Blog: Financial Institutions

By: (CISA, CISSP, CRISC)

If you are a credit union, you should expect to see the ACET during your next IT examination. The NCUA began piloting this new examination tool in 2018 with larger credit unions, but we anticipate it will be used in most credit union examinations in 2019. As you prepare for the ACET, here is a list of frequently asked questions for you to review.

What is the difference between the CAT and the ACET?

While the ACET mirrors the CAT (the FFIEC's Cybersecurity Assessment Tool) in content, ACET provides additional content, features, and details to help credit unions and the NCUA examine and benchmark the industry's cybersecurity preparedness. To learn more about specific differences, read our in-depth post on the differences between the NCUA ACET and the FFIEC CAT.

Does the ACET replace the risk assessment requirement per GLBA?

No. While ACET should be considered complimentary to information security risk assessment(s) as outlined in the Interagency Guidelines Establishing Information Security Standards per GLBA, it does not replace this requirement. 

Will NCUA IT Examinations be limited to ACET?

No. The NCUA indicates they will use the ACET during upcoming IT exams, and it will be in addition to risk-focused IT examinations.

Where do I get a copy of the ACET spreadsheet?

At the time of this post, the ACET is not available from the NCUA website. Per Supervisory Letter 17-CU-09, the NCUA stated they will "continue to test and refine the ACET through 2018," but you can download version 032618 of the ACET here. In addition, credit unions should receive the current version of the ACET prior to an IT examination. When the ACET is completed as part of the examination process, examiners will leave the completed ACET with the credit union, and discuss the results and any discrepancies with management.

Are credit unions required to complete the ACET?

No, the ACET is not required, but it is recommended. When the NCUA does an examination using the ACET, they will ask if the credit union has completed the ACET. If the credit union has not, the examiner will complete the ACET using the provided material from the exam request list. While this will not be considered a negative for the credit union, credit unions should complete the ACET ahead of time so they can have more meaningful discussions during the exam.

How can Tandem help my credit union with ACET?

Tandem offers an online tool to help financial institutions complete the FFIEC Cybersecurity Assessment Tool and the NCUA Automated Cybersecurity Examination Tool. The features allow credit unions to complete the assessment through Tandem and download the results in the ACET spreadsheet format. The Tandem online software comes in both a free and paid version. Join more than 1,000 other financial institutions and sign up for the free Tandem Cybersecurity Assessment Tool today by visiting https://conetrix.com/tandem/cybersecurity-assessment-tool-ffiec. 


 

 

CoNetrix developed the online software tool highlighted in the video help financial institutions such as banks, credit unions, mortgage companies and trust companies complete and report on the FFIEC Cybersecurity Assessment Tool. The Tandem Cybersecurity module is available in three versions: Free, Pro, and Pro+. 

Additionally, CoNetrix has updated the tool to include the additional ACET features and to allow Credit Unions to complete the assessment through Tandem and download the results in the ACET spreadsheet format.

Join more than 1,000 other financial institutions and sign up for the free Tandem Cybersecurity Assessment Tool today by visiting conetrix.com/tandem/cybersecurity-assessment-tool-ffiec.


 

In 2018, the NCUA began piloting the use of the Automated Cybersecurity Examination Tool (ACET) based on the FFIEC's Cybersecurity Assessment Tool (CAT) to review credit unions.  While the ACET mirrors the CAT in content, ACET provides additional features and details to help credit unions and the NCUA examine and benchmark the industry's cybersecurity preparedness. 

What are the additional features of the ACET as compared to CAT?  Let's take a look…

ACET is a spreadsheet

While the FFIEC Cybersecurity Assessment Tool (CAT) was called a tool, it was released in the form of a PDF download.  This forced financial institutions to complete the tool manually on paper, to develop their own mechanism to electronically complete the assessment, or to use third-party software such as Tandem to complete the assessment.  The ACET was released by the NCUA as a spreadsheet, partly, to provide credit unions a functional option for completing the CAT.

ACET includes a dashboard

The first sheet in the ACET spreadsheet is a dashboard.  The dashboard provides summary information of the credit union, a completion status for the inherent risk profile and cybersecurity maturity, and inherent risk levels.  The dashboard is helpful to let the credit union and their examiner see the completion status of the assessment. 

ACET has an Admin sheet for NCUA examination use

ACET was primarily designed to be used during NCUA examinations; therefore, the NCUA included an Admin sheet to be used by NCUA examiners.  This sheet is primarily used to calculate and track review hours used during the examination process.

ACET contains a document request list

Since ACET is used as an examination tool, or work program, a document request list was added.  The current version (v032618) of the ACET does not have a hyperlink from each document request to any inherent risk questions or maturity statements. However, validation text added to these statements, in many cases, does reference back to the requested items.

ACET adds validation text to inherent risk statements

Answers to the inherent risk profile statements help institutions determine their overall cybersecurity inherent risk.  ACET expanded these statements to include "Validation Approaches" for each inherent risk statement.  The validation approaches language describes what an institution or examiner should review to answer, or validate the answer to, an inherent risk statement.  In many cases, these validation approaches reference back to documents you can review from the document request list.

ACET summarizes maturity in a Maturity Details sheet

The ACET includes a sheet called "Mat. Details." This table provides a summary of the institution's maturity.  Percentages of "Yes" answers are displayed by Component for each maturity level.  This view provides a snapshot of the intuition's cybersecurity maturity across all of the Components.

ACET provides additional reporting fields for declarative statements

The ACET includes additional columns to help institutions document evidence or additional information related to each cybersecurity maturity declarative statement in the "Domain" sheets.  The first additional column, Comment [Required for Yes(c)], was added for credit unions to have a place to explain the "Yes with compensating controls" answer. Two additional columns, Reviewed and Suggested Edits, were added to help examiners when reviewing the ACET.

ACET incorporates a guide with additional commentary and mappings

The ACET includes a sheet named "Guide" with additional commentary and mappings to help an institution or examiner understand and answer the cybersecurity maturity declarative statements.  The additional columns include:

  • Comment: commentary with additional details describing what is expected from the declarative statement and what value the control has on cybersecurity.
  • Examination Approaches: describes what an institution or examiner should review to answer or validate the answer to a declarative statement.
  • Baseline Mapping: mapping declarative statements to the FFIEC IT Examination Handbooks. These are the same mappings in the CAT Appendix A.
  • NIST Mapping: mapping declarative statements to NIST.

ACET and Tandem

When the FFIEC Cybersecurity Assessment Tool (CAT) was first released, Tandem developed an application to aid in its use. Now Tandem has updated the tool to include the additional ACET features and to allow Credit Unions to complete the assessment through Tandem and download the results in the ACET spreadsheet format.  The Tandem SaaS comes in both a free and paid version.  Join more than 1,000 other financial institutions and sign up for the free Tandem Cybersecurity Assessment Tool today by visiting conetrix.com/tandem/cybersecurity-assessment-tool-ffiec.


 

What is Colorado Cybersecurity Regulation (HB 18-1128)?

On January 19, 2018, the General Assembly of the State of Colorado introduced House Bill 18-1128, Concerning Strengthening Protections for Consumer Data Privacy. The regulation was signed into law on May 29, 2018 and goes into effect on September 1, 2018.

The new regulation contains four primary sections:

  1. Disposal of Personal Identifying Information
  2. Protection of Personal Identifying Information
  3. Notification of Security Breach
  4. Security Breaches and Personal Information

The first three sections focus on how a "covered entity" can protect personal identifying information (PII). A "covered entity" is defined as a "person" (e.g., an individual, corporation, business trust, etc.) who maintains, owns, or licenses PII in the course of their business, vocation, or occupation.

Section Four shifts some wording around, but repeats the first three sections, replacing the term "covered entities" with "governmental entities."

Does Colorado HB 18-1128 apply to Banks and Credit Unions?

Yes. While the regulation defines PII a couple different ways, both definitions include things a financial institution would "maintain, own, or license" in the course of normal business (e.g., social security numbers, credit cards, debit cards, account numbers, etc.). If you are a financial institution in the State of Colorado, Colorado HB 18-1128 applies to you.

Are Financial Institutions in Compliance with Colorado HB 18-1128?

Let's break this down by section.

  • Section One: Yes.
    Financial institutions are already subject to GLBA, so the organization should already have a policy in place that defines the secure disposal of paper and electronic documents containing PII.
  • Section Two: Yes.

Again, since financial institutions are already subject to GLBA, the organization should already have reasonable security procedures and practices in place to protect PII from unauthorized access, use, modification, disclosure, or destruction.

  • Section Three: Partially.

Per GLBA, each financial institution should have an incident response policy, program, and/or plan that outlines what the organization should do in the event of a security breach. However, Section Three additionally includes new requirements, specific to the State of Colorado, about classification and notification of a security breach.

For example, Section 3(2)(e) states that if the security breach affected more than 500 Colorado residents, the covered entity must notify the Colorado Attorney General as soon as possible, but no later than 30 days after determining a security breach occurred. This requirement is new and it is specific to Colorado organizations, so it does not likely exist in your current incident response policy, program, and/or plan.

How to Prepare for September 1st

To prepare for the September 1st effective date, it would be beneficial for each financial institution to compare their existing incident response policy with the new requirements in Section Three and make updates, as needed.

We have developed a downloadable PDF called, "Understanding & Preparing for the Colorado Cybersecurity Regulation (HB 18-1128)." This document provides a side-by-side comparison of the regulatory language with our opinion to help you simplify and interpret the regulatory wording. This document will help you understand the regulation, as you prepare your institution for the September 1st deadline.

For Tandem Customers: The resource also provides information about how the requirements of HB 18-1128 are already addressed in Tandem, including recommendations about how you can incorporate the Colorado-specific requirements into your existing information security program.

What is Tandem?

Tandem is an online information security and compliance software designed to increase security and help financial institutions stay in compliance with GLBA and FFIEC guidance. Tandem is now being utilized by financial institutions across the country and helps by saving both time and money without sacrificing information security, cybersecurity, or compliance.


 

By: (Security+)

How do you know what due diligence documents to gather from each of your vendors? There are many methods available, but some result in more accurate documentation than others. Today, I'm going to review two of the primary methods and discuss the effectiveness of each method.

Method #1: The Bucket Method

I often see, what I will call, the bucket method.

It Goes Something like This

Imagine you have a list of questions you ask about vendor characteristics, and then you classify that vendor based on the number of questions answered as "yes." For example, a vendor should be considered:

  • "Level 1" if two or less are answered as "yes."
  • "Level 2" if three to four are answered as "yes."
  • "Level 3" if five or more are answered as "yes."

Then, you could define the required due diligence based on the level of the vendor, or based on the bucket in which the vendor is grouped. At "Level 1," collect only a service level agreement. At "Level 2," collect a contract, a confidentiality agreement, and financial statements. At "Level 3," collect all document types (e.g., a contract, confidentiality agreement, financial statements, SOC report, examination report, BCP, etc.).

What Happens Now?

This method seems relatively simple to carry out. But in reality, it can create a lot of unnecessary document exceptions, and occasionally miss opportunities to request relevant documents.

  • Unnecessary Document Exceptions in a Bucket Method
    Consider a vendor who is "Level 3." While five characteristics applied to them, several of the required documents are both unnecessary to request, and at some rate, unreasonable. This results in an exception record to explain each case and ultimately, requires more effort from you, as the vendor manager, to oversee the relationship.

  • Missed Opportunities for Requesting Relevant Documents in a Bucket Method
    Consider a vendor who is "Level 2." While only three characteristics applied to the vendor, one of them is very important. If this vendor were to be unavailable for 24 hours, it would be detrimental for our business. We should get their BCP, but we did not because it was not required for "Level 2" vendors.
What This Means for You

The bucket method costs a lot of time and effort even though the labelling process seems quick and simple.

[Learn how to review your 3rd party vendor SOC reports in 15 minutes or less. Plus, download our free SOC review checklist.]

Method #2: The If-Then Method

Instead of the bucket method, consider the more accurate if-then method.

It Goes Something like This

Imagine you have a list of questions you ask about vendor characteristics. You could say that if you answer Question A as "yes," then you should collect a specific type of document related to the effects of that characteristic, Document A. Here are a few examples to consider:

  • If a vendor performs critical functions or provides critical services, then you should get a service level agreement.
  • If a vendor uses subcontractors in the performance of critical functions, then you should get their Third party Due Diligence of Subcontracts.
  • If a vendor stores customer information, then you should get a SOC report.

method for collecting vendor management due diligence documents

What Happens Now?

By using the if-then method, you only gather the documentation that is appropriate to the third party relationship. This method can be continually refined. If you notice you are creating a lot of document exceptions for a specific type of document, revisit the question you are asking that instigates this requirement. Consider what assumptions are being incorrectly made about the characteristic's effects. Update your list to appropriately account for this.

Let's say you thought, "If a vendor stores, transmits, or accesses customer data, then I should get their SOC report." You would quickly find that not every vendor who can access your customer's data is going to have a SOC report, and that the SOC report is quite unnecessary for the service you are receiving. In this case, you could create two separate questions. One question would be about storing customer data, in which you would require a SOC report. Then another about accessing and transmitting customer data, in which you would require a confidentiality agreement, but not a SOC report. Making this adjustment would greatly reduce the number of documented exceptions.

What This Means for You

The if-then method will eliminate unnecessary document requests and ensure pertinent documents are obtained.

In Summary

While both methods provide standardized ways to gather due diligence documentation from vendors, the bucket method can actually cause more problems for your vendor managers.  By using the if-then method, you can manage your vendors based on the services that are being provided to you and easily change your program to meet the developing needs of your environment. Couple this method with the Tandem Vendor Management Software, and increase the efficiency in which you conduct your program. 


 

By: (CISA, CISSP)

Early this year the tech world was rocked with the announcement of two unprecedented vulnerabilities named Meltdown and Spectre.

These two vulnerabilities are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Understandably there was a rush from three main industries, processor companies, operating system companies, and cloud providers to provide solutions. However, as a result of the urgent response, there were unanticipated update incompatibilities which crashed systems. This created a dilemma for IT professionals. "Do we install updates which may cause our systems to crash?" or "Do we sit-tight and remain vulnerable?"

Even in the weeks of uncertainty, there were calm voices of seasoned reasoning. Their message reminded us that basic security standards remain our first line of defense. No matter how bad an exploit may be, its impact can be limited if:

  • The vulnerability doesn't have access to your systems
  • Operating system or application weaknesses are patched
  • Security software is installed (advanced end-point protection software with artificial intelligence is a game changer)

So how do you do achieve these standards? Here are some fundamental best practices:

  1. Monitor availability of operating system and application updates. Be sure you find and establish good sources to inform you about the patches and updates for your systems and applications. Then, monitor the sources or subscribe to notifications.

  2. Test updates to ensure compatibility. It is best if your update and patching process includes a test environment where non-production systems are updated first in order to test functionality and compatibility. This allows you to postpone or avoid updates which might crash systems or applications.

  3. Apply updates and patches on a regular schedule. As a best practice, you should implement a schedule (at least monthly) to evaluate, test and install updates for systems and critical applications. In this way, your schedule can coincide with schedules of operating system and application vendors (e.g., Microsoft has "Patch Tuesday, the second Tuesday of each month).

  4. Install and maintain security software (e.g., antivirus software, endpoint security software, etc.). If possible, explore and utilize behavior based end-point protection software. This genre of software "watches" system behavior to notice and stop suspicious action.

  5. Prevent malicious code execution. The goal is to keep malicious code out of your network and systems. This is best accomplished with layers of security including Internet filtering, phishing detection, and security awareness training for system users. Security awareness is essential to help prevent users from falling prey to malicious emails.

 

By: (Security+)

Ideally, reviewing a SOC Report will take you 15 minutes or less (once you get the hang of it). If you are a financial institution and you have vendors, then you have plenty of SOC Reports to review every year.

This blog will tell you what to review in SOC Reports, and nothing more.

You Don't Have to Know It All

I could tell you all sorts of information about SSAE 18 and SOC Reports! Here's one: SSAE 18 is the rule book and SOC is the engagement and report name, so you don't get a SSAE 18 from your vendor, you get a SOC Report. But what you actually want/need is a quick way to get your job done, not a dissertation on the inner working of SOC audits.

Other people may try to make the SOC Report review process seem big and complex so that you will rely on them to do the reviews for you… Don't let them scare you. You are capable of reviewing a SOC Report just as well as any expert. Really! I believe in you.

Admittedly, SOC Reports are complex and they are full of important information, but finding the information you need from it is really quite simple.

You Just Need the Important Parts

Think about this: If your vendor has a SOC Report, then that means an outside party has reviewed the vendor on your behalf. The outside party has verified the vendor is operating effectively. Thanks to this outside party, you don't have to comb over every detail of a SOC report. This means you can primarily read the cliff-notes version in the "Auditor's Report" section and trust the outside party's judgment.

SOC reports are completely standardized. They share a basic structure and even include some of the exact same sentences. This means you can grab what you need from a few specific places, then be on your way.

Let's Get To It

Here is a quick list of the information you need to find in a vendor's SOC report and note in your review. Section names won't be exact, but they're pretty close.

Look at the Cover Page to compile a profile for this SOC report. Find the company being reviewed, the auditing firm, SOC #, and Type #.

Look at the Scope subsection of the Auditor's Report section to find when the audit was done.

Now, this is one of the two most important parts of your review, so focus with me here. Look at the Scope subsection of the Auditor's Report section to see if complementary user entity controls are employed. If so, go to the Description of Systems section to find all of the details about the complementary user entity controls. And obviously, make sure you are doing those things.

Look at the Scope subsection of the Auditor's Report section to see if subservice provider controls are employed. If so, go to the Description of Systems section to find out what the vendor is doing to monitor the subservice provider controls.

Look at the Limitations subsection of the Auditor's Report section to see if anything happened during the audit that limited the auditor's ability to check everything.

This is the other of the two most important parts of your review. Look at the Opinion subsection of the Auditor's Report section to see if the auditor found anything problematic. Also note their official "opinion." If the auditor noted significant issues, find the Other section. Management should provide some kind of response to the significant issues found.

If this was a Type 2 engagement, look at the Test Results section to find any and all exceptions encountered during testing. This may include some that were not considered significant enough for the auditor to mention in the Opinion subsection.

And that's it. While it's pretty simple, why not make it easier? We created a downloadable PDF with the above checklist so that you can easily and efficiently review your SOC reports.


 

In September 2016, the Federal Financial Institutions Examination Council (FFIEC) released an updated Information Security Booklet as part of the IT Examination Handbook. Among other contemporary concepts, the FFIEC placed an increased emphasis on the role of Information Security Officers (ISOs) in financial institutions. In section I.B Responsibility and Accountability (Page 5), the FFIEC provides a list of six key qualities of the ISO role. Here are the six qualities and a brief interpretation of how this can be applied in your organization.

1. Sufficient Authority

Each ISO should have sufficient authority to perform their assigned tasks. While the ISO ultimately reports to the board or senior management, they must also be a trusted employee (or group of employees) who is authorized to make organization-altering decisions on their own. In short, your ISO should be someone you can, and will, trust.

2. Stature within the Organization

Each ISO should have stature within the organization to perform their assigned tasks. In addition to being a trustworthy part of the organization, the ISO should also be a respected part of the organization. The role of the ISO is a position that should be held with esteem. This is a tone that is set from the top. If the board and senior management respect the role of the ISO, the organization's employees will respect it, as well.

3. Knowledge

Each ISO should have knowledge to perform their assigned tasks. The ISO is tasked with oversight of the information security program. This is a broad-scoped topic which requires knowledge of the physical, technical, and administrative functions of the organization. If no one employee has sufficient knowledge to make decisions for each of these areas, it may be wise to consider appointing multiple individuals to fill the organization's ISO role as a committee.

Click here to find out more about a 6 part webinar training series created specifically for ISOs.

4. Background

Each ISO should have background to perform their assigned tasks. Similar to knowledge, the ISO should have a history that involves information security. An employee can be trustworthy, respectable, and have knowledge of information security, but be lacking a foundation of experience. Information security is an ever-changing field. Appointing an ISO who does not have experience in the field is a risk to the organization's information security.

5. Training

Each ISO should have continued training to perform their assigned tasks. Since the field is ever-changing, it should not be assumed that the ISO has all the training required to perform their duty. As the threat environment changes, as new controls are implemented, as the industry advances, the board and senior management should expect the ISO or members of the ISO team to further their education through training.

6. Independence

Each ISO should have independence to perform their assigned tasks. It would be best to avoid conflicts of interest when selecting an ISO. For example, while knowledge of information technology (IT) is important, the ISO should not be the person responsible for implementing the organization's IT function. For community financial institutions, this is not always practical. So, if your organization finds independence difficult, it may be beneficial to appoint individuals from various departments to fill the organization's ISO role as a committee.

In Summary…

While the FFIEC may not be very prescriptive when it comes to appointing an ISO, by ensuring your organization's ISO is trustworthy, respectable, knowledgeable, experienced, interested in learning, and independent of other functions in the organization, your organization can lay the foundation for an effective information security program.


 

On September 9th, 2016, the Federal Financial Institutions Examination Council (FFIEC) released a revised Information Security booklet.  This booklet is one of eleven booklets that make up the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook). The IT Handbook is designed to provide information and reference to financial institutions and examiners.  The Information Security booklet specifically “provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution’s information systems.”

To learn more about the new FFIEC Information Security Booklet, join us for a webinar on October 11th at 2:00pm CDT. Register now

To see other webinars offered by CoNetrix, visit our webinars page.

About the FFIEC: The FFIEC was established in 1979 per Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978.  The FFIEC is comprised of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administrator (NCUA), the Office of the Comptroller of the Currency (OCC), the State Liaison Committee (SLC), and the Consumer Financial Protection Bureau (CFPB).

 


 

Today the FFIEC released a Cybersecurity Assessment Tool to help financial institutions identify their risks and assess their cybersecurity preparedness.  The assessment tool is designed to provide a repeatable and measurable process for banks and credit unions to measure their cybersecurity preparedness over time.

The FFIEC tool consists of pdf documents including an Overview for Chief Executive Officers and Boards of Directors, a User's Guide, an Inherent Risk Profile, a Cybersecurity Maturity, and some Additional Resources.

CoNetrix is working on a FREE online, interactive tool to assist banks and credit unions in completing the new FFIEC cybersecurity assessment.  This easy to use SaaS will allow financial institutions to answer questions provided in the FFIEC documents, view and analyze inherent risk and cybersecurity maturity, and run various reports.  To learn more about the new Tandem Cybersecurity tool, visit https://conetrix.com/cybersecurity.