In most card games, fives are not necessarily a winning hand; you typically need a little more to be at the top of your game. But five is now a special number for credit unions. ACET, the Automated Cybersecurity Examination Tool, is the mechanism that the National Credit Union Administration (NCUA) uses to assess the inherent risk profile and cybersecurity maturity of America's credit unions. It is built on the FFIEC Cybersecurity Assessment Tool, so credit unions that have worked with the FFIEC tool will recognize its structure.
5 ACET Inherent Risk Profile Categories
The NCUA tool rates inherent risk across five categories, each scored at one of five risk levels (Least, Minimal, Moderate, Significant, Most):
- Technologies and connection types
- Delivery channels
- Online/mobile products and technology services
- Organizational characteristics
- External threats
5 Domains of ACET Cybersecurity Maturity
It also assesses cybersecurity maturity across five domains, each rated at one of five maturity levels (Baseline, Evolving, Intermediate, Advanced, Innovative):
- Cyber risk management and oversight
- Threat intelligence and collaboration
- Cybersecurity controls
- External dependency management
- Cyber incident management and resilience
Five really is the magic number here.
When you first open the ACET tool, it is natural to be overwhelmed. With hundreds of declarative statements needing a response and row after row of items in the Document Request List, the first impression is that the tool is overly complicated. But in short order you will start to see overlapping information requests, recurring themes, and more efficient ways of completing the assessment. In fact, spotting those overlaps and the efficiencies they make possible is where much of the value of working through the ACET lies.
Like most cybersecurity frameworks, ACET covers people, processes, and technologies. The challenge of working through an exam is the weeks and months it takes to gather, sort, and present evidence that meets the exam requirements. The ACET helps you identify areas where your technology functionality overlaps. Because cybersecurity has traditionally meant identifying a threat vector and then deploying a product to counter it, most organizations have accumulated an assortment of tools that were never designed to work together. Each tool is its own piece, leaving the security staff to assemble the puzzle. The result is a need for multiple skill sets to operate the range of tools, multiple contracts and licensing agreements to manage, and extra time to collect output from each tool when compliance evidence is due. This is why many organizations consolidate their cybersecurity infrastructure.
The ace in the hole is to have a cybersecurity partner like SilverSky that can provide solutions across a broad set of cybersecurity threats and allow you to remain NCUA compliant. By using ACET as a guide, companies can identify where they have redundant technologies, find places to reduce complexity, and save money.
ACET asks for documentation of the processes and systems that support cybersecurity, such as summaries of network control and monitoring systems (firewalls, IDS/IPS, SIEM, DLP, MDM, etc.). It also asks for summaries of antivirus, antispam, and other email protection tools that block phishing, malware, and ransomware and prevent data exfiltration. Much of this documentation can come directly from a single SilverSky portal, rather than from multiple portals operated by multiple vendors.
NCUA exams also require evidence of IT control testing, vulnerability assessments, network assessments, and penetration testing. Again, you could use several vendors to complete these assessments, but you will still need to pull the puzzle pieces together. SilverSky has twenty years of experience in highly regulated industries and can be a force multiplier for your internal team as you begin this journey.
As a bonus, when your cybersecurity partner goes through the same FFIEC compliance exam that you do, you know they understand the compliance issues far better than vendors that do not go through this process. And that is a winning hand. Contact us if you would like to discuss ways we can help you prepare for ACET and, most importantly, strengthen your cybersecurity posture.