Key Takeaways from the NCU-ISAO Cybersecurity Conference


Last month, the National Credit Union Information Sharing and Analysis Organization (NCU-ISAO) held its second annual conference in Dallas, TX. Credit unions attending the event benefited from presentations by the NCUA, FBI, credit unions, and security partners, and were able to participate in a live incident-response tabletop exercise facilitated by the Department of Homeland Security.

“We encourage credit unions to use information sharing organizations like NCU-ISAO to help enhance their cybersecurity efforts,” said Katie Clark, NWCUA’s Regulatory and Compliance Analyst. “Sharing information on threats and best practices benefits the entire industry, so the more participation the better.”

Following are several insights your Association’s Compliance team brought home from the event.

Cybersecurity Examinations and GDPR

Attendees received guidance from Tim Segerson, Deputy Director of the Office of Examination and Insurance for the NCUA, about cybersecurity examinations. Recently, the NCUA announced it will begin using the Automated Cybersecurity Examination Tool (ACET) during examinations. According to Segerson, the tool matches up with the Cybersecurity Assessment Tool (CAT), a voluntary tool released by the FFIEC to provide financial institutions with a way to identify their risks and determine their cybersecurity preparedness.

The NCUA will roll out the ACET at larger credit unions. The rollout follows the NCUA’s strong focus on training its examiners to understand the tool and use it accordingly. Additionally, Segerson noted that the ACET is being implemented at the exam level and will not require specialized examiners.

The conference also addressed the European Union’s General Data Protection Regulation (GDPR). Even though the regulation is mostly focused on entities in the European Union, credit unions that have members living in the EU are encouraged to look at this rule and determine if it will have an impact on their operations.

Disaster Recovery

Attendees also heard from a panel of experts on disaster recovery. One credit union shared its experiences dealing with complete loss of contact with its Puerto Rico branches during the recent hurricane. Credit unions were encouraged to consider disaster recovery programs that address rural, remote, and distant locations, in addition to ensuring that the main office, which often houses the records and infrastructure of the credit union, is adequately prepared for a disaster.

Beyond physical disasters, the group also participated in a tabletop exercise that demonstrated the need for a thoughtful and adequately tested cybersecurity incident response plan. The tabletop exercise, facilitated by the Department of Homeland Security, provided the group with several examples of data breaches and fostered idea sharing between credit unions to help them identify practical responses as well as best practices.

If you’d like to learn more about NCU-ISAO, visit their website, or contact Brian Hinze at 813.431.1221.

Questions about compliance? Contact NWCUA’s Compliance Hotline at 1.800.546.4465, or
