What credit unions need to know to ace NCUA's new cybersecurity exam
By this point, you have probably either heard of or already used the National Credit Union Administration’s new tool, the Automated Cybersecurity Examination Tool (ACET).
Developed in 2017, the tool is used by the NCUA to assess how credit unions are preventing and preparing for cyber threats and attacks. The first large wave of ACET assessments started in 2018 and was used to establish a baseline for each federally insured credit union. The ACET provides a uniform measurement of every FICU's security posture and helps determine whether additional supervision is necessary to address any security concerns.
The exam now includes assessment of credit unions over $250 million in assets, which were previously not exposed to the tool or exam process. According to the NCUA Office of Inspector General, the goal is to evaluate 100% of federally insured CUs on a rolling basis, over a four-year maturity assessment lifecycle.
For those who are not familiar with the ACET exam, it’s an examination tool based on the FFIEC Cybersecurity Assessment Tool (CAT). While the ACET can seem overwhelming because of the number of statements it contains, the examination tool is simply an Excel-based version of the CAT with some features added to help examiners track their time and recommendations better. The statements are progressively tiered so that the person completing the ACET can stop answering when a majority of the statements for a maturity level have no answers.
The exam is broken up into two parts – the inherent risk model and cybersecurity maturity.
Part one, the inherent risk model, measures risk across five categories:
- Organizational characteristics – Considers items such as number of direct employees; recent mergers and acquisitions; cybersecurity contractors; users with privileged access; and locations of business presence, operations and data centers.
- Technology services and online and mobile products – There are 14 separate items in this category, including banking and merchant acquiring activities, and various payment services such as person-to-person payments; originating ACH; retail wire transfers; wholesale payments; and merchant remote deposit capture.
- Technologies and connection types – There are also 14 separate items in this category, including the number of internet service providers; third-party connections; whether systems are hosted internally or outsourced; the number of unsecured connections; the use of wireless access; volume of network devices; end-of-life systems; extent of cloud services; and use of personal devices.
- External threats – Considers the volume, sophistication and type of successful and unsuccessful attacks, as this may impact the credit union’s inherent risk.
- Delivery channels – Looks at whether products and services are available through online and mobile delivery channels and the extent of ATM operations.
Part two, the cybersecurity maturity step, covers five main domains. Each domain is broken down into four levels of maturity (baseline, evolving, intermediate and advanced).
- Cybersecurity controls – This focuses on the practices and processes used to protect assets, infrastructure and information by strengthening the institution’s defensive posture through continuous, automated protection and monitoring.
- Cybersecurity risk management and oversight – Includes management and the board of directors' development, oversight, and implementation of an effective enterprise-wide cybersecurity program, with comprehensive policies and procedures for establishing appropriate accountability and oversight.
- External dependency management – This involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships that have access to the institution’s technology assets and information.
- Threat intelligence and collaboration – This seeks to implement processes to effectively discover, analyze and understand cyber threats, with the capability to share information internally and with appropriate third parties.
- Cyber incident management and resilience – The final domain includes establishing, identifying, and analyzing cyber events; prioritizing the institution’s containment or mitigation; and escalating information to appropriate stakeholders.
How a cybersecurity agency can help
The question quickly turns from what the ACET is to how to prepare for it. On top of the already long list of compliance requirements that credit unions must adhere to, prepping for this exam is not only time consuming but, given its complexity, also requires submitters to have technical knowledge of the process.
To complete the ACET, credit unions are required to answer 494 questions and submit roughly 200 documents for examiners to assess how the institution is preventing and preparing for cyber threats and attacks. The NCUA has indicated that it is and will remain a priority for the agency, according to the National Association of Federally-Insured Credit Unions.
With slim staffs and small budgets, how are you supposed to juggle the ACET and your other responsibilities?
This is where partnering with a cybersecurity agency that delivers security-as-a-service can help credit unions, since it extends your team, resources and security expertise.
With an experienced team of cybersecurity experts who understand the ACET on their side, credit unions will be armed with the people, repeatable process and reports needed for the exam. They can collect the necessary materials, predetermine how to provide information, help you understand your weaknesses, and provide training and education to make the exams shorter and less disruptive. They become the experts on your company and use their knowledge of the exam to ease the process and ensure you can comply with all requests.
Prepping for and acing the ACET doesn’t have to be a daunting task that you accomplish alone. Partnering with a cybersecurity agency gives you immediate access to a team of experts who understand the ACET and will help you demonstrate your security posture with repeatable and measurable reports.