This year, the NCUA will begin using a new tool to help our examiners assess a credit union’s level of cybersecurity preparedness. Called the Automated Cybersecurity Examination Tool, it provides us with a repeatable, measurable and transparent process that improves and standardizes our supervision related to cybersecurity in all federally insured credit unions.
Developed in 2017, the Automated Cybersecurity Examination Tool mirrors the FFIEC’s Cybersecurity Assessment Tool developed for voluntary use by banks and credit unions. Just like the FFIEC’s Tool, our Automated Cybersecurity Examination Tool consists of two parts: the Inherent Risk Profile and the Cybersecurity Maturity level.
The Inherent Risk Profile in the tool helps determine a credit union’s exposure to risk by identifying the type, volume, and complexity of the institution’s operations. The Cybersecurity Maturity portion of the tool is designed to help us measure a credit union’s level of risk and corresponding controls. The levels range from baseline to innovative.
The Cybersecurity Maturity assessment includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness within the following five domains:
- Cyber-risk management and oversight
- Threat intelligence and collaboration
- Cybersecurity controls
- External dependency management
- Cyber-incident management and resilience
Each of these domains includes assessment factors and contributing components. Within each component, declarative statements describe activities supporting the assessment factor at each maturity level.
Additionally, the Automated Cybersecurity Examination Tool incorporates appropriate cybersecurity standards and practices established for financial institutions. The tool maps each of its declarative statements to these best practices found in the FFIEC’s Information Technology Examination Handbook, regulatory guidance, and leading industry standards like the National Institute of Standards and Technology’s Cybersecurity Framework. The tool also provides our examiners a plain-language explanation and references for each of the declarative statements included in the assessment.
In 2018, the NCUA will review credit unions with $1 billion or more in assets using the Automated Cybersecurity Examination Tool, while we continue to refine the tool further to ensure it scales properly for smaller, less complex credit unions. We will use the assessment over the next few years to benchmark the industry’s preparedness levels. These benchmarks will be used to start a dialog on how we all can improve the credit union system’s cybersecurity preparedness levels.
Using the new Automated Cybersecurity Examination Tool ensures we are consistent in our approach and we can scale our expectations properly to the size, complexity and risk exposure of each credit union. The tool will also provide valuable insights that will help us focus our supervision efforts on areas that are the most important for the credit union system. As the tool’s implementation evolves over the course of the year, we will be sure to keep stakeholders informed.
For more information, visit our Cybersecurity Resources website.