What Credit Unions need to do now that the NCUA released its new Cybersecurity Examination Tool (ACET)

What Credit Unions need to do now that the NCUA released its new Cybersecurity Examination Tool (ACET)

FS-ISAC and CUNA just hosted a webinar, April 5, 2018, where NCUA examiners explained the inner working of the new tool.

That’s right, the NCUA just released the Automated Cybersecurity Examination Tool or better known as the ACET. I’m sure you can hardly contain your excitement! Maybe not exciting but it does signal that you better review the process you have in place. You do have process, right?

ISACA states that,”87% of C-suite professionals and Board members lack confidence in their organization’s cybersecurity initiatives, yet it’s the #1 corporate governance challenge.”

If you believe that statistic then most don’t have a process.

Being a trust advisor to Credit Unions and having built a Cybersecurity and Enterprise Risk Management program, I can share that the key to being successful is having a process in place that you can demonstrate is repeatable. No one care what framework you use. They don’t, what they care about is that you have a process in place, you know how it works and how to use it, and that it works over and over again.

What does this have to do with the ACET? Well the ACET is modeled after the FFIEC Cybersecurity Assessment tool, so closely that it practically mirrors it but is designed to be scalable. A frustration of users of the FFIEC CAT, I can speak from experience, is that it has a “one size fits all” feel and if you’re a smaller organization, under 1B, many of the questions such as in-house application development or are not applicable.

One of the goals of the ACET is to be scalable and appropriate for all CU’s; 50m to 1B+

We’ll have to wait and see how effective it turns out to be but one thing is for certain, our examiner friends will be asking you questions about it and looking to see what you have in place.

Action Steps to take right now:

  1. Ask Questions. CEO’s, ask yourself this question. “How confident do I feel about the effectiveness of our cybersecurity and risk management program.” If you’re feeling less than “confident” and uninformed then your Board is feeling the same way and may not know how best to ask questions.
  2. Focus on the Controls and less on the Threats. One of the goals for all of these types of tools is to document existing controls so you can identify gaps and have a sense of the maturity of your efforts. Start with identifying and documenting controls you already have in place that align to the NIST CSF categories;
    • Identify
    • Protect
    • Detect
    • Respond
    • Recover
  3. Start Talking. Who in the organization knows about existing controls and who needs to hear about gaps. You’d be surprised how many organizations don’t have clearly defined governance and reporting. If a committee doesn’t exist then form an ad hoc committee until you can determine who needs to be on the team. Cybersecurity is not a technology problem, it’s a business problem so don’t default to just thinking the CIO and IT.  If this feels too overwhelming, then take the next action.
  4. Enlist the aid of experts. Resources and information are available more so now than ever before. No need to try and become an expert overnight. ACET and CAT are geared for self-assessment however people often struggle in the interpretation of the questions and the prioritization of actions. This is where experience in the field pays off.


Ask for help. I, and my organization, were early adopters of the NIST CSF and experienced plenty of frustration but through much customization achieved a program focused on communication, transparency and actions that established governance reporting to the Board of Directors.