NCUA’s 2025 Cybersecurity and System Resilience Report: What Credit Unions Need to Know
The National Credit Union Administration (NCUA) recently released its annual Cybersecurity and Credit Union System Resilience Report to Congress (September 2025). The report provides a detailed overview of the evolving cyber threat landscape, highlights the agency’s supervisory initiatives and raises an important legislative concern: the NCUA’s lack of vendor examination authority. For boards, supervisory committees and information technology (IT) leaders, the report offers both a snapshot of systemic vulnerabilities and a roadmap for strengthening resilience.
The Threat Landscape: Growing Complexity and Scale
NCUA Chairman Todd Harper noted that the credit union system, which serves more than 139 million Americans, continues to face “unprecedented challenges” from cyberattacks. Key risks include:
- Ransomware and supply chain compromises – A 2024 ransomware event affecting a core service provider disrupted more than 60 small credit unions. This highlighted systemic risk where vendor failures cascade across institutions.
- Nation-state and criminal actor targeting – Critical infrastructure sectors, including financial services, remain high-value targets for sophisticated adversaries.
- Data confidentiality and integrity threats – Compromises of member information erode trust and invite regulatory scrutiny.
These developments reinforce the need for layered defenses, robust monitoring and coordinated response capabilities.
NCUA’s Supervisory Tools and Programs
The report highlights several initiatives the NCUA has deployed to promote cybersecurity maturity across federally insured credit unions:
- Information Security Examination (ISE) Program – A standardized framework driving consistency and transparency in supervisory reviews.
- Automated Cybersecurity Evaluation Toolbox (ACET) – A risk assessment tool aligned with the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (sunsetting this year), enabling self-assessments and benchmarking.
- Cyber Incident Notification Rule (2023) – Credit unions must report significant cyber incidents to the NCUA within 72 hours. This is aligned with broader regulatory trends in banking and critical infrastructure.
- Targeted outreach and grants – The agency continues to offer training, educational resources and financial support for eligible credit unions to enhance cybersecurity posture.
Collectively, these tools signal a shift from awareness-building to accountability and measurable resilience.
The Vendor Authority Gap: A Critical Blind Spot
Perhaps the most pressing issue raised in the report is the NCUA’s lack of supervisory authority over third-party service providers. Unlike banking regulators, the NCUA cannot directly examine or regulate core processors, cloud providers or fintech partners serving credit unions.
The 2024 ransomware incident underscored this vulnerability. Without direct oversight, the NCUA was limited in its ability to mitigate risks on behalf of affected institutions. Independent bodies, including the Government Accountability Office and the Financial Stability Oversight Council, have urged Congress to restore this authority. Until then, credit unions must strengthen their own vendor risk management programs, including:
- Rigorous due diligence and ongoing monitoring.
- Contingency planning for vendor outages.
- Clear incident notification and contractual obligations.
Strategic Implications for Credit Union Leaders
For boards and executives, the NCUA’s report should be viewed not as a compliance document, but as a call to action. Key implications include:
- Cybersecurity as a governance issue – Oversight cannot be delegated solely to IT; it requires board-level visibility and reporting.
- Systemic interdependence – Even well-prepared credit unions may face disruption through shared vendors, making collaborative defense strategies essential.
- Member trust as a strategic asset – With consumer awareness of data breaches rising, strong cybersecurity directly supports brand reputation and member confidence.
- Regulatory momentum – Incident notification, vendor oversight and resilience requirements are converging across the financial sector, signaling higher expectations for credit unions.
Key Takeaways
- The cyber threat environment facing credit unions is expanding in both sophistication and systemic risk.
- NCUA is advancing supervisory tools, including ISE, ACET and a 72-hour incident reporting rule.
- Vendor oversight remains a critical blind spot; Congressional action is needed to restore NCUA authority.
- Boards and executives must prioritize governance, vendor risk management and resilience investments.
- Member trust and systemic stability increasingly hinge on cybersecurity preparedness.
As technology continues to evolve and become more sophisticated, it’s important for your credit union to stay ahead and prioritize cybersecurity. Rely on Doeren Mayhew’s cybersecurity pros to carry the weight of cybersecurity and offer valuable insights to keep your credit union and its members secure.
Sources
- Cybersecurity and Credit Union System Resilience Annual Report to Congress, National Credit Union Administration, September 2025. NCUA.gov
- Government Accountability Office, “Credit Union Vendor Authority: NCUA Lacks Examination Powers,” 2024.
- Financial Stability Oversight Council, Annual Report, 2024.