July 29, 2015

NCUA explains FFIEC cybersecurity assessment tool; examiners to be trained

NCUA officials discussed the Federal Financial Institutions Examination Council's new cybersecurity assessment tool during a webinar yesterday and said that, while voluntary, it will go far in helping credit unions prepare against cyber threats.

NCUA Information Systems Officer Patrick Truett walked through the basic steps of a cybersecurity risk assessment, which include identifying a credit union's inherent risk profile and assessing its "cyber maturity" level in five key areas. The tool helps institutions determine a target level of maturity and develop a plan to close the gaps, including allocating new resources and adjusting procedures and programs.

While use of the assessment tool will not be mandatory, NCUA Examination and Insurance Deputy Director Tim Sergeson said NCUA examiners will receive training on the tool so they can apply it in the exam process to collect information about the credit union industry's cybersecurity preparedness as a whole.

NCUA said it will release a Letter to Credit Unions on the tool shortly and will host a series of meetings around the country to educate credit unions on cybersecurity. Staff also plan to publish a "Frequently Asked Questions" page online. NCUA will solicit industry feedback on the usability and effectiveness of the tool, especially for smaller institutions, Sergeson said.

NCUA will post an archive of Wednesday's recorded webinar within the next few weeks.