NCUA Issues Letter to Credit Unions about NCUA’s Automated Cybersecurity Evaluation Toolbox
In December of 2021, the National Credit Union Administration (NCUA) issued Letter to Credits Union 21-CU-15 about NCUA's supervisory efforts to educate federally-insured credit unions on cybersecurity preparedness and how the recent release of the Automated Cybersecurity Evaluation Toolbox (ACET) application may help federally-insured credit unions self-assess their cybersecurity preparedness. The ACET helps a credit union assess readiness against cyber-attacks by weighing a credit union’s own cybersecurity processes and best practices against industry standards and best practices. The ACET maturity assessment (assessment) within the ACET outlines practices taken from the Federal Financial Institution Examination Council IT Examination handbook, regulatory guidance, and other standards from other institutions such as the National Institute of Standards and Technology Cybersecurity Framework. The letter also underscores the ACET is a self-assessment with no requirement from NCUA to use the ACET or implement the assessment.
The ACET User Guide provides an overview of ACET’s two parts. The first part is the inherent risk profile, which identifies the institution’s risks before controls are implemented. The second part measures a credit union’s cybersecurity maturity “across five maturity levels.” The goal of the ACET is to see how “institutionalized” a credit union’s cybersecurity practices are engrained in the credit union. The letter also provides a brief set of FAQs to federally-insured credit unions about the ACET. The FAQs address the operational components of the ACET maturity assessment.
Once the ACET is installed, the ACET serves as a standalone app that is locally stored. However, there may be minimal software and hardware requirements to use the ACET, which NCUA lists in the ACET User Guide as follows: (1) Pentium dual-core 2.2 GHz processor (Intel x86 compatible); (2) 6 GB free disk space; (3) 4 GB of RAM; (5) Microsoft Windows 10 or higher; (6) Microsoft .NET Framework 4.7 Runtime; (7) SQL Server 2012 Express LocalDB (included in ACET installation); and (8) IIS Express 8 (included in ACET installation). In the event there are questions or issues, the toolbox also provides several resources such as video and a user guide that gives a user a walk through from installation to assessment.
The FAQs also discuss how the ACET maturity assessment interacts with existing information security guidance. NCUA did not implement the ACET maturity assessment to replace a credit union’s existing information security program. While the maturity assessment found in the ACET is separate from a GLBA risk assessment process under appendix A to Part 748 of NCUA’s rules and regulations, the FAQs reaffirm the ACET maturity assessment may be a component of a GLBA risk assessment process. According to the FAQs, credit unions should still use the GLBA risk assessment process “in the development of [their own] information security program.”
A credit union may want to use the ACET to better understand its readiness in light of growing cybersecurity risk and geopolitical events. NCUA recently notified credit unions of a cybersecurity warning issued by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The warning asks credit unions to adopt a “heightened state of awareness and to conduct proactive threat hunting.” Cybersecurity will continue to be on the minds of compliance professionals as cybersecurity is a NCUA supervisory priority entering 2022.