

Compliance CISO
May 14 2026
NCUA Cybersecurity Examinations: What Credit Unions Are Getting Wrong
NCUA cybersecurity examinations have become significantly more rigorous over the past two years. What was once a relatively straightforward review of basic security policies has evolved into a detailed technical and operational assessment that is catching many credit unions unprepared.
If your credit union has an exam scheduled in the next 6-12 months, this article covers the most common findings examiners are surfacing—and what you can do about them before your examiner walks through the door.
How NCUA Cybersecurity Examinations Have Changed
The NCUA's Automated Cybersecurity Evaluation Toolbox (ACET) has become the standard framework for examining credit union cybersecurity maturity. Based on the FFIEC Cybersecurity Assessment Tool, ACET evaluates credit unions across five domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience.
Examiners are no longer just checking whether policies exist. They're testing whether those policies are actually followed, whether staff understand their responsibilities, and whether the controls in place would actually work under real conditions.
The most common examiner finding is not a technical failure—it's a gap between documented policy and actual practice. Having a policy that nobody follows is worse than having no policy, because it demonstrates awareness without action.
The Top Findings from NCUA Cybersecurity Examinations
1. Outdated or Incomplete Information Security Policies
This is the most frequently cited finding. Many credit unions have information security policies that were written 3-5 years ago and never updated. Policies need to reflect current technology environments, current threats, and current regulatory expectations. If your policies still reference systems you no longer use, or don't address cloud environments and remote work, they will be flagged.
2. Vendor Management Gaps
Credit unions rely heavily on third-party vendors for core processing, online banking, payment systems, and more. NCUA examiners expect to see a formal vendor management program that includes initial due diligence before onboarding, annual security reviews of critical vendors, contractual security requirements, and documented exit strategies. Most credit unions have a vendor list. Far fewer have a true vendor risk management program.
3. Incident Response Plans That Have Never Been Tested
Having a written incident response plan satisfies the documentation requirement. Having a plan that your team has actually practiced is what satisfies examiners. Tabletop exercises—simulated incident scenarios that walk your team through their response—are increasingly expected as evidence that your plan would actually work under pressure.
4. Weak Multi-Factor Authentication Implementation
MFA is required for administrative access to critical systems. Examiners are finding gaps where MFA is enabled for some systems but not others, where employees can bypass MFA under certain conditions, or where the MFA implementation itself is outdated. Text message-based MFA is also coming under increasing scrutiny as SIM-swapping attacks have demonstrated its vulnerability.
5. Insufficient Board Oversight of Cybersecurity
The NCUA expects your board to be meaningfully engaged in cybersecurity oversight—not just receiving a brief report once a year. Examiners look for evidence that the board receives regular, meaningful cybersecurity reporting in language they can understand and act on, and that cybersecurity risk is integrated into the credit union's overall risk management framework.
6. Inadequate Business Continuity and Disaster Recovery Testing
Business continuity and disaster recovery plans need to be tested, not just documented. Many credit unions test recovery of core systems but haven't tested recovery of all critical systems, haven't validated recovery time objectives under real conditions, or haven't tested scenarios involving ransomware or extended outages of key third-party vendors.
How to Prepare If You Have an Exam Coming Up
If you have an NCUA examination scheduled in the next 12 months, the most valuable thing you can do is conduct an internal assessment against the ACET framework before your examiner does. This identifies gaps while you still have time to address them.
Specifically focus on: reviewing and updating all information security policies for current relevance, documenting your vendor risk management process and pulling evidence of recent vendor reviews, scheduling a tabletop incident response exercise and documenting the results, validating that MFA is enabled consistently across all administrative access points, preparing a board-level cybersecurity report that demonstrates meaningful oversight, and testing your business continuity and disaster recovery procedures.
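Finding 4 above and the "validating that MFA is enabled consistently across all administrative access points" item in this checklist are the one part of exam preparation that can be checked mechanically rather than by reading policy. The following is an added example, not code from the original post or from Compliance CISO: it takes an export of administrative access points and flags the three MFA gaps the article describes (MFA missing on some systems, bypass conditions, and SMS as the factor). The CSV column layout and the sample rows are constructed for this example; a real export from an identity provider or admin console will have its own columns and needs its own mapping.

```python
import csv
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample export of administrative access points. The column
# layout is an assumption made for this example, not any product's format.
SAMPLE_INVENTORY_CSV = """system,admin_role,mfa_enabled,mfa_method,bypass_condition
core-processing,sysadmin,yes,fido2,none
online-banking-admin,app_admin,yes,sms,none
firewall-mgmt,netadmin,no,none,none
domain-controller,domain_admin,yes,push,trusted_network
backup-console,backup_admin,yes,totp,none
"""

# Factors the article says are drawing examiner scrutiny (SMS, because of
# SIM swapping). Extend this set as your own policy tightens.
WEAK_FACTORS = {"sms"}

Finding = Tuple[str, str]  # (system, issue)


def load_inventory(csv_text: str) -> List[Dict[str, str]]:
    """Parse the exported inventory into one dict per access point."""
    return list(csv.DictReader(StringIO(csv_text)))


def audit_mfa(inventory: List[Dict[str, str]]) -> List[Finding]:
    """Return one finding per MFA gap, in the order the article lists them:
    not enabled, weak factor, bypass condition."""
    findings: List[Finding] = []
    for row in inventory:
        system = row["system"].strip()
        enabled = row["mfa_enabled"].strip().lower() == "yes"
        if not enabled:
            findings.append((system, "MFA not enabled for administrative access"))
            continue  # no point grading the factor if there is none
        method = row["mfa_method"].strip().lower()
        if method in WEAK_FACTORS:
            findings.append((system, f"weak factor in use: {method}"))
        bypass = row["bypass_condition"].strip().lower()
        if bypass != "none":
            findings.append((system, f"MFA can be bypassed when: {bypass}"))
    return findings


def coverage_summary(inventory: List[Dict[str, str]],
                     findings: List[Finding]) -> Dict[str, int]:
    """Counts an examiner would ask for: how many admin access points are
    fully covered versus how many carry at least one gap."""
    flagged = {system for system, _ in findings}
    total = len(inventory)
    return {"total": total, "flagged": len(flagged), "clean": total - len(flagged)}


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY_CSV)
    findings = audit_mfa(inventory)
    for system, issue in findings:
        print(f"{system}: {issue}")
    print(coverage_summary(inventory, findings))
```

Run it against a fresh export before the exam and keep the output with the date it was produced; the list of flagged systems, together with the ticket or change record that closed each one, is exactly the kind of evidence that turns "MFA is required" from a policy statement into a demonstrated control.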
The Resource Challenge
The honest challenge for many credit unions is resource constraints. Building and maintaining a comprehensive cybersecurity program requires expertise that is expensive to hire full-time and difficult to find in many markets. A fractional vCISO model—where an experienced cybersecurity executive works with your credit union on a part-time basis—has become an increasingly practical solution for credit unions that need CISO-level expertise without the cost of a full-time hire.
Get Started
Compliance CISO brings Fortune 500 security expertise—including programs at Equifax, Capital One, and Visa—to credit unions preparing for NCUA examinations. Schedule a free consultation at complianceciso.com/contact

