Building Confidence in Credit Union Cybersecurity and Compliance

Is your credit union ready to handle the tougher cybersecurity exams that the NCUA has planned?

Over the last few years, there have been clear signs that the NCUA is paying closer attention to cybersecurity, and it looks like upcoming exams will be more rigorous in this area. In this article, I’ll point out those signs and share practical steps your credit union can take to get prepared for the next exam.

If we look at the NCUA’s Letters to Credit Unions from January 2022 through now, here’s what stands out about cybersecurity:

  • January 2022: The NCUA is working on updating its information security exam procedures.
  • January 2023: Cybersecurity continues to be a top priority during exams.
  • January 2024: Cybersecurity is still front and center as a key focus in exams.
  • October 2024: The NCUA shared statistics about the cyber incident response notification rule. From September 1, 2023, when the rule took effect, through August 31, 2024, federally insured credit unions reported 1,072 cyber incidents. Interestingly, 70% of those incidents involved third-party vendors. This letter also highlights four important areas that boards of directors should focus on:
      ◦ Keeping the board and employees up to date with ongoing cybersecurity training
      ◦ Approving a thorough information security program that covers risk assessments, security controls, and incident response plans, and making sure it’s reviewed and updated at least once a year
      ◦ Closely overseeing how operations are managed
      ◦ Making sure there’s a solid incident response plan that spells out specific requirements
  • January 2025: Cybersecurity is still a top supervisory priority, and the NCUA urges every credit union’s board to make it a central part of their oversight and governance.

How do these cybersecurity trends affect credit unions?

Although the NCUA has made cybersecurity a top priority in exams for 2023, 2024, and now 2025, the real wake-up call came from the October 2024 letter. In just one year, credit unions reported 1,072 cyber incidents, and nearly 70% were linked to third-party vendors. That number alone signals a growing risk landscape that credit unions can’t afford to ignore.

While the data doesn’t show how severe these incidents were or whether they were concentrated among specific vendors, it’s clear that cybersecurity oversight—especially around vendor management—is becoming a major point of focus. For examiners, these numbers reinforce why stronger governance and accountability are needed. For credit unions, they highlight how even one weak link in the vendor chain can lead to serious consequences.

But it’s not just about vendors. Roughly 320 of the reported incidents had no vendor connection at all, meaning the threats originated within the credit unions themselves—whether through phishing, insider mistakes, outdated systems, or gaps in security protocols. These internal issues can be just as damaging, particularly if they expose member data or disrupt operations.

This trend paints a bigger picture: cybersecurity exams aren’t just checking boxes anymore—they’re evaluating how well-prepared credit unions are to manage evolving risks in a digital-first environment. The NCUA is signaling that “good enough” security no longer cuts it. Examiners are likely to look beyond policies and paperwork, digging deeper into how effectively those policies are applied, tested, and updated.

For credit unions, this means a shift in mindset. It’s not only about passing an exam—it’s about building a security-first culture where every employee, vendor, and system plays a role in protecting member data. By tightening vendor oversight, investing in continuous training, and conducting regular risk assessments, credit unions can stay ahead of examiner expectations—and, more importantly, better safeguard their members’ trust.

Building a Culture of Cyber Awareness

When it comes to cybersecurity exams, culture plays a bigger role than many credit unions realize. Examiners don’t just look at whether you have the right tools and policies in place — they’re paying closer attention to how well cybersecurity is understood and practiced across the organization. A strong cybersecurity culture shows that protecting member data isn’t just a checklist item, but a shared value from the boardroom to the front line.

That starts with awareness and consistency. Employees should understand not only what the policies are, but why they matter. When staff can clearly explain how their daily actions tie into the credit union’s overall cybersecurity strategy, it tells examiners that security isn’t an afterthought — it’s part of everyday operations.

Ongoing training, regular assessments, and support from a managed IT services provider can help reinforce that culture across every level of the organization. Instead of relying on one long annual session, break training into shorter, engaging updates throughout the year. Focus on practical examples — like identifying phishing attempts, recognizing social engineering tactics, or following secure data-handling practices. Showing that employees are regularly trained and tested demonstrates to examiners that your credit union actively reinforces security awareness.

Encouraging open communication is just as important. Employees should feel comfortable reporting suspicious activity or potential security gaps without fear of blame. Many incidents can be prevented simply because someone spoke up early — and examiners take note when an organization promotes that kind of accountability.

Leadership also sets the tone. When the board and management consistently emphasize cybersecurity in meetings, budget decisions, and member communications, it sends a clear message that security is a top priority. This visible commitment helps shape the organization’s mindset and reassures examiners that cybersecurity is embedded in your governance practices, not just your IT department.

Ultimately, building a culture of cyber awareness strengthens both your defenses and your exam readiness. It helps ensure your team can confidently demonstrate not just compliance — but a true, organization-wide commitment to protecting member information.

How Credit Unions Can Prepare for Cybersecurity Exams

With a strong culture in place, the next step is making sure your leadership team is fully equipped to meet the NCUA’s expectations. That means taking a closer look at how your board and senior management can prepare for the next round of cybersecurity exams — and ensure your credit union is ready for whatever comes next.

The October 2024 letter stands out for highlighting several key areas that credit union boards should prioritize. It gives practical recommendations for improving staff training, strengthening information security, overseeing daily operations, and ensuring a strong incident response plan is in place.

When it comes to overseeing operations, the letter gets very specific. It urges boards to:

  • Set clear guidelines for evaluating third-party vendors, especially around information security.
  • Make cybersecurity a fundamental value that shapes decisions throughout the credit union.
  • Ensure the credit union has access to cybersecurity experts and enough funding for the right security tools and technologies.
  • Focus on managing vulnerabilities, keeping systems updated with patches, whitelisting and blacklisting applications and websites appropriately, and staying up to date with threat intelligence.
  • Bring in outside experts to audit the cybersecurity program from time to time.
  • Put a reporting system in place to regularly update the board on the cybersecurity program’s status—covering things like risk assessments, how risks are managed, major control decisions, vendor relationships, test results, and any suggested improvements.
  • Protect data backups by storing them securely and testing them regularly to make sure information can be recovered if needed, especially in case of a ransomware attack.
  • Continue providing members with training to encourage safe cybersecurity habits.

These recommendations suggest that regulators may soon pay even closer attention to how well boards are overseeing cybersecurity. In the future, boards could be held more accountable if they don’t make cybersecurity a priority to protect against potential threats.

How can credit union leaders get ready?

Board members and senior management play a critical role in ensuring their credit union is ready to meet the cybersecurity expectations outlined in the NCUA’s October 2024 Board of Director Engagement in Cybersecurity Oversight (24-CU-02) letter. Cybersecurity oversight isn’t just a technical task—it’s a governance responsibility. Leaders set the tone for how seriously cybersecurity is taken across the organization, so preparation starts at the top.

The first step is to take a hard look at your credit union’s current cybersecurity framework. Review your information security program, policies, and incident response plans to make sure they’re not only up to date, but also practical and aligned with NCUA’s guidance. That means verifying that risk assessments are being conducted regularly, that staff training is ongoing, and that there’s a clear process for escalating and addressing security issues when they arise.

It’s also important for boards to make cybersecurity a standing agenda item—not something discussed only when there’s an issue. Regular updates from IT and compliance leaders help the board stay informed about new threats, audit findings, and mitigation plans. These discussions demonstrate to examiners that cybersecurity is an ongoing focus, not a one-time project.

While some credit unions have strong internal expertise, others find real value in bringing in an independent consultant to provide a fresh perspective. A third-party assessment can help identify blind spots that internal teams might miss, especially when it comes to vendor management, technical controls, and regulatory compliance. Consultants can also provide actionable tools—such as templates, checklists, and implementation guides—that help make recommendations easier to put into practice.

Beyond assessments, the right partner can work directly with your staff to implement improvements, conduct training, and strengthen your overall security posture. This collaboration ensures that cybersecurity isn’t siloed—it becomes part of your organization’s daily operations and long-term strategy.

Ultimately, preparation isn’t just about passing the next exam; it’s about building resilience. By fostering a culture of proactive oversight, investing in expertise, and staying engaged with evolving NCUA expectations, credit union leaders can protect both their institutions and their members from the growing wave of cyber threats.

Ready for What’s Next?

Cybersecurity exams are no longer just a formality—they’re a clear indication that regulators expect credit unions to be truly proactive. By strengthening your oversight, building a strong security culture, and keeping up with evolving rules, you’re not just preparing for an exam; you’re reinforcing the trust between your members and your institution.

If you’d like help assessing your current cybersecurity practices, improving vendor oversight, or aligning your operations with NCUA’s expectations, the team at Intech Hawaii is here for you. We offer tailored NCUA-compliance services that include expert assessments, NIST-based data-disposal support, continuous training, and audit-ready documentation—all designed specifically for credit unions.

Reach out to us today and let’s make sure your credit union is ready for what’s ahead—secure, compliant, and confident.