Credit union regulator working to update its IT exam program

The federal regulator of credit unions is working to update its information technology (IT) examination program to include continued and enhanced “maturity” assessments of credit unions’ cybersecurity programs beyond 2019, according to a recently issued inspector general report.

The update will alternate use of the Automated Cybersecurity Examination Tool (ACET), which applies to credit unions with more than $1 billion in assets, with optional cybersecurity control (CSC) reviews based on CIS Controls. Those controls, the report notes, are the foundation of NCUA’s CSC reviews and are created by the nonprofit Center for Internet Security.

The report, dated July 31 and issued by the National Credit Union Administration (NCUA) Office of Inspector General (OIG), was initiated by the OIG itself as a review of the NCUA Office of National Examination and Supervision’s (ONES) oversight of cybersecurity programs of credit unions with $10 billion or more in assets and corporate credit unions (also known as “credit unions’ credit unions”).

The OIG made no recommendations in its report, but it said it “may conduct additional reviews of the NCUA’s cybersecurity examination program after the agency has incorporated its planned enhancements into its risk-focused examination program.”

NCUA implemented ACET in 2018. In its report, the OIG said that according to an NCUA representative, the initial ACET Assessments established a baseline for each federally insured credit union (FICU) assessed that year; provided a uniform measurement for all FICUs’ security postures; and determined whether additional supervision is necessary to address any concerns.

As to future ACET assessments, the report states that a management official in the Office of Examination and Insurance said the NCUA’s overall goal is to evaluate 100% of FICUs on a rolling basis over a four-year maturity assessment life cycle.

That official, the report states, said NCUA’s plans for the maturity assessment portion of the agency’s overall cybersecurity examination program, which includes a new Automated Cybersecurity Examination Toolbox (ACET Solution) to conduct enhanced maturity assessments of all FICUs, are to get a perspective on the state of the credit union industry and identify areas of focus to guide communications and examination program priorities.