Credit Unions Introduced to New Automated Cybersecurity Examination Tool
In the 2018 Data Breach Investigations Report (DBIR), Verizon reported over 53,000 security incidents, including 2,216 confirmed data breaches in 2017. Financial institutions have high stakes when it comes to cybersecurity, and credit unions are natural targets for these types of attacks: as nonprofit entities, they are likely to have limited information technology.
The prevalence and severity of cybersecurity issues make it understandable, then, that the National Credit Union Administration (NCUA) would include cybersecurity among its primary areas of supervisory focus for 2018.
As part of its efforts to better assess credit unions’ cybersecurity preparedness, the NCUA this year will begin to use the new Automated Cybersecurity Examination Tool (ACET) to standardize cybersecurity preparedness assessment of credit unions with $1 billion or more in assets. It will also work to fine-tune the tool to evaluate smaller credit unions in the future after creating a baseline with these larger credit union assessments.
Developed in late 2017, the ACET aligns with the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool that allows institutions to voluntarily identify cybersecurity risk and readiness. The NCUA encourages credit unions to continue to use the FFIEC’s tool for cybersecurity self-evaluation.
In a December 2017 NCUA Letter to Credit Unions, the supervisory group added, “The ACET provides the NCUA with a repeatable, measurable and transparent process for assessing the level of cyber preparedness across federally insured institutions.”
The ACET encourages consistency and scalability of assessment, while also providing insight through benchmarking that will help the NCUA “focus [its] supervision efforts on areas that are the most important for the credit union system.”
“Using the new [ACET] tool ensures we are consistent in our approach and we can scale our expectations properly to the size, complexity, and risk exposure of each credit union,” the NCUA said about its regulatory approach.
In an April webinar joined by Credit Union National Association (CUNA) staff members, Tim Segerson, director of Risk Management for NCUA, said, “We’ve set pretty clear expectations because we want to make sure no one is surprised. This isn’t going to be a ‘gotcha’ situation, but an ongoing conversation and collaboration with the industry.”
The National Association of Federally-Insured Credit Unions (NAFCU) said in a recent post that credit unions should pay close attention to these three takeaways:
- The ACET is not yet finalized and will continue to change
- The NCUA will formally deploy the tool in 2019
- The NCUA is contemplating ACET reviews every 2-3 years. The ACET will replace the Gramm-Leach-Bliley Act/Part 748 Privacy review and the Electronic Banking questionnaire
According to NAFCU, “NCUA does not expect the current iteration of the ACET will prove overwhelming for credit unions using it for the first time.”