The NCUA recently held a webinar (recording available until March 7, 2019) to outline the new exam approach and what credit unions should expect. The NCUA has released the Automated Cybersecurity Examination Tool (ACET) to aid examiners in the complex world of cybersecurity risks and controls.
Here are the quick-hitting facts you need to know:
- The ACET is not the only exam guidance – this is in addition to a standard risk-focused IT exam.
- The ACET is built based on the FFIEC CAT – if you have performed internal assessments against the CAT and have been working to move beyond baseline you should be in good shape.
- The ACET was developed due to resource limitations. This means examiners are being asked to review more material efficiently. Have compensating controls clearly documented to ensure the examiner can follow your thought process.
- The ACET was first used in December 2017 and is being rolled out for all exams starting with larger institutions to streamline the process. This will help the NCUA appropriately scale expectations for smaller institutions.
Exams using the ACET will provide another benefit – the work program the examiner uses, and therefore the examiner's expectations, are public knowledge. There should be no surprises during any review – the ACET provides specific controls to implement. This will also help the NCUA obtain a standardized view of the industry and set appropriate baseline expectations.
The ACET is still in a working form as the NCUA adjusts expectations, but from our initial review the Draft 1.0 version is self-explanatory. Each domain maps back to the FFIEC CAT, which in turn maps to the NIST Cybersecurity Framework. Credit unions should receive the ACET ahead of any exam, which will help in adjusting any compensating control wording carried over from your FFIEC CAT results.