What You Need to Know in 2022: InTREx-CU

By Krystal Rennie / Adlumin, Inc.
Dec 16, 2021

As 2022 quickly approaches, credit unions are in for a significant change to their examination protocols. Back at the beginning of this year, the National Credit Union Administration (NCUA)’s 2021 Supervisory Priorities revealed that “the agency has reprioritized away from performing facilitated Automated Cybersecurity Evaluation Toolbox cybersecurity maturity assessments, to piloting the Information Technology Risk Examination for Credit Unions (InTREx-CU). […] ACET will become a self-assessment resource for credit unions, supported by the NCUA.” This program spent most of 2021 as a pilot and will come as a slight shift from what credit unions are used to preparing for. This blog will explore how this transition directly impacts your credit union.

What is InTREx-CU?

InTREx-CU is an enhanced program that focuses on cybersecurity preparedness assessment and discloses more in-depth examination results through component ratings. This new program will help credit unions identify gaps in security controls and encourage examination harmony across the financial sector. Both examiners and credit unions will be armed with the tools needed to identify potential high-risk areas in their security programs and address any deficiencies within those programs. The transition to InTREx has been broken down into several phases. Phase 1 involves a pilot that will focus on statements and questions, associated job aids, and examination procedures.

According to the Federal Deposit Insurance Corporation (FDIC), the program has the following features:

  • Enhanced Pre-Examination Process. The pre-examination scoping process has been revised and streamlined to focus on emerging risks and technologies.
    • Approximately 90 days before a scheduled IT examination, the financial institution will receive an Information Technology Profile (ITP) questionnaire through FDICconnect to be completed and returned to the FDIC. The ITP is designed to determine the resources needed to perform the IT examination and assist with scoping the examination. The ITP includes 65 percent fewer questions than the Officer’s Questionnaire used in the previous IT examination program.
    • The IT examiner-in-charge will risk focus the IT examination based on responses to the ITP and other available information (e.g., prior examination reports, new products or services, etc.). At least 45 days before the scheduled examination start date, an IT Request Letter reflecting the IT profile of the institution will be sent to the financial institution through FDICconnect. Management should upload requested information within the requested time frame to minimize on-site information requests.
  • Examination Procedures. Examiners will complete the InTREx Core Modules, the Cybersecurity Workpaper, and the Information Security Standards Workpaper to assess risk and to document examination procedures, findings, and recommendations. For financial institutions with a higher IT profile, examiners can use expanded examination procedures, supplemental work programs, and the FFIEC Information Technology Examination Handbook.
  • Report Presentation. A summary of the overall condition of the IT function supporting the URSIT composite rating will be included on the Examiner Conclusions and Comments page. The Information Technology Assessment page will document URSIT component ratings, examination findings, recommendations, management’s responses, including timeframes for corrective action, and supporting comments for cybersecurity preparedness and compliance with information security standards.

InTREx can be broken down into four core analysis sections: audit, management, development and acquisition, and lastly, support and delivery. By combining its pre-examination process with its reporting capabilities, this program will provide credit unions with the critical guidance and information to ensure that they are within industry regulations.

How Do I Differentiate Between InTREx-CU and ACET?

To keep it simple, ACET is a self-assessment tool, and InTREx is an examination program. ACET will continue to be used alongside InTREx to help credit unions self-assess any cybersecurity risk they may face. Both examiners and credit unions will use InTREx to examine critical security controls.

What the Future Holds for CUs

Credit unions must now shift their understanding of how the examination process will work as the regulations shift. An educated guess is that this trend will continue in the years to come. Although we are months away from implementing the InTREx program, which will kick off in September 2022, now is the time to put it on your credit union’s radar. The last thing you need is your organization falling behind this shifting curve. Implementing a managed security services platform like Adlumin into your 2022 roadmap is a great way to avoid that. By doing this, you won’t have to worry about whether your credit union is prepared for these assessments.

None of us know what the next year will bring, but from the looks of it, cybercriminals will only become more aggressive, causing regulatory demands to increase. InTREx is just the beginning. Credit unions are in for an exciting ride in 2022 and beyond.