In 2023, the NCUA implemented the Information Security Examination (ISE) procedures, which were developed to help standardize the examination of credit unions' information security and cybersecurity programs.
ISE objectives include:
- Evaluating management's ability to recognize, assess, monitor, and manage information systems and technology-related risks.
- Assessing whether the credit union has ample expertise to adequately plan, direct, and manage information systems and technology operations.
- Determining whether the board of directors has adopted and implemented adequate information systems and technology-related policies and procedures.
- Evaluating the adequacy of internal information systems and technology controls and oversight to safeguard member information.
The NCUA's ISE and cybersecurity assessment programs incorporate the following:
- Automated Cybersecurity Evaluation Toolbox (ACET): The ACET is a voluntary tool that allows credit unions to determine and measure their own cybersecurity preparedness over time. The tool maps each of its declarative statements to the practices found in the FFIEC IT Examination Handbook, regulatory guidance, and leading industry standards like the National Institute of Standards and Technology Cybersecurity Framework.
- Examiner’s Guide: The Examiner’s Guide provides a framework for consistent application of staff judgment as to conclusions about a credit union’s financial and operational condition and related risk ratings. It also provides a consistent approach for evaluating the adequacy of a credit union’s relevant risk-management processes.
- National Supervision Policy Manual (NSPM): The NSPM establishes national policies, procedures, and guidelines for effective district management, supervision of credit unions, and quality assurance, including as they relate to the NCUA's information security examination policies and procedures.
- FFIEC Information Technology Booklets: The FFIEC IT Handbook Infobase offers a variety of resources ranging from IT booklets and work programs to information on IT security related laws, regulations, and guidance. Financial institutions can use these resources to align their information security and cybersecurity practices with the FFIEC guidelines.
- Credit Union Service Organization (CUSO) Reviews: Although the NCUA lacks direct regulatory authority over CUSOs, the NCUA and state supervisory authorities (under state statutes) periodically perform independent or joint reviews of CUSOs to ensure they comply with statutory and regulatory requirements. These reviews are also designed to ensure that CUSOs use sound business and operational practices and to determine whether each CUSO complies with the statutory and regulatory requirements that apply to the products and services it provides.