In January 2021, the National Credit Union Administration (NCUA) published their 2021 Supervisory Priorities which stated, "The agency has reprioritized away from performing facilitated [ACET] cybersecurity maturity assessments, to piloting the Information Technology Risk Examination for Credit Unions (InTREx-CU). […] ACET will become a self-assessment resource for credit unions, supported by the NCUA."
Because Tandem has created features in our Cybersecurity product to help credit unions be prepared for their ACET exams, the Tandem team has received several questions regarding InTREx-CU and how it will be addressed in Tandem. Here's what we know.
How is InTREx-CU different from ACET?
The ACET, Automated Cybersecurity Examination Tool, is an exam program built on top of the FFIEC's Cybersecurity Assessment Tool (CAT). The CAT is designed for banks and credit unions to self-assess their cybersecurity preparedness outside of the examination process. According to a report from the NCUA, the ACET exam spreadsheet was built to "benchmark" the credit union industry's cybersecurity preparedness. The process was completed between 2018 and 2020.
For a simplified visual, check out the image below. The ACET exam spreadsheet includes:
- The CAT "questions" (green tabs)
- Tools for the examiner's use (yellow tabs)
- The examination document request list (red tab)
This combination of tabs and features is why we say "ACET is an exam tool built on top of the FFIEC's Cybersecurity Assessment Tool."
InTREx-CU (Information Technology Risk Examination for Credit Unions) does not include CAT as part of the work program or document request list. InTREx-CU is a new examination model, similar to the NCUA's exam procedures based on 12 CFR Part 748, but with a heightened focus on critical security controls. Credit unions examined with InTREx-CU will be expected to complete the new document request list, which currently includes 33 items.
Will I see InTREx-CU in my 2021 or 2022 exam?
InTREx-CU is expected to remain in "pilot" mode through the end of 2022 and is only performed by Regional Information Security Officers (RISOs) for that reason. What will happen after 2022 is yet to be made clear.
- For the majority of credit unions whose next IT exam will not be performed by a RISO, you can expect to be examined with the traditional exam program based on 12 CFR Part 748, not InTREx-CU or ACET.
- For credit unions who will have a RISO perform the next IT exam, you can expect to see the pilot version of InTREx-CU. RISOs primarily work with the largest credit unions in the industry. To help you prepare, ask your examiner for the most recent version of the InTREx-CU document request list.
InTREx-CU brings a new focus on incident management, specifically requesting "the formally approved Incident Response Plan, employee training program, accompanying procedures, results from the most recent cyber incident and results of incident response testing." If you are looking for a fast and effective way to build an Incident Response Plan and track incidents as they occur, see our newest Tandem addition: Incident Management.
Will I be expected to keep doing the CAT/ACET?
Yes, and no. Expected, but not required.
The NCUA's 2021 Supervisory Priorities indicate they will continue to support the ACET (a.k.a., CAT) as a self-assessment resource, helping credit unions continue to assess their cybersecurity risk and maturity outside of the NCUA's examination process. "Continue to support" indicates the NCUA believes ACET/CAT is a valuable self-assessment tool and that credit unions will benefit from its continued use.
While the NCUA will "continue to support" the tool, credit unions will not, to date, see an item on their examination document request list for ACET/CAT. However, we have heard from individual examiners who believe credit unions should and will continue to update their cybersecurity self-assessments.
Does Tandem recommend I keep completing the CAT?
Yes, we continue to encourage completion of the CAT annually, or more frequently if significant changes occur, to measure your cybersecurity maturity over time. Performing the CAT self-assessment remains beneficial for several reasons:
- It is aligned with the FFIEC IT Examination Handbook, the NIST Cybersecurity Framework, and industry-accepted cybersecurity practices.
- It offers a way for financial institutions to review their own cybersecurity posture without an auditor or examiner.
- It provides a way to demonstrate current and potential cybersecurity maturity to senior management.
- It allows you to compare your current cybersecurity posture against the past or to other institutions, if using a product like Tandem.
How can I complete the CAT?
At Tandem, we are pleased to offer our clients an easy, efficient, and repeatable way to assess cybersecurity risk and maturity using the CAT question and answers. To learn more about Tandem Cybersecurity or to sign up for the free version of the tool, visit Tandem.App/Cybersecurity-Assessment-Tool-FFIEC. Tandem offers helpful and valuable features, such as the ability to allow multi-user access and compare results with similar institutions, which can be used to justify and request investments in cybersecurity from the board.
Can we expect any ACET or InTREx-CU changes to Tandem's Cybersecurity software?
The NCUA has begun using MERIT (Modern Examination and Risk Identification Tool) to conduct exams starting in August 2021. MERIT is a new web-based examination platform, designed to replace the NCUA's legacy platform, ARIES. As such, we do not plan to integrate the InTREx-CU document request list into Tandem because doing so would not save our customers any time or effort in the examination process.
As NCUA examiners still expect (but do not require) that credit unions will continue to complete the CAT self-assessment portions of the ACET, Tandem will continue to offer the free and pro versions of our tool to help ensure our clients have an easy, efficient, and repeatable way to assess their cybersecurity risk and maturity.
Since ACET has been suspended as an examination model, users will not need to use the Document Request List section of Tandem Cybersecurity. We do not have plans to remove the Document Request List section at this time, as users likely have historical files and notes they would like to keep. One element of the ACET features we believe is important to retain is the ACET commentary for every inherent risk and maturity statement. The NCUA commentary continues to provide value in helping readers understand the context of each statement, and we find that credit unions and banks alike consider these resources valuable.
To learn more about Tandem Cybersecurity or to sign up for the free version, visit Tandem.App/Cybersecurity-Assessment-Tool-FFIEC.