October 13, 2017

NAFCU reiterates call for flexibility as NCUA implements cybersecurity exam tool

A recent audit report revealed the NCUA plans to implement a new Automated Cybersecurity Examination Tool (ACET) to determine the effectiveness of credit union cybersecurity programs. NAFCU continues to urge the agency to avoid forcing credit unions into a one-size-fits-all cybersecurity program.

The self-implemented audit was conducted by the NCUA's Office of Inspector General (OIG) from February 2016 through last month to determine whether the NCUA's IT examination program provides adequate oversight of credit unions' cybersecurity programs and whether credit unions are doing enough to protect member information from cyber-attacks.

The audit determined the ACET will have greater scope than previous NCUA IT exam procedures. It will closely mirror the National Institute of Standards and Technology (NIST) cybersecurity framework, which was designed as voluntary guidance.

The NCUA plans to implement the ACET in January to obtain a baseline measure; the tool will then be deployed every other year. Per NCUA guidelines, federally-insured credit unions with assets between $250 million and $10 billion will be subject to review.

The OIG report indicates the ACET will address all 98 of the voluntary NIST cybersecurity control guidelines and will also include nearly 500 Declarative Statements, which are the NCUA's control measures for assessing a credit union.

NAFCU has been a leading advocate for a strong national data security standard and supports an objective, risk-based approach to cybersecurity that grants financial institutions the flexibility to adopt controls based on their own assessments of threats or risk factors.

The association has also urged against NCUA's implementing compliance-based cybersecurity in which credit unions are required to implement controls that are not tailored to their institutions' level of operational complexity.

NAFCU will review the NCUA's ACET once available, expected in the December release of the agency's Automated Integrated Regulatory Examination System. NAFCU resources on cybersecurity are available here.