The NAFCU Journal May - June 2019 - 48

COMPLIANCE CENTRAL

Cybersecurity Exam Preparation
By Brandy Bruyere

O

nce again, the National
Credit Union Administration
(NCUA) placed cybersecurity as a focus for exams this
year. In 2019, the agency will use the
Automated Cybersecurity Examination
Tool (ACET) for credit unions with
more than $250 million in assets. The
ACET largely tracks the Cybersecurity
Assessment Tool (CAT) that financial
regulators published a few years ago.
Preparing for the cybersecurity portion
of an exam can be time-consuming and
challenging and often requires coordination across business units. Some
credit unions choose to utilize the CAT
in preparation for exams given under
NCUA's ACET, but it is not mandatory
to do so.
The cybersecurity portion of an
NCUA exam requires the credit
union to provide the examiner with
a significant amount of information.
It is important to identify which
staff members will be responsible
for collecting all of this information.
For example, the CAT measures a
credit union's inherent risk profile
across five categories:

Delivery Channels - addresses
"whether products and services are
available through online and mobile
delivery channels and the extent of
[ATM] operations."
Online/Mobile Products and
Technology Services - includes
"various payment services ...
person-to-person payments,
originating automated clearing
house (ACH), retail wire transfers,
wholesale payments, merchant
remote deposit capture [RDC] ...
correspondent banking and merchant
acquiring activities." There are
14 separate items in this category.
Organizational Characteristics -
considers items such as "mergers
and acquisitions, number of
direct employees and cybersecurity
contractors ... the number of
users with privileged access ...
locations of business presence,
and locations of operations and
data centers."
External Threats - considers the
"volume and type of attacks," both
successful and unsuccessful, which
may impact the credit union's inherent risk, as well as the "volume and
sophistication" of attacks targeting the
credit union.

Technologies and Connection
Types - includes "the number of
Internet service provider (ISP) and
third-party connections, whether
systems are hosted internally or outsourced, the number of unsecured
These general areas of operation are then
connections, the use of wireless
used to determine the credit union's level
access, volume of network devices,
of risk, ranging from "least inherent" to
end-of-life systems, extent of cloud
"most inherent."
services, and use of personal devices."
The assessment tool lists 14 separate
The CAT also measures a credit union's
items in this category.
cybersecurity maturity over five domains:
48

Domain 1: Cyber Risk Management -
"addresses the board of directors' oversight and management's development
and implementation of an effective
enterprisewide cybersecurity program
with comprehensive policies and procedures for establishing appropriate
accountability and oversight."
Domain 2: Threat Intelligence and
Collaboration - "includes processes to
effectively discover, analyze and understand cyber threats, with the capability
to share information internally and
with appropriate third parties."
Domain 3: Cybersecurity Controls -
includes "the practices and processes
used to protect assets, infrastructure
and information by strengthening
the institution's defensive posture
through continuous, automated
protection and monitoring."
Domain 4: External Dependency
Management - "involves establishing
and maintaining a comprehensive program to oversee and manage external
connections and third-party relationships with access to the institution's
technology assets and information."
Domain 5: Cyber Incident Management and Resilience - "includes
establishing, identifying and
analyzing cyber events; prioritizing
the institution's containment or
mitigation; and escalating information to appropriate stakeholders ...
[and] encompasses both planning
and testing to maintain and recover
ongoing operations during and
following a cyber incident."
THE NAFCU JOURNAL  MAY-JUNE 2019



The NAFCU Journal May - June 2019

Table of Contents for the Digital Edition of The NAFCU Journal May - June 2019

The NAFCU Journal May - June 2019
Contents
Conferences
From the Chair
Washington and Industry Briefs
The Bottom Line
Welcome, New Members
Knowledge Is Power Credit unions leverage data and analytics for strategic business growth.
Lowering the High Cost of Internal Fraud Policies, culture and training work together to improve fraud detection and prevention.
2019 Annual Conference Exhibitor Directory
Executive Spotlight
Management Insight
Compliance Central
Inside NAFCU Services
From the President’s Desk
The NAFCU Journal May - June 2019 - The NAFCU Journal May - June 2019
The NAFCU Journal May - June 2019 - Cover2
The NAFCU Journal May - June 2019 - Contents
The NAFCU Journal May - June 2019 - 2
The NAFCU Journal May - June 2019 - Conferences
The NAFCU Journal May - June 2019 - From the Chair
The NAFCU Journal May - June 2019 - 5
The NAFCU Journal May - June 2019 - Washington and Industry Briefs
The NAFCU Journal May - June 2019 - 7
The NAFCU Journal May - June 2019 - The Bottom Line
The NAFCU Journal May - June 2019 - 9
The NAFCU Journal May - June 2019 - 10
The NAFCU Journal May - June 2019 - 11
The NAFCU Journal May - June 2019 - Welcome, New Members
The NAFCU Journal May - June 2019 - 13
The NAFCU Journal May - June 2019 - 14
The NAFCU Journal May - June 2019 - 15
The NAFCU Journal May - June 2019 - 16
The NAFCU Journal May - June 2019 - 17
The NAFCU Journal May - June 2019 - Knowledge Is Power Credit unions leverage data and analytics for strategic business growth.
The NAFCU Journal May - June 2019 - 19
The NAFCU Journal May - June 2019 - 20
The NAFCU Journal May - June 2019 - 21
The NAFCU Journal May - June 2019 - 22
The NAFCU Journal May - June 2019 - 23
The NAFCU Journal May - June 2019 - 24
The NAFCU Journal May - June 2019 - 25
The NAFCU Journal May - June 2019 - Lowering the High Cost of Internal Fraud Policies, culture and training work together to improve fraud detection and prevention.
The NAFCU Journal May - June 2019 - 27
The NAFCU Journal May - June 2019 - 28
The NAFCU Journal May - June 2019 - 29
The NAFCU Journal May - June 2019 - 30
The NAFCU Journal May - June 2019 - 31
The NAFCU Journal May - June 2019 - 32
The NAFCU Journal May - June 2019 - 33
The NAFCU Journal May - June 2019 - 34
The NAFCU Journal May - June 2019 - 2019 Annual Conference Exhibitor Directory
The NAFCU Journal May - June 2019 - 36
The NAFCU Journal May - June 2019 - 37
The NAFCU Journal May - June 2019 - 38
The NAFCU Journal May - June 2019 - 39
The NAFCU Journal May - June 2019 - 40
The NAFCU Journal May - June 2019 - 41
The NAFCU Journal May - June 2019 - Executive Spotlight
The NAFCU Journal May - June 2019 - 43
The NAFCU Journal May - June 2019 - 44
The NAFCU Journal May - June 2019 - 45
The NAFCU Journal May - June 2019 - Management Insight
The NAFCU Journal May - June 2019 - 47
The NAFCU Journal May - June 2019 - Compliance Central
The NAFCU Journal May - June 2019 - 49
The NAFCU Journal May - June 2019 - Inside NAFCU Services
The NAFCU Journal May - June 2019 - 51
The NAFCU Journal May - June 2019 - From the President’s Desk
The NAFCU Journal May - June 2019 - Cover3
The NAFCU Journal May - June 2019 - Cover4
https://www.nxtbook.com/ygsreprints/NAFCU/nafcu_NovemberDecember2020
https://www.nxtbook.com/ygsreprints/NAFCU/nafcu_SeptOct2020
https://www.nxtbook.com/ygsreprints/NAFCU/nafcu_JulAug2020
https://www.nxtbook.com/ygsreprints/NAFCU/nafcu_MayJun2020
https://www.nxtbook.com/ygsreprints/NAFCU/nafcu_MarApr2020
https://www.nxtbook.com/ygsreprints/NAFCU/nafcu_JanFeb2020
https://www.nxtbook.com/ygsreprints/NAFCU/nafcu_NovDec2019
https://www.nxtbook.com/ygsreprints/NAFCU/G109023_nafcu_septoct2019
https://www.nxtbook.com/ygsreprints/NAFCU/G106941_nafcu_julaug2019
https://www.nxtbook.com/ygsreprints/NAFCU/G105388_nafcu_mayjun2019
https://www.nxtbook.com/ygsreprints/NAFCU/G103030_nafcu_marapr2019
https://www.nxtbook.com/ygsreprints/NAFCU/G88665_nafcu_janfeb2019
https://www.nxtbook.com/ygsreprints/NAFCU/G100235_nafcu_novdec2018
https://www.nxtbook.com/ygsreprints/NAFCU/G98517_nafcu_septoct2018
https://www.nxtbook.com/ygsreprints/NAFCU/G96479_nafcu_julaug2018
https://www.nxtbook.com/ygsreprints/NAFCU/G93390_nafcu_mayjune2018
https://www.nxtbook.com/ygsreprints/NAFCU/G90161_nafcu_marapr2018
https://www.nxtbook.com/ygsreprints/NAFCU/G88665_nafcu_janfeb2018
https://www.nxtbook.com/ygsreprints/NAFCU/G83806_nafcu_novdec2017
https://www.nxtbook.com/ygsreprints/NAFCU/G80296_nafcu_septoct2017
https://www.nxtbook.com/ygsreprints/NAFCU/G79086_nafcu_julyaugust2017
https://www.nxtbook.com/ygsreprints/NAFCU/G75911_nafcu_mayjune2017
https://www.nxtbook.com/ygsreprints/NAFCU/G73247_nafcu_marapr2017
https://www.nxtbook.com/ygsreprints/NAFCU/G71923_nafcu_janfeb2017
https://www.nxtbook.com/ygsreprints/NAFCU/G69249_nafcu_novdec2016
https://www.nxtbook.com/ygsreprints/NAFCU/nafcu_septoct2016
https://www.nxtbook.com/ygsreprints/NAFCU/g63853_nafcu_julaug2016
https://www.nxtbook.com/ygsreprints/NAFCU/g61005_nafcu_mayjun2016
https://www.nxtbook.com/ygsreprints/NAFCU/g58935_nafcu_marapr2016
https://www.nxtbook.com/ygsreprints/NAFCU/g56716_nafcu_janfeb2016
https://www.nxtbook.com/ygsreprints/NAFCU/g55605_nafcu_novdec2015
https://www.nxtbook.com/ygsreprints/NAFCU/g53582_nafcu_sepoct2015
https://www.nxtbook.com/ygsreprints/NAFCU/g52154_nafcu_july2015
https://www.nxtbook.com/ygsreprints/NAFCU/g50302_nafcu_mayjune2015
https://www.nxtbook.com/ygsreprints/NAFCU/g48554_nafcu_marapr2015
https://www.nxtbook.com/ygsreprints/NAFCU/g47118_nafcu_janfeb15
https://www.nxtbook.com/ygsreprints/NAFCU/g45886_nafcu_novdec2014
https://www.nxtbook.com/ygsreprints/NAFCU/g44155_nafcu_sepoct2014
https://www.nxtbook.com/ygsreprints/NAFCU/g42892_nafcu_julyaug2014
https://www.nxtbook.com/ygsreprints/NAFCU/g41296_nafcu_mayjun2014
https://www.nxtbook.com/ygsreprints/NAFCU/g39799_nafcu_marapr2014
https://www.nxtbook.com/ygsreprints/NAFCU/g38961_nafcu_janfeb2014
https://www.nxtbook.com/ygsreprints/NAFCU/g38041_nafcu_novdec2013
https://www.nxtbook.com/ygsreprints/NAFCU/g36539_nafcu_sepoct2013
https://www.nxtbook.com/ygsreprints/NAFCU/g34910_nafcu_julaug2013
https://www.nxtbookmedia.com