In 2017, the National Credit Union Administration launched the ACET—Automated Cybersecurity Examination Tool—to provide a cybersecurity assessment tool for determining the security posture of credit unions. Through 2018 and 2019, the focus was on credit unions with assets of $1B or more. For 2020 through 2023, the focus will be expanding to include those credit unions with assets in excess of $250M. For reference, the average amount of assets held by credit unions in the United States is $286M, so this means that many more of the 5,308 credit unions in the US will be required to complete the ACET and the time to start preparing is now.
Although the ACET closely mirrors the requirements set out in the Federal Financial Institutions Examination Council (FFIEC) assessment, it assesses cybersecurity posture through documentary evidence supporting the answers to 530 statements. ACET asks for more than 200 unique documents, so the impact on credit union staff is significant. Feedback from the pilot testing has shown that completing the assessment may take up to three weeks with the examiner on-site.
What is ACET measuring?
There are two primary outcomes from ACET. The first is an Inherent Risk Profile – made up of five categories – technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics, and external threats. Each of these categories is scored from one to five based on the inherent risk the credit union faces. Ultimately, a blended risk level is established for each area.
The second area of examination is the very robust Cybersecurity Maturity section, which covers five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. Each of these domains has roughly 100 statements that must be addressed with proof. To further judge the level of maturity in each of these domain areas, the statements are assigned a maturity level, which includes baseline, evolving, intermediate, advanced, and innovative. The goal, of course, is to show marked improvement in maturity across the domains over time.
If you’re feeling minor heart palpitations right now, you are not alone. The first time you open the ACET spreadsheet, you will likely experience a stress response, but the more time you spend with the tool, the more you see the logical flow of it. Ultimately, you will arrive at the point where it just becomes a case of breaking it down into manageable chunks and getting to work.
Those who have been through the FFIEC exam or have mapped to the NIST Framework will see a lot of familiar language and requests. But ACET will require significantly more documented proof.
How SilverSky adds value
As I looked through the ACET spreadsheet, I saw several areas where SilverSky will add value to customers. A lot of the Inherent Risk Profile has to do with sizing factors that define the credit union from both business and technology standpoints. Beyond that, the document request list and the cybersecurity maturity area are where the rubber meets the road, and where SilverSky can help the most.
ACET asks for documentation and processes that support cybersecurity, such as summaries of network control and monitoring systems (firewalls, IDS/IPS, SIEM, DLP, MDM, etc.), and summaries of anti-virus, anti-spam, and other email protection tools used to block phishing, malware, and ransomware and to prevent data exfiltration. Much of this documentation can come directly from the SilverSky portal.
Other areas are planning and process discussions that require proof of exercises performed to document IT controls, vulnerability testing, network assessments, and penetration testing. SilverSky has twenty years of experience in highly regulated industries and can be a great force-multiplier to your internal team as you begin this journey.
As compliance testing becomes more stringent and complex, it forces more strategic discussions about building cybersecurity into the front end of business decisions rather than treating it as an afterthought, which is a good thing. Will it be cumbersome and resource-intensive at first? Absolutely. But as maturity levels increase over time, credit unions will be much more cybersecurity conscious and prepared for the inevitable attacks that will come their way.
If you’d like to learn more about how SilverSky can help you prepare for the ACET, contact your sales representative or call us at 1-800-234-2175.
Source: NCUA – June 2019