If you are a credit union, you should expect to see the ACET during your next IT examination. The NCUA began piloting this new examination tool in 2018 with larger credit unions, but we anticipate it will be used in most credit union examinations in 2019. As you prepare for the ACET, here is a list of frequently asked questions for you to review.
What is the difference between the CAT and the ACET?
While the ACET mirrors the CAT (the FFIEC's Cybersecurity Assessment Tool) in content, ACET provides additional content, features, and details to help credit unions and the NCUA examine and benchmark the industry's cybersecurity preparedness. To learn more about specific differences, read our in-depth post on the differences between the NCUA ACET and the FFIEC CAT.
Does the ACET replace the risk assessment requirement per GLBA?
No. While ACET should be considered complimentary to information security risk assessment(s) as outlined in the Interagency Guidelines Establishing Information Security Standards per GLBA, it does not replace this requirement.
Will NCUA IT Examinations be limited to ACET?
No. The NCUA indicates they will use the ACET during upcoming IT exams, and it will be in addition to risk-focused IT examinations.
Where do I get a copy of the ACET spreadsheet?
At the time of this post, the ACET is not available from the NCUA website. Per Supervisory Letter 17-CU-09, the NCUA stated they will "continue to test and refine the ACET through 2018," but you can download version 032618 of the ACET here. In addition, credit unions should receive the current version of the ACET prior to an IT examination. When the ACET is completed as part of the examination process, examiners will leave the completed ACET with the credit union, and discuss the results and any discrepancies with management.
Are credit unions required to complete the ACET?
No, the ACET is not required, but it is recommended. When the NCUA does an examination using the ACET, they will ask if the credit union has completed the ACET. If the credit union has not, the examiner will complete the ACET using the provided material from the exam request list. While this will not be considered a negative for the credit union, credit unions should complete the ACET ahead of time so they can have more meaningful discussions during the exam.
How can Tandem help my credit union with ACET?
Tandem offers an online tool to help financial institutions complete the FFIEC Cybersecurity Assessment Tool and the NCUA Automated Cybersecurity Examination Tool. The features allow credit unions to complete the assessment through Tandem and download the results in the ACET spreadsheet format. The Tandem online software comes in both a free and paid version. Join more than 1,000 other financial institutions and sign up for the free Tandem Cybersecurity Assessment Tool today by visiting https://conetrix.com/tandem/cybersecurity-assessment-tool-ffiec.