Inherent risk is always dynamic

Cybercriminals’ strategies, tactics are constantly changing.

As the business landscape continues to evolve, accelerated by the coronavirus (COVID-19) pandemic, many credit union executives have revenue generation and cost containment at the forefront of their minds. There tends to be less appetite for ongoing investments that elevate cybersecurity.

For many credit unions, a sense of weariness sets in when, year after year, they repeat the same tasks to meet the same information technology (IT) risk requirements. IT or cybersecurity teams move through the Federal Financial Institutions Examination Council (FFIEC), Federal Deposit Insurance Corp. (FDIC), Automated Cybersecurity Evaluation Toolbox (ACET), or other tools and check the boxes they believe will keep regulators happy. Unfortunately, that approach misses the point.

NCUA has made some tweaks to its oversight approach. But if ACET, which is now categorized as a self-assessment tool, is embraced as intended, credit unions will navigate toward increasingly robust cybersecurity postures. Risk reduction is a primary goal for most executives, and a more mature cybersecurity posture can accomplish that goal.


continue reading »