ACET – Reality Sets In for Many More Credit Unions


by Kyle Benson, Product Marketing Manager

In 2017, the National Credit Union Administration launched the ACET (Automated Cybersecurity Examination Tool) to provide a cybersecurity assessment tool for determining the security posture of credit unions. Through 2018 and 2019, the focus was on credit unions with assets of $1B or more. For 2020 through 2023, the focus will expand to include credit unions with assets in excess of $250M. For reference, the average amount of assets held by credit unions in the United States is $286M[1], so many more of the 5,308 credit unions in the US will be required to complete the ACET, and the time to start preparing is now.

Although the ACET closely mirrors the requirements set out in the Federal Financial Institutions Examination Council (FFIEC) assessment, it assesses cybersecurity posture through documentary evidence that supports the answers to 530 statements. ACET asks for more than 200 unique documents, so the impact on credit union staff is significant. Feedback from the pilot testing has shown that completing the assessment may require the examiner to be on-site for up to three weeks.

What is ACET measuring?

There are two primary outcomes from ACET. The first is an Inherent Risk Profile made up of five categories: technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics, and external threats. Each of these categories is scored from one to five based on the inherent risk the credit union faces. Ultimately, a blended risk level is established for each area.

The second area of examination is the very robust Cybersecurity Maturity section, which covers five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. Each of these domains has roughly 100 statements that must be addressed with proof. To further judge the level of maturity in each domain, each statement is assigned a maturity level: baseline, evolving, intermediate, advanced, or innovative. The goal, of course, is to show marked improvement in maturity across the domains over time.

If you’re feeling minor heart palpitations right now, you are not alone. The first time you open the ACET spreadsheet, you will likely experience a stress response, but the more time you spend with the tool, the more you see the logical flow of it. Ultimately, you will arrive at the point where it just becomes a case of breaking it down into manageable chunks and getting to work. 

Those who have been through the FFIEC exam or have mapped to the NIST Framework will see a lot of familiar language and requests. But ACET will require significantly more documented proof.

How SilverSky adds value

As I looked through the ACET spreadsheet, I saw several areas where SilverSky will add value to customers. A lot of the Inherent Risk Profile has to do with sizing factors that define the credit union from both business and technology standpoints. Beyond that, the document request list and the cybersecurity maturity area are where the rubber meets the road and where SilverSky can help the most.

ACET asks for documentation and processes that support cybersecurity, such as summaries of network control and monitoring systems (firewalls, IDS/IPS, SIEM, DLP, MDM, etc.). It also asks for summaries of anti-virus, anti-spam, and other email protection tools used to block phishing, malware, and ransomware and to prevent data extraction. Much of this documentation can come directly from the SilverSky portal.

Other areas involve planning and process discussions that require proof of exercises to document IT controls, vulnerability testing, network assessments, and penetration testing. SilverSky has twenty years of experience in highly regulated industries and can be a great force multiplier for your internal team as you begin this journey.

As compliance testing becomes more stringent and complex, it forces more strategic discussions about building cybersecurity into the front end of business decisions rather than treating it as an afterthought, which is a good thing. Will it be cumbersome and resource-intensive at first? Absolutely. But as maturity levels increase over time, credit unions will be much more cybersecurity conscious and prepared for the inevitable attacks that will come their way.

If you’d like to learn more about how SilverSky can help you prepare for the ACET, contact your sales representative or call us at 1-800-234-2175.  

 

Sources:

[1] NCUA – June 2019
