In July 2020, the National Credit Union Administration (NCUA) published their updated 2020 Supervisory Priorities. In the "Information Systems and Assurance (Cybersecurity)" section, the NCUA stated:

"The NCUA has transitioned its priority from performing Automated Cybersecurity Examination Tool (ACET) cybersecurity maturity assessments, to evaluating critical security controls. The NCUA is also piloting an Information Technology Risk Examination solution for Credit Unions (InTREx-CU). InTREx-CU harmonizes the IT and Cybersecurity examination procedures shared by the Federal Deposit Insurance Corporation, the Federal Reserve System, and some state financial regulators to ensure consistent approaches are applied to community financial institutions."

Since this statement from the NCUA, we have received questions regarding the difference between ACET and InTREx-CU, how to prepare for this change, and how this change will affect Tandem. Below are answers to the three questions we are hearing about this topic.

"What is different between ACET and InTREx-CU?"

ACET

To best understand the NCUA's ACET, it is important to look at its predecessor, the FFIEC's Cybersecurity Assessment Tool (CAT). The CAT was originally published in June 2015. Per the website, it was designed to "provide a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time." The CAT is a self-assessment tool, originally designed for banks and credit unions to use themselves to assess their risk and determine their cybersecurity preparedness.

Shortly after the CAT was published, Tandem created the Cybersecurity product which is a cloud-based software product making it easier for financial institutions to complete the CAT and report on their results.

In 2018, the NCUA adopted the CAT and appended a few features, designed solely for the purpose of examination. They referred to this combination as the ACET, short for Automated Cybersecurity Examination Tool. The ACET used the CAT statements and integrated them into a spreadsheet which also included a dashboard, a document request list, and additional commentary to be used in the examination process. To learn more about the NCUA's additions, see our blog: How is the NCUA ACET different from the FFIEC CAT? 

Shortly after the ACET was published, Tandem added the necessary features to the Cybersecurity product to make it easier for credit unions to complete the request list and download their CAT in the exact spreadsheet format the NCUA would expect them to complete during their exam.

InTREx

The Federal Deposit Insurance Corporation's InTREx Program (short for Information Technology Risk Examination Program) was published on June 30, 2016. According to a letter published by the FDIC (FIL-43-2016) the "InTREx Program is an enhanced, risk-based approach for conducting IT examinations." The FDIC's InTREx Program is the foundation for which the NCUA is piloting their own version, InTREx-CU. The final version of the NCUA's InTREx-CU is not yet publicly available, but it is anticipated the program will be similar to the FDIC's version. As such, InTREx-CU is a program specifically designed for examiners to use in the process of examination in assessing implementation of critical controls.

The Difference

In summary:

  • The CAT is a self-assessment tool.
  • The InTREx is an examination program.
  • The ACET caused some confusion, as it blurred the lines between a self-assessment tool and an examination tool.

Based on this information, InTREx-CU is not a wholesale replacement of ACET. ACET is the combination of the CAT self-assessment tool and an examination program, whereas InTREx-CU will be solely an examination tool. This distinction sets the examination apart from a self-assessment, which helps ensure all parties can conduct a thorough, independent review of controls.

Did you know? According to the Tandem State of Cybersecurity survey, of the 250+ respondents in 2019, 82% indicated use of the CAT and 15% indicated use of the ACET as the primary method of evaluating the maturity of their cybersecurity program. Download the report to learn more.

"What do I need to do to prepare for this change?"

While you may know your current assessment as "the ACET," all the risk and maturity statements are from the FFIEC's Cybersecurity Assessment Tool (CAT). The examination process moving to the InTREx-CU does not imply you should no longer complete a cybersecurity self-assessment, such as the CAT.

We recommend you continue to complete the CAT on at least an annual basis, or more frequently if significant changes occur, so you can measure your cybersecurity preparedness over time. While the InTREx Program seems to exclude a request for a completed CAT in the same way ACET did, the FDIC's InTREx expects institutions to use an industry-accepted framework to assess cybersecurity maturity. In fact, they reinforce the CAT's alignment with industry standards and say examiners will reference the CAT's Appendix A when citing deficiencies. A similar approach is expected from the NCUA's version, InTREx-CU.

As for completing the InTREx-CU, stay tuned. The 2020 Supervisory Priorities indicate the InTREx-CU is currently being piloted, so you can expect to hear from your examiner regarding their plans for the new examination process.

"How will this change Tandem's Cybersecurity software?"

At Tandem, it is our goal to improve security while easing the burden of regulatory compliance, and we are honored to have so many credit unions contacting us for assistance in managing this transition from ACET to InTREx-CU.

We will continue to provide the ACET features as part of our Tandem Cybersecurity product, for those who would like to continue to use them. At this time, Tandem does not offer a product which could effectively support the InTREx examination program. Additionally, regulators are considering developing their own portals for managing exams and gathering information. The FDIC already has one called FDICconnect. If the NCUA created a similar portal, a Tandem product may not be helpful.

Before committing to any long-term decisions, we are waiting for additional information, like the finalized version of the InTREx-CU, how NCUA examiners intend to use it, and if the NCUA plans to provide their own web application for the examination process. Once we have more information, Tandem leadership can determine if developing an InTREx tool would be beneficial to the end-user and if it should be part of future Tandem strategy.

Until then, Tandem Cybersecurity is a tool designed to help financial institutions complete their cybersecurity self-assessments. We will continue to offer the free and pro versions of the tool to help ensure our clients have an easy, efficient, and repeatable way to assess their cybersecurity risk and maturity. To learn more about Tandem Cybersecurity or to sign up for the free version, visit Tandem.App/Cybersecurity-Assessment-Tool-FFIEC.