issues from Prior Assessments

The ACET is intended to be completed at least annually, or as significant operational and technical changes occur. Credit unions should continue to review the risk and control maturity results to understand which policies, procedures, processes, and controls are in place and where any corresponding gaps may occur. The periodic reevaluation should include documentation on what improvements have been made (i.e. what declarative statements have been achieved) and how the results were achieved, including resolutions from prior assessments.

The ACET is not the only cyber assessment tool available, but it is now the standard most auditors and NCUA examiners are using. Completing it accurately, and then understanding and acting on the results enables credit unions to confidently understand their cybersecurity risk levels, enhance their cybersecurity posture, and meet auditor, examiner, and Board expectations with confidence. While completing the assessment represents an important first step, taking the information gathered from the assessment, understanding it, and putting a plan in place to address gaps and vulnerabilities helps ensure a credit union can effectively identify and address cyber threats, and demonstrate a strong cybersecurity posture.

For more information, please download our complimentary white paper, Moving Beyond the ACET – Next Steps All Credit Unions Should Take to Improve Cybersecurity Posture.

16 Jan 2020
How NCUA’s Assessment Tool Can Enhance Cybersecurity Preparedness for Credit Unions

Cybersecurity is a top-of-mind concern for all financial institutions as the number and sophistication of threats continues to increase. Attackers today are often well-financed and equipped with the latest technology like machine learning tools, automation, and pre-built toolkits that make it easy for them to attack institutions of all sizes. As the cybersecurity world continues to evolve, it’s important that credit unions do so as well.

In response to this threat, regulatory agencies have introduced a host of new regulations around cybersecurity, and developed tools and guidance aimed to better evaluate a financial organization’s cybersecurity preparedness. Most recently, the National Credit Union Administration (NCUA) developed the Automated Cybersecurity Examination Tool (ACET) to help credit unions better assess their cybersecurity readiness.

The ACET

The ACET, developed in 2017, directly aligns with the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT), released in 2015. Both the CAT and the ACET are designed to support an institution’s measurement of cybersecurity risk and evaluation of control maturity. According to the NCUA, the new exam tool intends to provide a “repeatable, measurable, and transparent process that improves and standardizes our supervision related to cybersecurity in all federally insured credit unions.”

The ACET measures credit union operations, products and services, and cyber controls through two major components: Inherent Risk Profile and Control Maturity. The Inherent Risk Profile determines a credit union’s exposure to risk by identifying the type, volume, and complexity of the institution’s operations. The Control Maturity portion measures a credit union’s level of cybersecurity controls. The levels range from “baseline” to “innovative,” with the 123 baseline statements representing the minimum regulatory expectations. This portion consists of almost 500 declarative statements within the following five domains:

  • Cyber-risk management and oversight
  • Threat intelligence and collaboration
  • Cybersecurity controls
  • External dependency management
  • Cyber-incident management and resilience

While officially the ACET is not strictly required, the NCUA states that “Credit unions may choose whatever approach they feel appropriate to conduct their individual assessments, but the assessment tool would still be a useful guide.” During an examination the NCUA will typically ask if the credit union has completed the ACET or an equivalent assessment, and if not, the examiner will then use the ACET during the exam to complete the cyber assessment with the institution. Simply put, the ACET is the current de facto standard for cyber assessments.

Proper Interpretation is Key

While completing the ACET is recommended, it can also be quite time-consuming, particularly for smaller institutions, due to the amount of prep work and supporting documentation required. To complicate matters further, most of the questions and declarative statements can be interpreted in various ways. Incorrect interpretation will impact the accuracy of stated risk profiles and risk levels, which in turn will result in inaccurate gap analyses and action plans, possibly resulting in under-allocated or misallocated resources.

Next Steps

Regardless of whether you use the ACET or another methodology, simply completing the cyber assessment merely clears the first hurdle in the process; it does not ensure that a credit union is fully prepared. There are several critical next steps credit unions need to take to ensure they are truly prepared to address cybersecurity threats. Next week, we will discuss the steps credit unions should take following completion of the ACET to ensure they are taking a proactive, vigilant, and compliant approach to cybersecurity preparedness.

For more information, please download our complimentary white paper, Moving Beyond the ACET – Next Steps All Credit Unions Should Take to Improve Cybersecurity Posture.