Catching Up With the ACET
This year large credit unions will come face-to-face with the latest version of NCUA's Automated Cybersecurity Examination Tool (ACET). For those unfamiliar with the ACET, the tool is nearly identical to the FFIEC's Cybersecurity Assessment Tool (CAT), which we have blogged about in the past. Today's blog will cover significant information we've learned about the 2018 version of the ACET.
As we've previously reported, NCUA's Supervisory Priorities for 2018 revealed the agency's plan to use the ACET this year at what the agency considers to be the largest and most complex credit unions – those with over $1 billion in total assets – and calibrate baseline cybersecurity expectations using results gathered from the tool's inaugural deployment. Accordingly, the information in this blog reflects a version of the ACET that is subject to change. To help credit unions better understand how the ACET works, NAFCU invited Tim Segerson, deputy director at NCUA's Office of Examination and Insurance, to conduct a webcast covering important aspects of the new tool. You can access the webcast for free here.
At this stage, credit unions should be aware of three important takeaways: 1) the ACET is not yet finalized and will continue to change; 2) NCUA plans to formally deploy the tool in 2019; and 3) NCUA is contemplating ACET reviews every two or three years. When the ACET is used, it will replace the Gramm-Leach-Bliley Act/Part 748 Privacy review and the Electronic Banking questionnaire. NCUA does not expect that the current iteration of the ACET will prove overwhelming for credit unions using it for the first time.
Examiners will be permitted to conduct the ACET review in advance of an exam, during an exam or after. Of course, examiners are also being advised to engage in lead planning ahead of time to ensure a smooth transition. In addition, NCUA was able to share information about its planned ACET workflow for 2018 on the webcast. This information reflected instructions to examiners and revealed important aspects of the review process:
- Declarative statements (used to assess cybersecurity maturity) may be answered affirmatively with reference to compensating controls.
- Credit unions must complete all statements in the baseline maturity level, and may terminate the review above the baseline level based on judgment.
- Examiners are not required to validate all declarative statements by reviewing every piece of collected information; however, examiner judgment will prevail.
- When the majority of declarative statements do not satisfy a given maturity level, the examiner will not review above that level.
- Examiners are advised to limit exam discussions (overview, executive summary, etc.) to the facts that an ACET review was performed, that it was reviewed with management, and that final results were left for further review and consideration.
For smaller credit unions, NCUA has expressed a commitment to streamline the ACET as much as possible; however, the agency has not indicated how it will be used in connection with reviews of small and medium-sized credit unions. What we do know is more testing and refinement of the tool will occur in 2018 to see how the ACET "fits" credit unions that are under $1 billion in total assets. For example, based on feedback received last year when the ACET was still in its pilot stage, NCUA reduced the number of document requests it makes in connection with ACET-based examinations.
Finally, it's worth mentioning that the ACET does a good job of enhancing its source material – the FFIEC's CAT – with more descriptive information. The enhanced guide includes commentary, descriptions of the validation approach for declarative statements, and mapping of individual statements to the FFIEC's IT Booklets and the NIST Framework for Improving Critical Infrastructure Cybersecurity.
Looking forward, NCUA has expressed an intention to develop the tool with a commitment to transparency, collaboration and scalability. The agency will continue to improve the ACET with additional cross-references to major cybersecurity standards while ensuring it is harmonized with other segments of the financial services industry. Meanwhile, credit unions interested in obtaining a current version of the ACET can make a request to CU_cybersecurity@ncua.gov.