ALEXANDRIA, Va. (7/30/15)--The National Credit Union Administration intends to incorporate the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool into its examinations, starting in June 2016. NCUA staff presented information on the tool, as well as how the agency will use it in its activities, during a webinar Wednesday.
“For us at NCUA, we do intend to eventually incorporate the tool and the components of the tool into an examination approach. We’re going to take a long time to both train our staff on it and also give the industry a long time to get comfortable with the tool,” said Tim Segerson, deputy director of the NCUA’s Office of Examination and Insurance. “It is never going to be, at least at this point in time, a mandatory component.”
The FFIEC released the tool June 30, after a pilot program the previous year that involved 500 financial institutions, including credit unions. It is intended as a scalable resource to help financial institutions identify risks and assess cybersecurity preparedness.
Starting in June 2016, assuming the NCUA is able to successfully train examiners in the tool’s usage, its methodologies will be incorporated into the examination process.
The tool takes a basic approach of measuring an institution’s inherent risk, based on the combination of activities, products, services and scope of operations offered. The tool aims to show the proper “maturity” of an institution’s cybersecurity program, based on that inherent risk.
“It will be a process that, as we get down the road and have thoroughly trained our examiners, will help our examiners organize a review methodology around cybersecurity,” Segerson said. “It will help us collect information on the industry and to identify areas where we could possibly provide guidance to help the industry move in a direction we feel they need to move in.”
For the next 12 months, the NCUA will conduct a wide-ranging public outreach campaign designed to inform credit unions about the tool. This includes eventually reaching out to organizations such as CUNA, as well as state leagues.
Although the tool itself is new, it was put together using information from the pilot program, as well as regulations and guidance already in place.
“The agency took a very direct approach to identifying current guidance and regulatory requirements as a baseline,” said Segerson. “When you look at the tool and you look at the baseline statements, those are all directly tied to specific regulatory requirements under Part 748 for credit unions, or to guidance provided by the (information technology) handbooks and examination guidance we’ve provided in the past.”