Cybersecurity: What’s your level of preparedness?

Here’s where many credit unions fall short, according a new NCUA tool.

September 12, 2018

NCUA is using a new tool to gauge credit unions’ level of cybersecurity preparedness: The Automated Cybersecurity Examination Tool (ACET).

Developed in 2017, ACET consists of an inherent risk profile and a cybersecurity maturity level, explains Wayne Trout, regional information systems officer for the agency. In 2018, NCUA will examine the 268 credit unions with more than $1 billion in assets using ACET.

Trout, who addressed the CUNA Technology Council’s 5th Annual Security Summit in San Francisco, identified several of credit unions’ “least achieved baseline statements” from the cybersecurity assessments:

  • The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. “You need to have a policy in place that says what information you can share, how you share it, and through what means,” Trout says. “Put it in a box and see how you want to control it,”
  • Organizational assets (i.e., hardware, systems, data, applications) are prioritized for protection based on the data classification and business value. “This is a beast,” he says. “You have so much data in so many places. But take the first shot at it.”
  • A risk assessment focused on safeguarding customer information identifies reasonable and foreseeable internal and external threats, the likelihood and potential damage of threats, and the sufficiency of policies, procedures, and customer information systems. “If your credit union is on the East Coast,” Trout asks, “have you updated your risk policy for the possibility of hurricanes? As things change, you have to bring them into play.”
  • User access reviews are performed periodically for all systems and applications based on the risk to the application or system.
  • Firewall rules are audited or verified at least quarterly.
  • Data flow diagrams are in place and document information flow to external parties.
  • Contracts stipulate that the third-party security controls are regularly reviewed and validated by an independent party.
  • The risk assessment is updated to address new technologies, products, services, and connections before deployment. “Get senior management involved and implement a policy that says nothing goes into play until it goes through the risk assessment process,” he says. “This will prevent a lot of problems.”

Click here for more conference coverage from CUNA News, and get live updates on Twitter via @cumagazine@CUNA_News@CUNACouncils, and by using the #TechCounciland #OMECouncil hashtags. Learn more about the CUNA Councils, a member-led professional society for credit union executives, at