The National Credit Union Association believes that Credit Unions will face more sophisticated cyberattacks in the near future.
On the NCUA website, the Chairman wrote, “Nearly every day, we see the growing sophistication of hackers, thieves, and terrorists.”
The NCUA is now going around the country, checking credit unions against a relatively new tool, called the ACET. If you haven’t already gotten a visit or two, expect one soon.
Since CI Security has helped with several ACET audits, we put together this FAQ for quick reference.
NCUA Automated Cybersecurity Examination Tool (ACET): Are you ready?
In 2018, the NCUA began using a new tool to help their examiners assess a credit union’s level of cybersecurity preparedness. Called the Automated Cybersecurity Examination Tool (ACET), it provides a repeatable, measurable, and transparent process that improves and standardizes cybersecurity in all federally insured credit unions.
Previously, because there was no defined assessment methodology that addressed risks specific to credit unions, most relied on the FFIEC Cybersecurity Assessment Tool (CAT) to align themselves with NCUA standards, even though the FFIEC does not directly regulate credit unions. In fact, the ACET essentially mirrors the FFIEC CAT.
What is the Automated Cybersecurity Examination Tool?
The ACET incorporates cybersecurity standards and practices that are appropriate to financial institutions. The ACET maps each of its requirements to the best practices found in the FFIEC’s Information Technology Examination Handbook, financial industry regulatory guidance, and industry standards such as the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF).
In 2018, the NCUA began reviewing credit unions with $1 billion or more in assets using the ACET, with the intention of refining the tool further to ensure it scales properly for smaller, less complex credit unions. Unfortunately, the NCUA has still not released an updated tool that addresses risks for smaller credit unions. That said, the ACET is a valuable tool to assess any credit union’s cybersecurity risks and a good tool for risk mitigation. Most credit unions working with CI Security have begun asking for assessments based on the ACET.
What’s in the Automated Cybersecurity Examination Tool?
The ACET contains two components: the Inherent Risk Profile and the Cybersecurity Maturity level. The Inherent Risk Profile assists in determining a credit union’s exposure to risk by identifying the type, volume, and complexity of the institution’s operations. The Cybersecurity Maturity level measures a credit union’s level of risk and the controls in place to mitigate those risks. The maturity levels are baseline, evolving, intermediate, advanced, and innovative.
When conducting an assessment to define the Cybersecurity Maturity level of a credit union, you must assess controls in the following five domains:
- Domain 1: Cyber-risk Management and Oversight
  - Risk Management
  - Training and Culture
- Domain 2: Threat Intelligence and Collaboration
  - Threat Intelligence
  - Information Sharing
- Domain 3: Cybersecurity Controls
  - Preventative Controls
  - Detective Controls
  - Corrective Controls
- Domain 4: External Dependency Management
  - Relationship Management
- Domain 5: Cyber-incident Management and Resiliency
Why the ACET Is Important for Credit Unions, Regardless of Size
Even if a smaller credit union doesn’t feel that the ACET applies to it, the tool matters because it shows that the credit union is meeting, or working toward meeting, baseline standards. Conversely, failing to meet the baseline standards for each domain typically indicates basic compliance issues that need to be resolved, and those are exactly the kinds of findings the NCUA will pick up on and cite in a Document of Resolution (DOR).
“They won’t nor can they answer all the declarative statements,” says Heather McCalman, credit union council manager for FS-ISAC, the financial services industry security consortium. As comfort, McCalman adds, credit unions only need to complete much of the work once. “Have someone from the IS or IT department involved,” McCalman advises. “If you don’t have that, bring in your virtual CISO, managed security services provider, or other technology consultant to sit with the most tech-savvy person you have.”
Handing over a completed ACET to the NCUA examiner before they even ask for it demonstrates that the credit union understands these standards and is actively working to meet them within their cybersecurity program. “When it’s complete, staff can use the first one as a springboard,” she says. “The ACET is a living document that should change when new products and services are offered and new security technologies are deployed.”
How to Use the ACET
Because the ACET is still essentially a version meant for an NCUA auditor to use, using it entails completing a spreadsheet to record your results. Some tabs (Admin, Guide) are only for use by the NCUA auditor and can be ignored. The tool is finished by completing the tabs covering the following:
</br>
- Dashboard – a depiction of summary results
- Admin – only for NCUA auditors
- Document Request List (DRL) – a list of documents required to pass an audit
- Inherent Risk Profile (IRP) – an area where you assign a capability maturity level from 1 to 5, with 1 as the least mature, and describe the controls that justify the rating
- Material Details – a tab that summarizes the results of the input on the IRP tab
- Domain tabs 1-5 – answer each declarative statement with “yes/no” and add a description of the controls for every “yes” answer (ignore the Reviewed and Suggested Edits columns)
- Guide – a description of the tool’s requirements
Manage Your Cybersecurity Risks by Using the ACET
While the ACET is still not in general release or in use for smaller credit unions, we highly recommend using the tool to identify and manage risk as well as to prepare for the eventual full adoption of the ACET by NCUA.
If you are seeking assistance in preparation for an NCUA audit or are looking to use the ACET as the basis of your cybersecurity assessment, CI Security has InfoSec consultants who specialize in financial services ready to help you anywhere in the process.