NCUA issues letter to credit unions about NCUA’s automated cybersecurity evaluation toolbox


In December of 2021, the National Credit Union Administration (NCUA) issued Letter to Credit Unions 21-CU-15 about NCUA’s supervisory efforts to educate federally-insured credit unions on cybersecurity preparedness and how the recent release of the Automated Cybersecurity Evaluation Toolbox (ACET) application may help federally-insured credit unions self-assess their cybersecurity preparedness. The ACET helps a credit union assess readiness against cyber-attacks by weighing a credit union’s own cybersecurity processes and best practices against industry standards and best practices. The ACET maturity assessment (assessment) within the ACET outlines practices taken from the Federal Financial Institutions Examination Council IT Examination Handbook, regulatory guidance, and standards from other institutions such as the National Institute of Standards and Technology Cybersecurity Framework. The letter also underscores that the ACET is a self-assessment, with no requirement from NCUA to use the ACET or implement the assessment.

The ACET User Guide provides an overview of ACET’s two parts. The first part is the inherent risk profile, which identifies the institution’s risks before controls are implemented. The second part measures a credit union’s cybersecurity maturity “across five maturity levels.” The goal of the ACET is to see how “institutionalized” a credit union’s cybersecurity practices are, that is, how deeply they are ingrained in the credit union. The letter also provides a brief set of FAQs to federally-insured credit unions about the ACET. The FAQs address the operational components of the ACET maturity assessment.

