NCUA to gauge effectiveness of credit unions' cybersecurity efforts

The National Credit Union Administration (NCUA) plans to implement a new Automated Cybersecurity Examination Tool (ACET) to determine the effectiveness of credit union cybersecurity programs.

The NCUA plans to implement the ACET this coming January to obtain a baseline measure. After that, it will be deployed every other year. Per NCUA guidelines, federally insured credit unions with assets between $250 million and $10 billion will be subject to review.

The ACET will closely mirror the National Institute of Standards and Technology (NIST) cybersecurity framework, which was designed as voluntary guidance.

A report by the Office of the Inspector General indicates the ACET will address all 98 of the voluntary NIST cybersecurity control guidelines and will also include nearly 500 Declarative Statements, which are the NCUA’s control measures for assessing a credit union.

The National Association of Federally Insured Credit Unions (NAFCU) has been a leading advocate for a strong national data security standard and supports an objective, risk-based approach to cybersecurity that grants financial institutions the flexibility to adopt controls based on their own assessments of threats or risk factors.

NAFCU will review the NCUA’s ACET once it is available in December. However, the association has urged the NCUA not to implement compliance-based cybersecurity in which credit unions are required to implement controls that are not tailored to their institutions’ level of operational complexity.