The first NCUA letter to credit unions of the new year, 19-CU-01, offers Supervisory Priorities for upcoming exams, including ACET and IT Risk Management. Among the focus items are enhanced Bank Secrecy Act Compliance and Information Systems and Assurance. As anticipated, Examiners will continue their information security maturity assessments using the Automated Cybersecurity Examination Toolbox (ACET), and the exams now include assessment of credit unions over $250 million in assets that were previously not exposed to the tool or exam process.
NCUA 2019 Areas of Focus
Two areas of focus are the evaluation of credit union IT Risk Management (how it can identify, remediate and control inherent risks to appropriate residual risk levels) and 3rd party/vendor oversight to ensure implementation of an effective risk-based vendor management program. Although the ACET was deemed “voluntary” in the past, it is important to know that NCUA Examiners utilize the ACET output for a consistent and uniform measuring system, regardless of asset size. Ideally, the NCUA would like the credit union to populate the ACET criteria, creating greater internal awareness of the ACET, exam protocol and a deeper understanding of prudent cybersecurity practices.
With the roll-out to smaller asset-sized credit unions, resources may be stretched to fulfill the data input requirements (along with the validation of the input). A great place to start is to assign a champion(s) with the task of filling out what is known and then work as a team to complete any remaining items. Validation of your responses is a necessity.
Meet Baseline Requirements for Security Compliance and IT Risk Management
During your annual information security endeavors, work with your provider for advice on how best to meet minimum or baseline requirements or evolve to more mature levels. SCA Information Security Analysts are experts at working with credit unions to streamline their information security requirements and are a valuable resource for ACET tool assistance.
Contact Security Compliance Associates Today For More ACET and IT Risk Management Information
Contact SCA today to learn more about NCUA 2019 information security examination priorities. Our team has helped credit unions with information security compliance and risk assessment for more than 14 years!