What regulators are doing this year and what’s likely for next
In 2018, the National Credit Union Administration rolled out its Automated Cyber Examination Tool examination, starting with credit unions over $1 billion in assets. This process has rolled over into 2019, and this article constitutes a summary of ideas about ACET-based exams for the current year.
NCUA will most likely will issue an update of its plans for 2020 in January. It is likely, though not certain, that the agency will continue along the same path it has been on this year.
ACET applies a modern, industry-wide approach to assessing the evolving landscape of technology and risks. The examination closely tracks the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool, with one big exception: The ACET requests documentation in more than 65 categories to back up 530 statements (170 statements for baseline compliance). In comparison, the prior Gramm-Leach-Bliley Act-based assessment had 150 questions and requested fewer than 10 documents.
According to NCUA Letter to Credit Unions January 2019, “Examiners will continue conducting information security maturity assessments with the Automated Cybersecurity Examination Toolbox (ACET). Examiners will use the ACET to assess credit unions with over 250 million in assets that have not previously received an assessment. All credit unions over $1B in assets will have completed their first initial ACET examination by the end of 2019. The security, confidentiality, and integrity of credit union member information remains a key supervisory priority for the NCUA.
“Two additional areas of supervisory focus for 2019 are the assessment of credit union IT risk management to ensure it effectively identifies, remediates, and controls inherent risks to appropriate residual risk levels, and oversight of service provider arrangements to ensure credit
unions implement effective risk-based supply chain management,” the document continues. “These areas of focus were established as a result of historical examination analysis, emerging threat trends, and sample results of ACET maturity assessments to date.”
NCUA ACET Examination Objectives
- 2019 ACET-based cyber reviews completed at all federally insured credit unions with assets greater than $1 billion
- 2019 ACET-based cyber reviews completed at 38% of all credit unions with assets between $250 million and $1 billion
- 2023 ACET cyber reviews at all federally insured credit unions with assets greater than $250 million
Practically speaking …
- Institutions above $1 billion that haven’t had an ACET based exam will receive one in 2019.
- Credit unions that had an ACET-based exam in 2018 will receive an alternate exam in 2019.
- Institutions above $250 million have a 40% chance of receiving an ACET-based exam in 2019.
- Institutions below $250 million will definitely go through it in the following years, and may receive an ACET exam as part of a pilot to determine how to scale the examination for smaller Institutions.
- Expect an emphasis on vendor management and IT risk management.
ACET Examination Experiences
During an institution’s first ACET examination, the examiner will spend up to four days reviewing the 170 baseline questions and the 67 documents on the document request list. Examiners expect that most credit unions will not comply with all of the baseline questions in the ACET workbook. The agency’s goal in the first ACET exam is to establish a reference point for compliance that will be used in the next ACET examination to measure improvement of the credit union’s cybersecurity and risk management programs. A document of resolution will not be issued for non-compliance unless the credit union is not complying with Gramm-Leach-Bliley Act guidelines.
Don’t wait until you receive notice of your first ACET examination to review the workbook. We have seen a number of cases where credit unions that completed the ACET workbook and developed the documents for the DRL in advance of their examination had a better experience and, in most cases, cut up to two days off of the examination. Your first ACET examination sets a reference point for your cybersecurity posture, so being better prepared will have a positive impact on the examiner and, in some case,s could extend the number of months between examinations.
In some examinations, examiners ask for additional documents and/or add questions from the information system and technology workbook based on previous NCUA examination findings. We call these examinations that do a much deeper dive into certain areas of the credit union’s operations ACET+ Exams. Reviewing previous years’ examination findings is a good starting point in preparing for your next examination. Examiners usually request proof that you have remediated previous DORs. Contacting your examiner early (2-plus months out) and requesting the list of additional documents and statements increases the time you have to prepare.
Between ACET examination cycles (two years), the examiners will often use statements and document lists from the IS&T workbook. Therefore, you need to contact your examiner at least two months before your examination date to discuss what will be the focus of the exam. Much of what the examiner is likely to request is already contained in the ACET statements and documents, potentially with different names.
What to Expect From Your Exam
A typical first standard ACET Examination includes:
- Documentation review of ACET DRL items
- Risk profile statements with documentation backup
- Domain maturity focused on baseline maturity with documentation backup
- Review of CU prepared inputs
- Finalize results in workbook format
- Expect about one week on site, less if well-prepared
AN ACET+ exam will likely include everything covered under a standard ACET examination, plus:
- Questions from the IS&T workbook based on the results of previous examination findings
- Additional documents that are not on the standard DRL, but supplement the information request in a particular area
- An ACET+ exam is often the second ACET based exam a credit union receives. The target maturity level will depend on the reference point for compliance established in the prior exam.
A non-ACET exam may:
- Take place as NCUA continues rollout and fine-tuning of ACET-based exams
- Request different statements than those in the IS&T workbook
- Request a different format for risk analysis information that has the same objective as ACET
- Refer to a different document list requested with a high percentage overlap with ACET (~70%), but probably a different numbering scheme
- Make it useful for you to ask for details early, as it is challenging if you don’t find out about the exam until a month before it happens
It is extremely important to talk to your IT auditing firm before it performs your annual operations assessment. This is because most IT auditing firms use the FFIEC CAT. The big difference between the FFIEC CAT and the ACET is the DRL. You need to ensure your IT auditor reviews the documents that you will provide to your examiner to ensure you have prepared the correct documentation and that your approach is in line with industry standards. Lack of documentation is the root cause of most DORs. The DRLs is focused on providing proof to the NCUA when you answer “Yes” to a question in the ACET workbook that you have tested your controls and that you are enforcing GLBA compliance.
One other area to look at is your library of polices. In many cases your policies may be contained in one large document from a third-party vendor. To better align with the ACET Document List you will need to structure your policy statements to matchup to the documents request list. This can take some time to perform. This is where your League’s audits practice, IT auditing firm, or a cybersecurity firm like Leo Cyber Security can assist you in your preparations.
Jim Bray is SVP/business development for Redstone Consulting Group, Huntsville, Alabama, a CUSO owned by $5.2 billion Redstone Federal Credit Union. RCG has developed an automated version of the NCUA’s ACET workbook (ACET Collaboration Portal) that eliminates the use of spreadsheets and email messages in the audit preparation process, preventing wasted manpower and human error.