New Tool Will Enhance NCUA’s Cybersecurity Assessments at Credit Unions

This year, the NCUA will begin using a new tool to help our examiners assess a credit union’s level of cybersecurity preparedness. Called the Automated Cybersecurity Examination Tool, it provides us with a repeatable, measurable and transparent process that improves and standardizes our supervision related to cybersecurity in all federally insured credit unions.

Developed in 2017, the Automated Cybersecurity Examination Tool mirrors the FFIEC’s Cybersecurity Assessment Tool developed for voluntary use by banks and credit unions. Just like the FFIEC’s Tool, our Automated Cybersecurity Examination Tool consists of two parts: the Inherent Risk Profile and the Cybersecurity Maturity level.

The Inherent Risk Profile in the tool helps determine a credit union’s exposure to risk by identifying the type, volume, and complexity of the institution’s operations. The Cybersecurity Maturity portion of the tool is designed to help us measure a credit union’s level of risk and corresponding controls. The levels range from baseline to innovative.

 
This image shows in a radiating circle each level of cybersecurity preparedness that credit unions can be rated as using NCUA’s Automated Cybersecurity Examination Tool. As you radiant out of the center the better, your level of cybersecurity is considered. In center is the most basic level, which is baseline. The next level is evolving, then intermediate and advanced. The highest level is innovative.
 

The Cybersecurity Maturity assessment includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness within the following five domains:

  • Cyber-risk management and oversight
  • Threat intelligence and collaboration
  • Cybersecurity controls
  • External dependency management
  • Cyber-incident management and resilience

Each of these domains includes assessment factors and contributing components. Within each component, declarative statements describe activities supporting the assessment factor at each maturity level.

 
This image shows the five domain areas of cybersecurity maturity that are part of NCUA’s Automated Cybersecurity Examination Tool and their associated assessment areas. The first domain is Cyber Risk Management and Oversight. It’s assessment areas are: Governance, risk management, resources and training and culture. The second is Threat Intelligence and Collaboration. Its assessment areas are Threat intelligence, monitoring and analyzing and information sharing. The third domain is cybersecurity controls. Its assessment areas are Preventative controls, detective controls and corrective controls. The fourth domain is External dependency management. Its assessment areas are connections and relationship management. The fifth and final domain is cyber incident management and resilience. It’s assessment areas are incident resilience planning and strategy; detection, response, and mitigation; and escalation and reporting.
 

Additionally, the Automated Cybersecurity Examination Tool incorporates appropriate cybersecurity standards and practices established for financial institutions. The tool maps each of its declarative statements to these best practices found in the FFIEC’s Information Technology Examination Handbook, regulatory guidance, and leading industry standards like the National Institute of Standards and Technology’s Cybersecurity Framework. The tool also provides our examiners a plain-language explanation and references for each of the declarative statements included in the assessment.

In 2018, the NCUA will review credit unions with $1 billion or more in assets using the Automated Cybersecurity Examination Tool, while we continue to refine the tool further to ensure it scales properly for smaller, less complex credit unions. We will use the assessment over the next few years to benchmark the industry’s preparedness levels. These benchmarks will be used to start a dialog on how we all can improve the credit union system’s cybersecurity preparedness levels.

Using the new Automated Cybersecurity Examination Tool ensures we are consistent in our approach and we can scale our expectations properly to the size, complexity and risk exposure of each credit union. The tool will also provide valuable insights that will help us focus our supervision efforts on areas that are the most important for the credit union system. As the tool’s implementation evolves over the course of the year, we will be sure to keep stakeholders informed.

For more information, visit our Cybersecurity Resources website.