Dear Boards of Directors and Chief Executive Officers:
Strengthening the credit union system’s resiliency against potential cyberattacks remains one of the NCUA’s supervisory priorities. To assist in these efforts and to help credit unions understand their level of cybersecurity preparedness, the NCUA released the Automated Cybersecurity Evaluation Toolbox (Toolbox) application in October.
The Toolbox, as well as other pertinent information and resources, are available for download on the agency’s ACET and Other Assessment Tools webpage. The webpage includes a video (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) that provides an overview of the entire process, from the start of an assessment to reviewing reports.
The Toolbox is a no-cost, downloadable application developed to be a holistic cybersecurity resource for credit unions. It also provides credit unions with a no-cost method to conduct cybersecurity self-assessments. The Toolbox assists institutions of all sizes and complexity to determine and measure their information and cybersecurity preparedness against several industry standards and best practices. Using the maturity assessment within the Toolbox may assist credit unions in enhancing their cybersecurity oversight and management.
The maturity assessment incorporates cybersecurity standards and practices established for financial institutions. It includes practices found in the Federal Financial Institutions Examination Council IT Examination Handbooks, regulatory guidance, and leading industry standards like the National Institute of Standards and Technology Cybersecurity Framework. The maturity assessment provides a plain-language explanation and references for each of the statements included within the assessment. By conducting regular assessments, credit unions can better prepare to make risk-driven security management decisions.
While we highly encourage the use and implementation of the maturity assessment for a credit union to determine its information and cybersecurity preparedness level, it is only a self-assessment. Credit unions are not required to use the Toolbox or complete the maturity assessment. However, it can provide insight into additional steps a credit union may consider taking to strengthen its overall security posture.
Todd M. Harper