NCUA Cybersecurity Exam Priorities for Credit Unions in 2026
NCUA has made its focus clear: cybersecurity is a top supervisory priority in 2026. Examiners are looking at four specific areas. Knowing what they are looking for is the first step to being ready when they arrive.
Why 2026 is different
NCUA has examined cybersecurity for years, but 2026 marks an escalation. The issuance of Letter 26-CU-01 in January 2026 formally elevated cybersecurity to a top supervisory priority. This is not a subtle distinction. Top priority means examiners have been directed to spend more time on it, dig deeper, and hold credit unions to a higher standard of documentation and readiness.
The timing reflects the threat environment. Credit unions saw a significant increase in ransomware attacks, business email compromise, and vendor-related incidents through 2024 and 2025. NCUA is responding by tightening examination focus on the areas where credit unions are most vulnerable.
Focus area 1: Payment security
Payment systems — wire transfers, ACH origination, card processing, and real-time payment networks — are high-value targets. Examiners will evaluate:
- Dual authorization controls. Do wire transfers and ACH batches require approval from two separate individuals? Single-approval processes are a red flag.
- Transaction monitoring. Do you have automated monitoring for unusual patterns — large transfers, out-of-pattern timing, new payees in high-risk geographies?
- Callback verification. For wire transfer requests received via email, do you verify via a separate communication channel before executing? Business email compromise remains the most common payment fraud vector.
- Access controls. Who has access to initiate payments? Is that access reviewed and recertified regularly? Are terminated employees removed from payment systems immediately?
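The four payment controls above, written out as a pre-release check an examiner could walk through. This is an added example, not code from the article or from BlackSheep; the threshold, the country list, the business-hours window and the sample request are constructed assumptions.

```python
"""Added example (not from the article): dual-authorization, callback and
transaction-monitoring checks for an outgoing wire request. Thresholds,
country codes and the sample request are constructed assumptions."""
from dataclasses import dataclass, field

LARGE_WIRE_USD = 50_000          # assumed monitoring threshold
HIGH_RISK_COUNTRIES = {"XX"}     # placeholder list, constructed for the example
BUSINESS_HOURS = range(8, 18)    # 08:00-17:59 local time, assumed

@dataclass
class WireRequest:
    ref: str
    amount_usd: float
    payee_country: str
    new_payee: bool
    received_via_email: bool
    callback_verified: bool
    hour_submitted: int
    initiator: str
    approvers: list = field(default_factory=list)

def review_wire(req: WireRequest) -> list:
    """Return the list of control findings; an empty list means releasable."""
    findings = []
    # Dual authorization: two distinct approvers, neither of them the initiator.
    distinct_approvers = set(req.approvers) - {req.initiator}
    if len(distinct_approvers) < 2:
        findings.append("dual-authorization not satisfied")
    if req.initiator in req.approvers:
        findings.append("initiator self-approved")
    # Callback verification for instructions that arrived by email (BEC control).
    if req.received_via_email and not req.callback_verified:
        findings.append("email-originated request lacks callback verification")
    # Transaction monitoring: size, timing, new payee in a high-risk geography.
    if req.amount_usd >= LARGE_WIRE_USD:
        findings.append("large transfer")
    if req.hour_submitted not in BUSINESS_HOURS:
        findings.append("out-of-pattern timing")
    if req.new_payee and req.payee_country in HIGH_RISK_COUNTRIES:
        findings.append("new payee in high-risk geography")
    return findings

# Constructed samples: one request that trips every control, one clean request.
BAD_REQUEST = WireRequest("W-1", 75_000.0, "XX", True, True, False, 22,
                          "alice", ["alice", "bob"])
CLEAN_REQUEST = WireRequest("W-2", 10_000.0, "US", False, False, True, 10,
                            "alice", ["bob", "carol"])
```

Running the same check against a request where the initiator also appears as an approver is the quickest way to surface the kind of override mentioned under "Test your controls".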
Focus area 2: Vendor oversight
Credit unions outsource heavily, and a vendor breach is effectively your breach when it involves your member data. Examiners are asking tougher questions about vendor management:
- Due diligence documentation. Can you produce written due diligence for each critical vendor? SOC 2 reports, security questionnaires, financial viability assessments?
- Contractual requirements. Do your vendor agreements include information security provisions, breach notification timelines, and right-to-audit clauses?
- Ongoing monitoring. Due diligence at contract signing is not enough. Examiners want to see evidence of ongoing monitoring — annual review of SOC reports, tracking of vendor incidents, periodic reassessment of risk ratings.
- Concentration risk. If your core processor, online banking, and card processing all run through one vendor or one cloud provider, what is your continuity plan if that provider fails?
Focus area 3: Member data protection
Protecting member information is the core obligation under 12 CFR Part 748. In 2026, examiners are paying particular attention to:
- Encryption. Is member data encrypted at rest and in transit? This includes data in your core system, backups, email attachments, and data shared with third parties.
- Access management. Are access privileges based on least-privilege principles? Are they reviewed regularly? When someone changes roles, is their access updated?
- Multi-factor authentication. MFA for remote access to systems containing member data is effectively a baseline expectation. Examiners will flag its absence.
- Data loss prevention. What controls prevent member data from leaving the credit union through unauthorized channels — personal email, USB drives, unapproved cloud storage?
Focus area 4: Insider threats
This is newer territory for many credit unions. NCUA recognizes that not all threats come from outside. Examiners will assess:
- Access monitoring. Do you monitor for unusual access patterns by employees — accessing accounts outside their normal responsibilities, bulk data queries, after-hours system access?
- Separation of duties. Can any single employee create a member account, initiate a transaction, and approve it without oversight from another person?
- Termination procedures. When an employee leaves or is terminated, how quickly is their access revoked across all systems? Do you have a documented checklist?
- Security awareness training. Are employees trained to recognize social engineering, phishing, and other tactics used to manipulate insiders?
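The three access-monitoring patterns listed above (out-of-role account access, bulk data queries, after-hours access) as detection rules run over audit log lines. This is an added example, not code from the article or from BlackSheep; the log format, the user-to-branch assignments, the thresholds and the sample lines are constructed assumptions.

```python
"""Added example (not from the article): insider access-pattern detection over
constructed core-system audit log lines. Log format, branch assignments and
thresholds are assumptions chosen for the example."""
import re
from collections import Counter

# Constructed log format: ISO timestamp, user, action, account id, account branch
LOG_RE = re.compile(r"^(\S+)T(\d\d):\d\d:\d\d (\w+) (\w+) acct=(\d+) branch=(\w+)$")
USER_BRANCH = {"dlee": "north", "mkim": "north", "rjones": "south"}  # assumed
BULK_QUERY_THRESHOLD = 50   # assumed: account lookups per user in the log window
AFTER_HOURS = set(range(0, 7)) | set(range(19, 24))   # assumed business day

# Constructed sample log: one day, three users; dlee runs 60 lookups in an hour.
SAMPLE_LOG = """\
2026-03-02T09:15:02 dlee view acct=1001 branch=north
2026-03-02T21:40:11 mkim view acct=2002 branch=south
2026-03-02T10:05:45 rjones view acct=3003 branch=north
""" + "".join(f"2026-03-02T11:{i:02d}:00 dlee view acct={4000 + i} branch=north\n"
              for i in range(60))

def detect_insider_anomalies(log_text: str) -> dict:
    """Return {user: sorted rule names} for every user that tripped a rule."""
    findings = {}
    lookups = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed lines are skipped rather than miscounted
        _day, hour, user, action, _acct, branch = m.groups()
        hits = findings.setdefault(user, set())
        if int(hour) in AFTER_HOURS:
            hits.add("after-hours access")
        if USER_BRANCH.get(user) != branch:
            hits.add("account outside assigned branch")
        if action == "view":
            lookups[user] += 1
    for user, count in lookups.items():
        if count >= BULK_QUERY_THRESHOLD:
            findings.setdefault(user, set()).add("bulk data query")
    return {user: sorted(hits) for user, hits in findings.items() if hits}
```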
How to prepare
The exam scope is not a mystery. NCUA has told you what they are looking for. The practical steps:
- Self-assess against all four areas. Walk through each focus area above and identify gaps in your documentation and controls.
- Update your risk assessment. If your current risk assessment does not address payment security, vendor concentration, or insider threats, it is incomplete.
- Gather documentation. Examiners work from documents. Pull together your ISP, vendor contracts, access reviews, training records, and incident response plans before the exam, not during it.
- Test your controls. Do not wait for the examiner to find that your dual-authorization process has an override nobody knew about. Test it yourself.
How BlackSheep helps
BlackSheep's credit union compliance platform covers all four 2026 exam priority areas. It provides guided risk assessments that address payment security and insider threats, vendor management tracking with contract review documentation, access control assessment tools, and exam-ready reporting that maps directly to what NCUA examiners evaluate.
Know what examiners will ask before they ask it.
Prepare for your NCUA exam with BlackSheep