In 2017, the National Credit Union Administration launched the ACET—Automated Cybersecurity Examination Tool—to provide a cybersecurity assessment tool for determining the security posture of credit unions. Through 2018 and 2019, the focus was on credit unions with assets of $1B or more. For 2020 through 2023, the focus will expand to include credit unions with assets in excess of $250M. For reference, the average amount of assets held by credit unions in the United States is $286M[1], so many more of the 5,308 credit unions in the US will be required to complete the ACET, and the time to start preparing is now.

Although the ACET closely mirrors the requirements set out in the Federal Financial Institutions Examination Council (FFIEC) assessment, it assesses cybersecurity posture through documentary evidence that supports the answers to 530 statements. ACET asks for more than 200 unique documents, so the impact on credit union staff is significant. Feedback from the pilot testing has shown that completing the assessment may take up to three weeks with the examiner on-site.

What is ACET measuring?

There are two primary outcomes from ACET. The first is an Inherent Risk Profile, made up of five categories: technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics, and external threats. Each of these categories is scored from one to five based on the inherent risk the credit union faces. Ultimately, a blended risk level is established for each area.

The second area of examination is the very robust Cybersecurity Maturity section, which covers five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. Each of these domains has roughly 100 statements that must be addressed with proof. To further judge the level of maturity in each domain, every statement is assigned a maturity level: baseline, evolving, intermediate, advanced, or innovative. The goal, of course, is to show marked improvement in maturity across the domains over time.

If you’re feeling minor heart palpitations right now, you are not alone. The first time you open the ACET spreadsheet, you will likely experience a stress response, but the more time you spend with the tool, the more you see the logical flow of it. Ultimately, you will arrive at the point where it just becomes a case of breaking it down into manageable chunks and getting to work. 

Those who have been through the FFIEC exam or have mapped to the NIST Framework will see a lot of familiar language and requests. But ACET will require significantly more documented proof.

How SilverSky adds value

As I looked through the ACET spreadsheet, I saw several areas where SilverSky will add value to customers. A lot of the Inherent Risk Profile has to do with sizing factors that define the credit union from both business and technology standpoints. Beyond that, the document request list and the cybersecurity maturity area are where the rubber meets the road and where SilverSky can help the most.

ACET asks for documentation and processes that support cybersecurity, such as summaries of network control and monitoring systems (firewalls, IDS/IPS, SIEM, DLP, MDM, etc.). It also asks for summaries of anti-virus, anti-spam, and other email protection tools used to block phishing, malware, and ransomware and to prevent data extraction. Much of this documentation can come directly from the SilverSky portal.

Other areas cover planning and process discussions that require proof of exercises documenting IT controls, vulnerability testing, network assessments, and penetration testing. SilverSky has twenty years of experience in highly regulated industries and can be a great force multiplier for your internal team as you begin this journey.

As compliance testing becomes more stringent and complex, it forces more strategic discussions about building cybersecurity into the front end of business decisions rather than treating it as an afterthought, which is a good thing. Will it be cumbersome and resource-intensive at first? Absolutely. But as maturity levels increase over time, credit unions will be much more cybersecurity conscious and better prepared for the inevitable attacks that will come their way.

If you’d like to learn more about how SilverSky can help you prepare for the ACET, contact your sales representative or call us at 1-800-234-2175.  

 

Sources:

[1] NCUA – June 2019
