5 Things to Know About the New NCUA Automated Cybersecurity Examination Tool

The financial services industry is often in the crosshairs of cyberattacks. This puts regulators under intense pressure to ensure that banks and credit unions are as secure as possible.

Regulators have taken many steps over the past three years to better position the industry against cyberattacks. The most recent evolution of this campaign is the NCUAs Automated Cybersecurity Examination Tool (“ACET”), a tool that aims to standardize the security baseline by which all credit unions are reviewed and to allow the NCUA to better aggregate information on industry practices.

The ACET is an examination tool based on the FFIEC Cybersecurity Assessment Tool (“CAT”). The NCUA announced last December that it was developing the ACET and stated that credit unions with over $1 billion in assets would be examined using the new tool in 2018 as a test of the process. Since then, the NCUA has clarified how the tool would be used and has added that they intend to roll the tool out to all credit unions over the coming years.

For credit unions that are wondering how the ACET will impact their exams, this week we present these 5 things to know regarding the ACET: 

1. The ACET is the CAT with added features for examiners: For credit unions who have used the CAT to assess their inherent risk level and cybersecurity maturity level in the past, the contents of the ACET will be very familiar. That is because the ACET is an Excel-based version of the CAT with some features added to help examiners track their time and recommendations better. As a matter of fact, any of you who have utilized the FSSCC Automated Cybersecurity Tool or our cybersecurity assessment tool in the past will find that the ACET is a very similar tool.
   
   
2. There will be no ACET findings: The first time that a credit union is examined using the ACET, the NCUA says there will be no findings issued from the tool unless there is a clear violation of a regulation (such as a GLBA violation). Additionally, the NCUA may waive the GLBA review and the Electronic Banking questionnaire for any credit union that is receiving an exam with the ACET. The focus the first time around is to have discussions and to educate, not to penalize. 
   
   
3. The ACET is voluntary (but recommended): Since the introduction of the CAT in 2015, the NCUA has stated that usage of the tool is voluntary. The ACET is also voluntary. When the NCUA does an examination using the ACET, they will provide a list before the exam of about 30 items that they need for the review. They will also ask the credit union if they have completed the ACET. If the credit union has not completed the ACET, the examiner will complete it with the provided materials.  This will not be considered a negative, as the NCUA wants their examiners to perform this work so that they become experts in using the tool. If the credit union has completed the ACET, the NCUA will have more time to spend reviewing the tool with the credit union and making suggestions. We highly recommend that credit unions complete the ACET ahead of time so that they can have more meaningful discussions during the exam.
   
   
4. You can get the ACET now, but you need to ask: The NCUA continues to develop the ACET, so they have not yet made it publicly available. They want to make sure that anyone who gets a copy knows that it is a work in progress. The final version is not expected to be released officially until 2019. If a credit union wants to get a copy now, all they need to do is ask their NCUA examiner for it. Credit Unions that do get an early copy are encouraged to request refreshed copies before their exam.
   
   
5. Stop when you determine your maturity level: The ACET can seem overwhelming at first because of the number of statements it contains, and it might seem like an ACET-based exam will take longer. In reality, the ACET uses the same maturity levels as the CAT (Baseline, Evolving, Intermediate, Advanced, Innovative), and the statements are progressively tiered so that the person completing the ACET can stop answering when a majority of the statements for a maturity level have “no” answers. The NCUA will follow this same methodology, so the examiner should not attempt to answer Intermediate maturity questions if the credit union is not yet at an Evolving maturity level. Since the NCUA expects most credit unions to be in the Baseline or Evolving categories, this means that most ACET exams will include under half of the available statements.  
   
   

Bedel Security works every day with banks and credit unions to help them reach their next cybersecurity maturity level. If you are a credit union who wants to be proactive in completing the ACET but doesn’t know quite where to start, contact us to see how we can help!