The NCUA uses a risk-based approach to examining and supervising credit unions. The risk-based approach addresses the following seven primary areas of risk:
- Credit risk;
- Interest rate risk;
- Liquidity risk;
- Transaction risk;
- Compliance risk;
- Strategic risk, and;
- Reputation risk.
All federally insured credit unions receive an NCUA examination on a periodic basis.1To ensure both compliance with applicable laws and regulations, and safety and soundness, a review of the credit union’s information security program is performed at each examination. The NCUA uses a risk-focused approach to examine credit unions’ information security to provide examiners flexibility to focus on areas of material current or potential risk relevant to each credit union’s unique business model. The objectives of an information security examination include:
- Evaluating management’s ability to recognize, assess, monitor, and manage information systems and technology-related risks.
- Assessing whether the credit union has sufficient expertise to adequately plan, direct, and manage information systems and technology operations.
- Determining whether the board of directors has adopted and implemented adequate information systems and technology -related policies and procedures.
- Evaluating the adequacy of internal information systems and technology controls and oversight to safeguard member information.
The NCUA’s information security examination program incorporates the following:
- Automated Cybersecurity Evaluation Tool box (ACET): The ACET allows the NCUA and credit unions to determine the maturity of a credit union’s cybersecurity program. The tool incorporates appropriate cybersecurity standards and practices established for financial institutions. The tool maps each of its declarative statements to the practices found in the FFIEC IT Examination Handbook, regulatory guidance, and leading industry standards like the National Institute of Standards and Technology Cybersecurity Framework. The tool also provides examiners a plain-language explanation and references for each of the statements included within the assessment. It is also available to credit unions to help them voluntarily assess their level of cybersecurity preparedness.
- Examiner’s Guide: The Examiner’s Guide provides a framework for consistent application of staff judgment with respect to conclusions about a credit union’s financial and operational condition and related risk ratings. It also provides a consistent approach for evaluating the adequacy of a credit union’s relevant risk-management processes. The Examiner’s Guide and other related examiner guidance, manuals, and training materials provide examiners with information and direction with respect to the NCUA’s information technology examination policies and procedures.
- National Supervision Policy Manual (NSPM) (opens new window): The NSPM establishes national policies, procedures, and guidelines for effective district management, supervision of credit unions, and quality assurance, including as it relates to the NCUA’s information security examination policies and procedures.
- FFIEC Information Technology Booklets: (opens new window)The FFIEC IT Handbook Infobase offers a variety of resources ranging from IT booklets and work programs to information on IT security related laws, regulations, and guidance. Financial institutions can use these booklets to align their information security and cybersecurity practices with the FFIEC guidelines.
- Credit Unions Service Organization (CUSO) Reviews: Although the NCUA lacks direct regulatory authority over CUSOs, the NCUA and state supervisory authorities (under state statutes) periodically perform independent or joint reviews of CUSOs to ensure they comply with statutory and regulatory requirements. These reviews are also designed to ensure that CUSOs use sound business and operational practices and to determine whether the CUSO complies with statutory and regulatory requirements for the products and services they provide.
1 NCUA’s examination frequency for federal credit unions is based on risk, but generally may not extend more than 20 months from the previous examination. Federally insured, state-chartered credit unions are primarily examined by the applicable state regulator, with participation from the NCUA based on risk but no less than every 60 months.