Catching up with the ACET

This year large credit unions will come face-to-face with the latest version of NCUA’s Automated Cybersecurity Examination Tool (ACET). For those unfamiliar with the ACET, the tool is nearly identical to the FFIEC’s Cybersecurity Assessment Tool (CAT), which we have blogged about in the past. Today’s blog will cover significant information we’ve learned about the 2018 version of the ACET.

As we’ve previously reported, NCUA’s Supervisory Priorities for 2018 revealed the agency’s plan to use the ACET this year at what the agency considers to be the largest and most complex credit unions – those with over $1 billion in total assets – and calibrate baseline cybersecurity expectations using results gathered from the tool’s inaugural deployment. Accordingly, the information in this blog reflects a version of the ACET that is subject to change. To help credit unions better understand how the ACET works, NAFCU invited Tim Segerson, deputy director at NCUA’s Office of Examination and Insurance, to conduct a webcast covering important aspects of the new tool. You can access the webcast for free here.

At this stage, credit unions should be aware of three important takeaways: 1) the ACET is not yet finalized and will continue to change; 2) NCUA plans to formally deploy the tool in 2019; and 3) NCUA is contemplating ACET reviews every two or three years. When the ACET is used, it will replace the Gramm-Leach-Bliley Act/Part 748 Privacy review and the Electronic Banking questionnaire. NCUA does not expect the current iteration of the ACET will prove overwhelming for credit unions using it for the first time.


continue reading »