New NCUA Exam Prep

A couple of months ago, the National Credit Union Administration (NCUA) released its new Information Security Exam framework, which it planned to begin using this year. With the rise of cyber threats, credit unions must ensure that their members' sensitive information is protected, and the NCUA updated its information security exam to strengthen credit unions' cybersecurity posture.

 

In our last blog post, we covered a lot of the changes and gave an overview of the control set. Now that it’s been a couple of months, we wanted to discuss changes we have seen to the exam process, the feedback we have received from clients who have gone through the exam, and how credit unions can best prepare for the new NCUA information security audit.

 

Client Feedback 

We have had four credit union clients go through their annual NCUA exam since the release of the framework this year. There has been one key theme from all four clients: THOROUGH! Some clients have had relatively light audits in years past, and some have had in-depth audits, but this has been the most thorough exam that any of the clients have received to date. Some had two RISOs as part of the process this year compared to one in past years, and the exam process lasted twice as long as last year. 

 

Examiner Focus 

Every few years, as changes in cybersecurity occur, NCUA examiners take on a new major focus. Based on the feedback we have gotten and meetings we have had with examiners this year, the focus appears to be similar to that of the last few years, and includes:

  • Risk assessment and ongoing risk assessments
  • Ensuring policies cover all information security areas
  • Ensuring business continuity planning and testing is completed
  • Whether the credit union has properly prepared for a ransomware attack and how it would respond

It is still the core information security controls that make up a solid cybersecurity foundation. 

How to Prepare 

Understanding the exam requirements is the first step in preparing for the NCUA information security exam. As with anything, you can’t prepare if you don’t fully understand what will be required of you.

 

Spend some time reviewing the new control framework and wording of each of the controls. It is still a lot of the same security requirements that make up the foundational security program, but some new items will be required in the CORE+ section. 

 

After reviewing the controls and doing some research, walk yourself and your team through a self-assessment. Ensure that you have each of the controls in place and evidence to back each of those up.  

 

Automate It

At Rivial we believe in automation. We have all of the NCUA ISE requirements mapped to the required evidence items that examiners will be looking for. Our platform can reach out to the employees who are responsible for that cybersecurity function and request the evidence or even pull it directly from some of the tools you use. 

 

If the evidence is in place, it will automatically switch the control to in place or not in place, so at any time you can log in and see your exact compliance with the NCUA ISE framework and other control sets with no additional effort. 

 

We helped one client transition from the ACET to the new ISE framework in under an hour with all their evidence items mapped and included. 

 


 
