CUNA OpSS/Tech Coverage: FFIEC CAT Overview

LAS VEGAS–Credit unions here were given an overview by NCUA of the new FFIEC Cybersecurity Assessment Tool (CAT).

Although voluntary and meant to be a self-assessment, most credit unions are expected to begin using the tool as they seek to address their cyber-exposure.

Wayne Trout, regional information systems officer with NCUA, told the joint annual meeting of the CUNA Technology Council and CUNA OpSS Council that the primary objective of the cybersecurity tool is to help institutions identify their risks and determine their cybersecurity maturity. The emphasis, said Trout, is on cybersecurity risk management concepts.

“What the assessment seeks to do is provide institutions with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness,” said Trout. After that comes the “gap analysis,” he explained, where work is done on interpreting and analyzing risks.

Trout stressed that cyber-risk management is an enterprise-wide effort, and isn’t just limited to IT. After all, he said, it’s usually not IT that clicks on a link that brings a virus into the credit union. As part of the process the tool seeks to identify policies, procedures, processes and controls, as well as develop an action plan following the gap analysis.

But what is inherent risk? According to Trout, it’s the “amount of risk a credit union’s activities and connections pose, notwithstanding any controls in place to mitigate risk.”

“One of the things we discover is credit unions that go through this process need to look at the risk of the service itself. The mitigation is a consideration down the line,” he said.

Of the five levels of risk in the CAT, NCUA believes most credit unions will fall into the least risk category. Those at the Most Risk level will be the largest credit unions with worldwide membership that are always seeking and adding new types of services, he said.

“The tool is scalable by the institution’s size and the services it offers,” said Trout, noting the new tool offers Not Applicable as an option.

During his presentation Trout walked credit unions through the grid that will be used to determine Inherent Risk.

Any institution regardless of asset size that has an online banking function immediately is at the moderate risk level, said Trout. And any credit union driving its own ATMs, even a small CU with one ATM, jumps up to the moderate level, he added.

What about a third party managing a function, an audience member asked. “If you are offering the service, you have the risk, and you need to drive deeper into the vendor third-party section,” responded Trout.

Still, when it comes to inherent risk levels, Trout said they are parameters, not rigid rules.

Considerations For The Process

Trout said CUs should keep these steps in mind as they prepare for the CAT:

  • Credit unions need to begin by gathering and validating information. “The validation piece means speaking to the right people.”
  • Senior management must buy in and the board must recognize it owns cybersecurity responsibilities, said Trout.

The FFIEC Cyber Assessment Tool comes with five cybersecurity maturity domains:

  • Cyber-risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

“When I do the training for NCUA examiners they are financials-based and aren’t always comfortable with the technology piece,” said Trout. “But of the five Cybersecurity Maturity Domains, they are already doing three of them.”

He added there is no single rating for an institution. The rating is done by domain and by component, and different components will have different ratings.

Trout urged credit unions to make sure to share assessment results. “Bring it to the highest level to get the change engine working. Meet with the CEO and the board. Review the assessment results and provide additional information. Explain to the board why you feel certain things need to be done and why you’ve rated yourself as you have.”

Trout repeated that credit unions should not go through the exercise once and then leave it on a shelf. “Review this periodically, especially following significant operational or technological changes.”

He said credit unions need to update their CAT review anytime there are new products, services or initiatives introduced.

According to Trout, the benefits of the risk assessment tool to CUs include:

  • Identify risk drivers
  • Assess level of preparedness
  • Identify misalignments in risk
  • Determine optimal enhancements to align/inform risk management strategies
  • Understand risk with third parties and partners

Trout also recently testified before the NCUA board offering an update on the Cybersecurity Assessment Tool. That story can be found here: http://cutoday.ssd.thinkcreativeinternal.net/Fresh-Today/NCUA-Shares-What-s-Ahead-For-Technology-Security-Exams

Copyright Holder: CUToday.info
Copyright Year: 2026