What Credit Unions Need to Know About the NCUA ACET & its New Cybersecurity Standards
With Internet of Things (IoT) and Bring Your Own Device (BYOD) growing exponentially every year, financial institutions stand to see key benefits in facilities cost reduction and employee productivity. But credit union executives must also ask – what are the unseen risks of becoming more connected?
For example, the facilities department might implement online thermostats to remotely control HVAC systems, lighting, or time clocks. Employees might bring their own mobile devices to connect to the enterprise network, unaware that their devices might be infected with malware or a virus, and unwittingly allow it to spread laterally across the company. All these behaviors, while productive, can also put the institution at severe risk because they leave a potential hole in the network: the ability for a bad actor to attack unsecured Internet of Things devices that lack proper security or access controls, and/or the personal mobile devices (iPads, phones, etc.) of unaware employees.
The Shift to a New Examination Tool
The NCUA issued a statement warning of increasing cybersecurity vulnerabilities for federally-insured credit unions and financial services market participants, including ransomware, malware and phishing attacks, identity theft, denial of service, ATM skimming, pandemic-themed attacks and supply chain attacks – the latter being a significant threat due to the multiple parties that must work together to deliver financial services to consumers.
The NCUA has recently moved to a new security examination tool called the Automated Cybersecurity Examination Tool (ACET). Previously, in 2015, the NCUA was using just the Cybersecurity Assessment Tool (CAT) to identify cyber threats and test credit unions' security readiness. The NCUA ACET is based on the CAT, but it adds security control validation and includes an easy-to-read dashboard. According to a report from the NCUA, the purpose of the ACET was not to be a long-term examination program, but to “benchmark” credit unions, measuring the industry’s cybersecurity preparedness.
Initially, the NCUA began reviewing credit unions with $1 billion or more in assets using the ACET, refining the tool throughout the process to ensure it could scale properly for smaller, less complex credit unions.
What This Means for Credit Unions
With the shift to the NCUA ACET, it is now necessary for credit unions to have certain controls in place in order to pass NCUA audits. Of the five domains laid out in the ACET, Domain 3 is perhaps the most critical when it comes to cybersecurity, as it examines the necessary preventive, detective and corrective cybersecurity controls.
In the end, credit union CIOs and CISOs have a responsibility to protect their members and their financial data. This year, as the security talent crisis grows, breaches get more complicated and IoT/BYOD device attacks get more severe, an easy-to-implement NAC solution should be at the top of their list.
Portnox CLEAR & the NCUA ACET
As the NCUA audits continue to expand, many credit unions struggle with finding an effective solution to meet Domain 3 controls within the ACET framework.
Fortunately, Portnox CLEAR provides the network access control, endpoint awareness, risk and real-time remediation capabilities that either directly meet or highly contribute to many of the most difficult Domain 3 audit areas and requirements.