BlackSheep Security Research
The State of Credit Union Cybersecurity: 2026 Report
We scanned the public infrastructure of 611 federally insured credit unions with $100M+ in assets. 36% have critical vulnerabilities. 46% don't redirect to HTTPS. NCUA Letter 25-CU-01 raised the bar. Most credit unions haven't cleared it.
Key findings
Credit unions face the worst HTTPS gap in financial services
NCUA Letter 25-CU-01 and the GLBA Safeguards Rule require specific controls. The basics — HTTPS, email authentication, security headers — are missing across the majority of credit unions we scanned.
Nearly half don't enforce HTTPS
45.8% of credit unions don't redirect HTTP to HTTPS. Members who reach the credit union's website by typing the address or clicking an old link are served an unencrypted page. Any data submitted on it, including loan applications, contact forms and member inquiries, can be read or altered in transit by anyone on the network path. A redirect fixes this for every request after the first; only HSTS (below) closes the window on that first plaintext request.
This is a critical finding. For comparison, only 8.5% of community banks and 14.1% of RIAs have this same gap. Credit unions are 3 to 5x more likely to leave members on unencrypted connections.
Email authentication is weak
58.1% of credit unions have no DMARC record on their primary domain, and another 14.6% have it set to "none" (monitoring only, no blocking). Combined, nearly 73% have no effective email spoofing protection.
31.9% have no SPF record at all, and an additional 25.4% use a weak "softfail" (~all) policy. On its own, softfail only asks receivers to mark unauthorized mail rather than reject it; it becomes an effective block only when paired with a DMARC policy of quarantine or reject, which most of these domains do not publish. For credit unions that communicate account changes, loan approvals, and payment instructions via email, this is a direct path to member fraud.
Note: DMARC and SPF are measured on each credit union's primary website domain. Credit unions running email on a different domain may have records configured elsewhere.
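The SPF and DMARC classifications above can be reproduced from two DNS TXT lookups per domain. The following is an added example written for this page, not BlackSheep's scanner; the domains and records it reads are constructed for illustration, and `lookup_txt` stands in for a real resolver query. It also captures two caveats the headline figures gloss over: a `pct` tag below 100 means an enforcing policy is only sampled, and a subdomain with no `_dmarc` record inherits the organizational domain's policy.

```python
# Added example: classify SPF and DMARC records the way a passive scan would.
# Not BlackSheep's scanner. DNS answers below are constructed for illustration.

# Constructed TXT answers keyed by query name. A live scan would resolve
# <domain> and _dmarc.<domain> with a DNS library such as dnspython.
SAMPLE_TXT = {
    "cu-strong.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.cu-strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@cu-strong.example; pct=100"],
    "cu-soft.example": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.cu-soft.example": ["v=DMARC1; p=none; rua=mailto:reports@cu-soft.example"],
    "cu-partial.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.cu-partial.example": ["v=DMARC1; p=reject; pct=10"],
    "cu-none.example": ["google-site-verification=abc123"],  # TXT exists, but no SPF
    # cu-none.example publishes no _dmarc record at all
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; [] means NXDOMAIN or no TXT records."""
    return SAMPLE_TXT.get(name, [])


def classify_spf(domain):
    """missing | multiple | hardfail | softfail | neutral | pass | no-all

    Classified by the qualifier on the 'all' mechanism. On its own, ~all only
    asks receivers to mark mail; under DMARC it still counts as a non-pass,
    so ~all plus an enforcing DMARC policy does block spoofed mail.
    """
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "missing"
    if len(records) > 1:
        return "multiple"  # RFC 7208 s4.5: more than one record is a permerror
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if term.lstrip("+-~?").lower() == "all":
            return {"-": "hardfail", "~": "softfail", "?": "neutral"}.get(qualifier, "pass")
    return "no-all"  # unlisted senders evaluate to 'neutral'


def dmarc_tags(domain):
    """Parse 'k=v; k=v' from the _dmarc record into a dict; {} if absent."""
    records = [r for r in lookup_txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not records:
        return {}
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(domain):
    """missing | invalid | none | quarantine | reject

    Caveat: a subdomain without its own _dmarc record inherits the
    organizational domain's policy (RFC 7489 s6.6.3), so test the
    registered domain before reporting a subdomain as 'missing'.
    """
    tags = dmarc_tags(domain)
    if not tags:
        return "missing"
    policy = tags.get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else "invalid"


def spoofing_protection(domain):
    """enforced | partial | monitoring-only | none

    'partial' means quarantine/reject is published but pct<100, so only a
    sample of failing mail is actually acted on.
    """
    policy = classify_dmarc(domain)
    if policy in ("quarantine", "reject"):
        try:
            pct = int(dmarc_tags(domain).get("pct", "100"))
        except ValueError:
            pct = 0
        return "enforced" if pct >= 100 else "partial"
    if policy == "none":
        return "monitoring-only"
    return "none"


def scan(domains):
    return {d: {"spf": classify_spf(d), "dmarc": classify_dmarc(d),
                "protection": spoofing_protection(d)} for d in domains}


if __name__ == "__main__":
    for domain, r in scan([d for d in SAMPLE_TXT if not d.startswith("_dmarc.")]).items():
        print(f"{domain:20} spf={r['spf']:9} dmarc={r['dmarc']:8} {r['protection']}")
```

To run it against real domains, replace `lookup_txt` with a resolver call and keep the rest; the "no DMARC" bucket in this report corresponds to `classify_dmarc` returning `missing`, and the "none (monitoring only)" bucket to `monitoring-only`.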
The data
Security gaps across 611 credit unions
| Finding | Affected | % |
|---|---|---|
| No Content-Security-Policy header | 506 | 82.8% |
| No X-Frame-Options (clickjacking risk) | 464 | 75.9% |
| No HSTS enforcement | 392 | 64.2% |
| No DMARC record | 355 | 58.1% |
| No privacy policy visible | 320 | 52.4% |
| No HTTP-to-HTTPS redirect | 280 | 45.8% |
| No SPF record | 195 | 31.9% |
| Weak SPF (softfail only) | 155 | 25.4% |
| DMARC set to “none” (monitoring only) | 89 | 14.6% |
| Robots.txt exposes admin paths | 76 | 12.4% |
| Server version exposed | 58 | 9.5% |
| SSL certificate expired | 36 | 5.9% |
| Open CORS policy (data theft risk) | 31 | 5.1% |
| Self-signed SSL certificate | 5 | 0.8% |
Overall grades
1 in 5 credit unions scores D or F
The average score is 51 — a low C. Credit unions have the lowest average of any financial vertical we've assessed.
| Score | Credit unions | % |
|---|---|---|
| 80-100 | 50 | 8.2% |
| 60-79 | 185 | 30.3% |
| 40-59 | 247 | 40.4% |
| 20-39 | 43 | 7.0% |
| 0-19 | 86 | 14.1% |
By asset size
The largest credit unions score the worst
Unlike banks and RIAs where larger institutions score slightly higher, the $10B+ credit unions average just 38.5 — a D+ grade. More than half have critical vulnerabilities, and 65% have no DMARC.
| Asset Tier | Avg Score | No DMARC | Critical |
|---|---|---|---|
| $10B+ | 38.5 | 65.0% | 55.0% |
| $1B–$10B | 52 | 58.2% | 35.8% |
| $500M–$1B | 50.9 | 62.8% | 36.5% |
| $100M–$500M | 56.5 | 20.8% | 20.8% |
Email infrastructure
Where we confirmed the email platform, 25% still lack DMARC
MX records only show the first hop. We used autodiscover CNAME records, Microsoft TXT verification, SPF includes, and SMTP EHLO banner grabbing to identify the actual email platform. We confirmed the platform for 268 of 611 credit unions.
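The multi-signal fingerprinting described above, as an added example that is not BlackSheep's tooling. It works from constructed DNS answers (MX targets, TXT strings, and the CNAME target of `autodiscover.<domain>`) for illustrative domains; the hostname suffixes used as signatures are the commonly observed ones, assumed here rather than taken from the report, and the SMTP EHLO step is omitted because it needs a live connection. It shows why MX alone is not enough: a gateway takes the MX, and the platform behind it is recovered from autodiscover, the Microsoft domain-verification TXT record, or SPF include targets.

```python
# Added example: fingerprint the email platform from DNS signals.
# Not BlackSheep's tooling; DNS answers and domains are constructed.

# Constructed answers per domain. A live scan would resolve MX, TXT and
# autodiscover.<domain> CNAME; these are illustrative, not real credit unions.
SAMPLE_DNS = {
    "cu-direct.example": {
        "mx": ["cu-direct-example.mail.protection.outlook.com"],
        "txt": ["v=spf1 include:spf.protection.outlook.com -all"],
        "autodiscover": None,
    },
    "cu-gateway.example": {  # Proofpoint in front, Microsoft 365 behind it
        "mx": ["mxa-00123456.gslb.pphosted.com", "mxb-00123456.gslb.pphosted.com"],
        "txt": ["MS=ms12345678", "v=spf1 include:spf.protection.outlook.com -all"],
        "autodiscover": "autodiscover.outlook.com",
    },
    "cu-google.example": {
        "mx": ["aspmx.l.google.com", "alt1.aspmx.l.google.com"],
        "txt": ["v=spf1 include:_spf.google.com ~all"],
        "autodiscover": None,
    },
    "cu-mimecast.example": {  # gateway visible, nothing reveals what sits behind it
        "mx": ["us-smtp-inbound-1.mimecast.com"],
        "txt": ["v=spf1 include:us._netblocks.mimecast.com -all"],
        "autodiscover": None,
    },
    "cu-marketing.example": {  # web-only domain: no MX, so no mail to fingerprint
        "mx": [], "txt": [], "autodiscover": None,
    },
}

# Hostname suffixes commonly seen for each product (assumption: a production
# scanner would carry a fuller signature list).
GATEWAY_MX = {"Proofpoint": ("pphosted.com",), "Mimecast": ("mimecast.com",),
              "Barracuda": ("barracudanetworks.com",)}
PLATFORM_MX = {"Microsoft 365": ("mail.protection.outlook.com",),
               "Google Workspace": ("google.com",)}
PLATFORM_SPF = {"Microsoft 365": "spf.protection.outlook.com",
                "Google Workspace": "_spf.google.com"}


def _match(hostname, suffixes):
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def spf_includes(txt_records):
    """include: targets from the SPF record, lowercased; [] if no SPF."""
    for record in txt_records:
        if record.lower().startswith("v=spf1"):
            return [t.split(":", 1)[1].lower() for t in record.split()[1:]
                    if t.lower().startswith("include:")]
    return []


def fingerprint(domain):
    """Return {'gateway', 'platform', 'evidence'}; MX shows only the first hop."""
    dns = SAMPLE_DNS.get(domain, {"mx": [], "txt": [], "autodiscover": None})
    result = {"gateway": None, "platform": None, "evidence": []}
    if not dns["mx"]:
        result["evidence"].append("no MX record")
        return result
    for mx in dns["mx"]:
        for name, suffixes in GATEWAY_MX.items():
            if result["gateway"] is None and _match(mx, suffixes):
                result["gateway"] = name
                result["evidence"].append(f"mx {mx} -> {name}")
        for name, suffixes in PLATFORM_MX.items():
            if result["platform"] is None and _match(mx, suffixes):
                result["platform"] = name
                result["evidence"].append(f"mx {mx} -> {name}")
    # Behind a gateway the MX is silent; fall through to the other signals.
    if result["platform"] is None and dns["autodiscover"] and \
            _match(dns["autodiscover"], ("autodiscover.outlook.com",)):
        result["platform"] = "Microsoft 365"
        result["evidence"].append("autodiscover CNAME -> autodiscover.outlook.com")
    if result["platform"] is None and any(t.lower().startswith("ms=ms") for t in dns["txt"]):
        result["platform"] = "Microsoft 365"
        result["evidence"].append("MS=ms... domain verification TXT")
    if result["platform"] is None:
        for name, include in PLATFORM_SPF.items():
            if include in spf_includes(dns["txt"]):
                result["platform"] = name
                result["evidence"].append(f"spf include:{include}")
    return result


def summarize(domains):
    """Count platforms across a set of domains; unmatched ones land in 'Unknown'."""
    counts = {}
    for d in domains:
        key = fingerprint(d)["platform"] or "Unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for d in SAMPLE_DNS:
        print(d, fingerprint(d))
    print(summarize(list(SAMPLE_DNS)))
```

The `cu-mimecast.example` case is the honest "Unknown": a gateway MX with no autodiscover, verification TXT or platform include leaves nothing to confirm, which is the bucket the report's 48.6% mostly falls into.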
| Platform | Share of 611 | Detail |
|---|---|---|
| Microsoft 365 | 34.2% | 209 CUs confirmed |
| Google Workspace | 9.7% | 59 CUs confirmed |
| GoDaddy | 3.4% | Shared hosting email |
| Self-hosted | 3.6% | Postfix, Exim |
| Unknown | 48.6% | No MX / CDN / proxy |
Confirmed-domain DMARC stats
Of the 268 credit unions where we confirmed the email platform runs on the website domain: 25.4% have no DMARC and 10.1% have no SPF. The all-domain figure (58.1%) is higher because many CU websites run on marketing domains separate from their email domain.
Why so many unknowns?
48.6% of credit unions could not be matched to an email platform. Most are running email through their core processor, a CUSO, or a shared branch network on a separate domain. Their public website is a marketing site that doesn't handle email — so checking DMARC on that domain isn't measuring their actual email security.
Behind gateways: still Microsoft
Proofpoint: 93.3% Microsoft behind the gateway. Mimecast: 94.1% Microsoft. Barracuda: 100% Microsoft. Credit unions using email security gateways are almost universally running Microsoft 365 underneath.
Regulatory context
What NCUA expects from your credit union
NCUA Letter 25-CU-01 (January 2025) reinforced cybersecurity expectations for all federally insured credit unions. Combined with GLBA Safeguards and FFIEC guidance, examiners are evaluating:
- Board-approved security program: written, comprehensive, reviewed annually
- Risk assessment: identifies threats to member information
- Access controls: MFA, role-based access, session management
- Email authentication: SPF, DKIM, DMARC to prevent spoofing
- Incident response plan: tested, with 72-hour notification requirement
- Vendor due diligence: third-party risk assessments on all CUSOs and processors
Recommendations
Five actions your credit union can take this week
1. Force HTTPS everywhere. 46% of credit unions don't redirect HTTP to HTTPS. This is the single most critical fix: every page, especially member-facing forms, must be encrypted in transit. Redirect with a permanent (301/308) response to the HTTPS URL, and make sure the site's own links and forms point at HTTPS so members are never sent back to plaintext.
2. Deploy DMARC with a "reject" policy. The DNS change itself takes minutes and prevents anyone from spoofing your credit union's domain, protecting members from phishing emails that impersonate your CU. Inventory your legitimate senders first (marketing platforms, core processor, statement vendors) and stage the rollout, publishing p=none with rua reporting, then p=quarantine, then p=reject, so you don't bounce your own mail.
3. Enable HSTS. One HTTP header, sent over HTTPS, that tells browsers to always use HTTPS for that host and prevents downgrade attacks. It protects only the hosts that send it: if online banking runs on a separate vendor domain, that domain must send HSTS too.
4. Add Content-Security-Policy and X-Frame-Options headers. 83% of CUs are missing CSP, 76% have no X-Frame-Options. CSP limits where scripts and other content can load from, which blunts cross-site scripting; X-Frame-Options (or the CSP frame-ancestors directive, which supersedes it in current browsers) stops other sites from framing your pages for clickjacking.
5. Document your NCUA-compliant security program. Written policies, annual risk assessment, vendor oversight procedures, incident response plan with 72-hour notification. This is what examiners ask for first.
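The web-layer items in this list (redirect, HSTS, CSP, clickjacking headers, plus the CORS and server-version findings from the data table) can be checked from two HTTP responses per host. Below is an added example written for this page, not BlackSheep's scanner. It audits constructed responses for two illustrative hosts and carries a baseline header set labelled `RECOMMENDED_HEADERS`, which is an assumption of this example, not a policy from the report; the CSP in it must be tightened to what a real site actually loads before deployment.

```python
# Added example: audit the HTTP-layer findings from this report.
# Not BlackSheep's scanner; the responses below are constructed.
from urllib.parse import urlsplit

# Baseline headers for every HTTPS response (assumed baseline, not the report's).
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

# Constructed observations: the response to http://<host>/ and to https://<host>/
# when the request carried "Origin: https://evil.example".
PROBE_ORIGIN = "https://evil.example"
SITES = {
    "weak-cu.example": {
        "http": {"status": 200, "headers": {"Content-Type": "text/html"}},
        "https": {"status": 200, "headers": {
            "Server": "Apache/2.4.41",
            "Access-Control-Allow-Origin": "https://evil.example",
            "Access-Control-Allow-Credentials": "true",
        }},
    },
    "hardened-cu.example": {
        "http": {"status": 301, "headers": {"Location": "https://hardened-cu.example/"}},
        "https": {"status": 200, "headers": dict(RECOMMENDED_HEADERS, Server="nginx")},
    },
}


def header(headers, name):
    """Case-insensitive header lookup; None if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def redirects_to_https(http_resp, host):
    """True only for a redirect whose Location is https:// on this host (or www.)."""
    if http_resp["status"] not in (301, 302, 307, 308):
        return False
    parts = urlsplit(header(http_resp["headers"], "Location") or "")
    return parts.scheme == "https" and parts.hostname in (host, "www." + host)


def hsts_status(https_resp):
    """missing | short | ok. Checked on the HTTPS response only: browsers ignore
    HSTS received over plain HTTP. 'ok' requires max-age of at least one year."""
    value = header(https_resp["headers"], "Strict-Transport-Security")
    if value is None:
        return "missing"
    max_age = 0
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip('"'))
            except ValueError:
                max_age = 0
    return "ok" if max_age >= 31536000 else "short"


def csp_directives(headers):
    """Parse CSP into {directive: [sources]}; {} when no CSP is sent."""
    value = header(headers, "Content-Security-Policy") or ""
    out = {}
    for d in value.split(";"):
        tokens = d.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def clickjacking_protected(headers):
    """CSP frame-ancestors is authoritative in current browsers; X-Frame-Options
    is the fallback for older ones, so either counts (the report counts only XFO)."""
    if "frame-ancestors" in csp_directives(headers):
        return True
    return (header(headers, "X-Frame-Options") or "").strip().upper() in ("DENY", "SAMEORIGIN")


def cors_risk(headers, sent_origin):
    """none | wildcard | reflected-with-credentials. Reflecting an arbitrary Origin
    together with Allow-Credentials lets any site read authenticated responses."""
    acao = header(headers, "Access-Control-Allow-Origin")
    acac = (header(headers, "Access-Control-Allow-Credentials") or "").lower()
    if acao == "*":
        return "wildcard"  # browsers refuse credentials with '*', so public data only
    if acao == sent_origin and acac == "true":
        return "reflected-with-credentials"
    return "none"


def audit(host):
    """Return the list of findings for a host; [] means all checks passed."""
    site = SITES[host]
    h = site["https"]["headers"]
    findings = []
    if not redirects_to_https(site["http"], host):
        findings.append("no HTTP-to-HTTPS redirect")
    if hsts_status(site["https"]) != "ok":
        findings.append("HSTS " + hsts_status(site["https"]))
    if not csp_directives(h):
        findings.append("no Content-Security-Policy")
    if not clickjacking_protected(h):
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    if cors_risk(h, PROBE_ORIGIN) != "none":
        findings.append("CORS " + cors_risk(h, PROBE_ORIGIN))
    server = header(h, "Server") or ""
    if any(ch.isdigit() for ch in server):
        findings.append("server version exposed: " + server)
    return findings


if __name__ == "__main__":
    for host in SITES:
        print(host, audit(host) or "clean")
```

Point `SITES` at live responses (for example via `urllib.request` with redirects disabled and an `Origin` header set) and the same `audit` function reproduces the header rows of the data table for a single credit union.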
Your turn
Find out where your credit union stands
Enter your work email and we'll scan your credit union's domain for the same gaps we found across the industry. Full report in your inbox in minutes.
Based on publicly accessible infrastructure only. No systems accessed or tested beyond what any internet user can observe.
Methodology
Behind the data
BlackSheep analyzed the publicly accessible infrastructure of 611 federally insured credit unions with $100M or more in total assets across four categories: SSL/TLS security, email authentication (SPF, DMARC, DKIM), HTTP security headers, and technology configuration.
Each credit union received a composite score (0–100) and letter grade (A through F). All data was collected from publicly accessible infrastructure only — no systems were accessed, penetrated, or tested beyond what any internet user can observe.
Credit union data sourced from NCUA quarterly call reports. Asset tiers range from $100M to over $10B. Email authentication statistics (DMARC, SPF) are measured on each credit union's primary website domain. Credit unions running email through a CUSO, shared branch network, or parent domain may have authentication records configured elsewhere. Most credit unions use third-party online banking platforms hosted on separate domains — our scans measured the credit union's public marketing website, not the hosted banking application.
This report covers 611 of the 1,818 credit unions in our dataset with $100M+ in assets — the remainder had websites that could not be scanned (down, behind Cloudflare challenges, or no website found). Data collected April 2026. Individual credit union results are not disclosed in this report.
This report was produced by BlackSheep, a cybersecurity compliance platform purpose-built for regulated industries. 21 frameworks. $249/month.
Copyright 2026 BlackSheep Security. This report may be shared freely with attribution.