On January 7, 2020 the National Credit Union Administration issued its yearly supervisory priorities and Information Systems and Assurance (Cybersecurity) received some renewed focus. According to the National Association of Federally-Insured Credit Unions (NAFCU) blog post, cybersecurity has also been a supervisory priority for many years and will likely continue to remain so.
NCUA will continue using the Automated Cybersecurity Examination Tool (ACET), which is based on the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT). “Sometime in early 2020”, according to NCUA, “Credit unions will have access to the ACET for conducting self-assessments.” NCUA has been using the ACET for credit unions with over $1 billion in assets since 2018, and last year began using the tool for credit unions with over $250 million in assets.
In 2020, the ACET will be used for credit unions with over $100 million in assets. There have also been rumblings that soon all credit unions, regardless of asset size, will find themselves scoped into the requirement.
Finally, the agency is also piloting new procedures in 2020 to “evaluate critical security controls during examinations between maturity assessments” that are scaled to the credit union’s size and risk profile.
Though the NCUA plans to “increase stakeholder outreach this year to provide education and promote awareness on cybersecurity issues”, Lares knows how overwhelming ACET preparation can be. The credit unions we work with often reach out to Lares to help read between the lines of the ACET requirements, map existing security program gaps, conduct IT Risk Assessments, and even assist in working with the NCUA auditor to help articulate the institution’s readiness and alignment.
Lares can help your credit union validate its security posture through offensive security-focused services such as penetration testing, application security assessments, vulnerability scanning, continuous security monitoring, IT risk assessments, virtual Chief Information Security Officer (CISO) services, and coaching.
If your credit union needs help with its ACET alignment activities in 2020, please do not hesitate to reach out by phone (720) 600-0329, by email firstname.lastname@example.org, or via our website https://www.lares.com/cu/. We look forward to helping your institution achieve its security and compliance goals and help you continue to put member satisfaction above everything else.
Andrew Hay is the COO at Lares and is a veteran cybersecurity executive, strategist, industry analyst, data scientist, threat and vulnerability researcher, and international public speaker with close to 25 years of cybersecurity experience across multiple domains. He prides himself on his ability to execute the security strategy of the company with which he works without neglecting business objectives and the needs of its customers. Andrew is the author of multiple books on advanced security topics and is frequently approached to provide expert commentary on industry developments. He has been featured in publications such as Forbes, Bloomberg, Wired, USA Today, and CSO Magazine.