No doubt every credit union will have heard of the Automated Cybersecurity Examination Tool (ACET). It’s the latest compliance requirement aiming to provide a repeatable, measurable and transparent process that improves and standardizes supervision related to cybersecurity in all federally insured credit unions. A Cybersecurity Agency delivering Security-as-a-Service can help credit unions with the people and repeatable process to meet ACET requirements.
The first large wave of ACET assessments started in 2018 and is establishing a baseline for each federally insured credit union (FICU). The tool is also being used to provide a uniform measurement of all FICUs’ security postures and to determine whether additional supervision is necessary to address any security concerns.
The exams now include assessment of credit unions over $250 million in assets that were previously not exposed to the tool or the exam process. The NCUA Office of Inspector General (OIG) said that the NCUA’s overall goal is to evaluate 100% of FICUs on a rolling basis over a four-year maturity assessment life cycle.
Understanding the ACET / CAT
The ACET is an examination tool based on the FFIEC Cybersecurity Assessment Tool (CAT). The CAT has two parts; the first covers the inherent risk model and the second focuses on cybersecurity maturity.
Part one, the inherent risk model, measures risk across five categories:
- Technologies and Connection Types — includes “the number of Internet service provider (ISP) and third-party connections, whether systems are hosted internally or outsourced, the number of unsecured connections, the use of wireless access, volume of network devices, end-of-life systems, extent of cloud services, and use of personal devices.” The assessment tool lists 14 separate items in this category.
- Delivery Channels — addresses “whether products and services are available through online and mobile delivery channels and the extent of [ATM] operations.”
- Online/Mobile Products and Technology Services — includes “various payment services … person-to-person payments, originating automated clearing house (ACH), retail wire transfers, wholesale payments, merchant remote deposit capture [RDC] … correspondent banking and merchant acquiring activities.” There are 14 separate items in this category.
- Organizational Characteristics — considers items such as “mergers and acquisitions, number of direct employees and cybersecurity contractors … the number of users with privileged access … locations of business presence, and locations of operations and data centers.”
- External Threats — considers the “volume and type of attacks,” both successful and unsuccessful, which may impact the credit union’s inherent risk, as well as the “volume and sophistication” of attacks targeting the credit union.
Part two, the cybersecurity maturity assessment, covers five main domains. Each domain is broken down into four levels of maturity against which an organization assesses itself – baseline, evolving, intermediate and advanced. The five domains of cybersecurity maturity are summarized below.
- Cybersecurity risk management and oversight – The first domain focuses on the board of directors’ (board’s) oversight and management’s development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
- Threat intelligence and collaboration – The second domain seeks to implement processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
- Cybersecurity controls – The third domain is focused on practices and processes used to protect assets, infrastructure, and information by strengthening the institution’s defensive posture through continuous, automated protection and monitoring.
- External dependency management – The fourth domain involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution’s technology assets and information.
- Cyber incident management and resilience – The final domain includes establishing, identifying, and analyzing cyber events; prioritizing the institution’s containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
The full details behind the cybersecurity examination tool can be found here.
If you’ve used the CAT to assess your inherent risk level and cybersecurity maturity levels previously, the ACET will be familiar. It is simply an Excel-based version of the CAT with some features added to help examiners track their time and recommendations better.
While the ACET can seem overwhelming because of the number of statements it contains, the ACET uses the same maturity levels as the CAT. The statements are progressively tiered so that the person completing the ACET can stop answering when a majority of the statements for a maturity level have “no” answers. The NCUA will follow this same methodology, so the examiner should not attempt to answer Intermediate maturity questions if the credit union is not yet at an Evolving maturity level.
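To make the tiered answering rule concrete, here is an added example (not code from the page, the NCUA or Cygilant) that applies it to constructed sample answers: for each domain it walks the four maturity levels in order, stops at the first level where a majority of statements are answered “no”, and lists any statements that were answered above that stop point. Applying the rule per domain and treating a tie as not a majority are assumptions of this example; it follows only the page’s description of the rule, not the official ACET scoring.

```python
# Added example: models the "stop when a majority of a level's statements are
# 'no'" rule described above. Domain names come from the page; statement ids,
# answers and the per-domain application of the rule are constructed assumptions.
from collections import defaultdict

LEVELS = ["baseline", "evolving", "intermediate", "advanced"]

# Constructed sample rows: (domain, maturity level, statement id, answer)
SAMPLE_ANSWERS = [
    ("Cybersecurity controls", "baseline", "C.1", "yes"),
    ("Cybersecurity controls", "baseline", "C.2", "yes"),
    ("Cybersecurity controls", "baseline", "C.3", "no"),
    ("Cybersecurity controls", "evolving", "C.4", "no"),
    ("Cybersecurity controls", "evolving", "C.5", "no"),
    ("Cybersecurity controls", "evolving", "C.6", "yes"),
    ("Cybersecurity controls", "intermediate", "C.7", "yes"),  # past the stop
    ("External dependency management", "baseline", "E.1", "yes"),
    ("External dependency management", "evolving", "E.2", "yes"),
    ("External dependency management", "evolving", "E.3", "yes"),
]

def majority_no(answers):
    """True when more than half of the answers at a level are 'no' (a tie is not a majority)."""
    nos = sum(1 for a in answers if a.strip().lower() == "no")
    return nos * 2 > len(answers)

def assess_domain(rows):
    """Walk the levels in order and stop at the first level with a majority of 'no'.

    Returns (highest level reached before the stop, or None; ids of statements
    answered above the stop level) so a reviewer can spot answers the tiered
    process says should not have been given.
    """
    by_level = defaultdict(list)
    for _, level, sid, answer in rows:
        by_level[level].append((sid, answer))
    reached, stop_index = None, len(LEVELS)
    for i, level in enumerate(LEVELS):
        answers = [a for _, a in by_level.get(level, [])]
        if not answers or majority_no(answers):  # nothing answered also ends the walk
            stop_index = i
            break
        reached = level
    extra = [sid for lvl in LEVELS[stop_index + 1:] for sid, _ in by_level.get(lvl, [])]
    return reached, extra

def assess(all_rows):
    """Group rows by domain and apply the stop rule to each domain."""
    domains = defaultdict(list)
    for row in all_rows:
        domains[row[0]].append(row)
    return {d: assess_domain(rows) for d, rows in domains.items()}
```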
How a Cybersecurity Agency can help
The question quickly turns from what is the ACET to how to be prepared for it. This is where every credit union we know gets concerned. To complete the ACET, credit unions are required to answer 494 questions and submit roughly 200 documents for examiners to assess how the institution is preventing and preparing for cyber threats and attacks.
This exam preparation is clearly time-consuming and technical, but, according to NAFCU, the NCUA has indicated that the exam is and will remain a priority for the agency. Collecting the necessary materials, deciding in advance how to provide information, knowing your weaknesses and reviewing training and education can help make the exams shorter and less disruptive.
This is where a Cybersecurity Agency delivering Security-as-a-Service can help. With an experienced team of cybersecurity experts who understand the ACET, credit unions will be armed with the people, repeatable process and reports needed for the exam.
Cygilant, the leading Cybersecurity Agency, has a team of experts who understand the ACET. Through a combined, integrated offering, Cygilant delivers the people needed to prepare for the exam and to demonstrate a credit union’s security posture with repeatable and measurable reports.
Learn more about Cygilant’s Security-as-a-Service for credit unions.