The Transition from ACET to InTREx-CU for Credit Union Examinations
The National Credit Union Association (NCUA) Chairman Rodney Hood discussed changes to the credit union (CU) cybersecurity and technology examination program before Congress in early December 2019. Hood announced the adoption of the Information Technology Risk Examination (InTREx) solution to this end. InTREx is utilized by the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve System (FRS), and the State Liaison Committee members of the Federal Financial Institutions Examination Council (FFIEC). As of July 2020, the NCUA's cybersecurity priorities reflect a transition away from the Automated Cybersecurity Examination Tool (ACET) to InTREx-based examinations, which measure the effectiveness of critical security controls.
Information Security Examination Program
The first phase of the adoption involves an InTREx pilot. The pilot will focus on statements and questions, examination procedures, and associated job aids. Furthermore, the InTREx-CU will encourage “examination harmonization” across the financial services sector. As a result, the InTREx-CU will help CUs identify gaps in security controls. Examiners and credit unions will also be armed with tools to identify potential high-risk areas in security programs and address program deficiencies. Ultimately, the NCUA will join the rest of the financial sector by standardizing on a common cybersecurity examination framework. Experienced financial services risk assessors will be familiar with the InTREx audit process documentation that will now serve as the basis for CU cybersecurity examinations. The InTREx Program helps financial institutions improve how they identify, assess, and validate IT risk and address the risks identified.
The 4 Core Analysis Sections of the InTREx
InTREx has four main Core Analysis sections (plus Information and Cybersecurity supplemental guides):
- Audit
- Management
- Development and Acquisition
- Support and Delivery
The new InTREx-CU proposal covers the requirements of the five ACET domains: Cyber Risk Management & Oversight (Audit, Support & Delivery), Threat Intelligence & Collaboration (Management), Cybersecurity Controls (Management, Support & Delivery), External Dependency Management (Management, Development & Acquisition), and Cyber Incident Management & Resilience (Management).
Risk/Threat Profile Management
According to Hood, the InTREx-CU initiative will improve the collection of intelligence on hostile threat actors targeting CUs. From this information, the NCUA hopes to gain insight into the tactics, techniques, and procedures (TTPs) of hostile actors and, in turn, improve the industry’s defensive posture. The CU threat landscape has changed due to technological advances in financial services and a growing remote workforce. By understanding the diverse threats posed by adversaries, the NCUA hopes to curate a best-practice cybersecurity repository for credit unions. Other intended outcomes of the new initiatives are more prescriptive regulatory guidance and an information sharing and analysis function for CUs.
Cybersecurity & Technology
“Safe and sound” credit unions are a cybersecurity “priority” of the NCUA. To this end, Hood sees the InTREx-CU as a critical CU cybersecurity initiative that helps CUs prepare for attacks and build resilience into their security programs. The InTREx-CU represents the next phase towards this reality. Further alignment with the NIST National Initiative for Cybersecurity Education (NICE) Framework will spread security awareness across the broader CU space.
How Lares Can Help CUs Adopt InTREx-CU
Lares continues to stay informed of the cybersecurity initiatives proposed by Chairman Hood and the NCUA. The InTREx-CU will vastly improve the safety and resiliency of CUs. That is why we are supporting CUs adopting the new program updates. Across both our program advisory and assessment (cloud, application, Red Team/Blue Team/Purple Team) practices, Lares’ services align with the new cybersecurity program initiatives underway at the NCUA. Further, our combined services use industry best practices (ISO, NIST, CIS, BSIMM) to build comprehensive security programs. By doing so, we help clients identify, manage, and mitigate risk. Most importantly, we can help CUs meet the new InTREx-CU standards.
Mark Arnold has a 15+ year cybersecurity career, serving 8 of those years in leadership roles. As a transformational leader, Mark has built security teams and programs, authored maturity model blueprints to optimize risk management processes, and implemented security domain practices at large enterprises and service providers. Mark’s areas of interest include cloud security, threat intelligence, vulnerability research, and nation-state attack methods and related activities (e.g. information operations and disinformation campaigns) and their collective impact on nations and society. Mark recently completed an executive education cohort on the intersection of cybersecurity and technology at Harvard’s Kennedy School.