On Compliance: NCUA’s New Automated Cyber Examination Tool
Earlier this year, the National Credit Union Administration released its Automated Cyber Examination Tool, which provides enhanced guidance and functionality for performing a cybersecurity risk assessment as part of an NCUA exam. Credit unions are not required to adopt ACET and continue to have independence in how they manage and self-assess their cybersecurity programs, but we think it’s a worthy tool to add to your cybersecurity toolkit.
NCUA is continually updating ACET and has not yet posted it to its website. (Email the agency to request a copy of the latest version.)
ACET is based on the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool, leaving the content unchanged, but extending the functionality by clarifying assessment procedures, providing an easy-to-use required documents list and embedding improved analysis.
Clear Assessment Approach
In any examination, the goal is to be as objective as possible. But there inevitably will be some subjectivity involved. ACET attempts to limit the subjective interpretation of the examiner by providing examination approaches to make the process as transparent as possible. This effort can make a significant difference in ensuring that both the examiner and the credit union have the same understanding of the intent and application of the control.
ACET’s required documents list is an easy-to-use inventory of what your credit union needs to create and have accessible for the assessment. Organization is critical to the efficient validation of controls during the exam. Proactively providing all necessary artifacts will make the process run smoothly. Examiners appreciate it when they don’t have to search for documents—and keeping examiners happy can go a long way toward favorable results.
ACET also incorporates some useful data analysis. The dashboard summarizes the inherent risk profile and presents it next to the derived cybersecurity maturity score for a quick and easy comparison. The maturity detail section also provides an informative summary of all the controls, so you can quickly see which domains and components are adequately addressed. In addition to the analysis provided in ACET, the Financial Services Sector Coordinating Council released a version of the CAT tool in Excel, which contains some useful charts that may be worth exploring.
Now that we’ve reviewed the functionality of ACET, we can address some common questions.
How does ACET affect my credit union?
ACET is currently being used by NCUA when performing examinations for credit unions with assets of greater than $1 billion, but the agency’s long-term goal is to leverage ACET for all examinations. Examiners are continuously evaluating the results of current exams to further develop ACET, both for overall effectiveness and to scale it for smaller credit unions.
Should my credit union adopt ACET?
While this is a question that every credit union must evaluate for itself, most will answer “yes.”
First, it is advantageous to align self-assessment procedures with the third-party auditor. Since NCUA is using ACET to perform examinations, it is providing transparency to its process, allowing your credit union to properly prepare. In essence, NCUA is giving you the test questions, so it is in your best interests to use them. You can complete ACET and provide it to the examiners in advance, which will save time and effort. Furthermore, NCUA is looking to standardize this in the future, so the quicker you start using it, the better prepared you will be for exams.
Second, while ACET does address compliance, it is much more than compliance tool. It is designed to provide management the necessary data points to decide whether the associated risk profile is appropriate for the credit union and identify the maturity gaps in the credit union’s cybersecurity program. It also FFIEC’s Cybersecurity Assessment Tool, most of the content should be familiar to existing staff who have been through an audit within the past couple of years. Transitioning to ACET should not be a wholesale migration, but more of a continued refinement of cybersecurity metrics, capabilities and processes.
Does ACET cover all my cybersecurity requirements?
ACET does provide all the criteria necessary for a competent cybersecurity program. However, performing an assessment with ACET does not inherently mean all requirements are fulfilled. For example, the Gramm-Leach-Bliley Act requires an assessment of the threat to member information, which must still be performed.
Alternatively, ACET may contain some components that your organization is not addressing. This does not necessarily mean that you are out of compliance or will have a negative judgment. Risk management is concerned with the balance of actual risk against risk tolerance, so there may not be a need for specific controls within certain areas at an individual institution.
Should I ignore other cybersecurity guidance, frameworks, or models?
While ACET is a powerful tool for assessing risk, other cybersecurity tools can be applied in conjunction with it to help your credit union make the best possible decisions about protecting member information. For example, quantitative risk assessment can be a powerful model for risk assessment and can help translate technical risk into business risk. Additionally, using a more common tool, such as the National Institute of Standards and Technology’s Cybersecurity Framework, may allow for simpler comparison to peers inside and outside the industry.
Justin Silbert is chief information security officer with CUES Supplier member LEO Cyber Security, Fort Worth, Texas, a cybersecurity consulting company specializing in maturing security programs through leadership, cyber operations, incident response and compliance.