DEFENSESTORM BLOG

What Credit Union Examiners Are Prioritizing in 2026: Cyber Edition

Monday, May 11th, 2026

The credit unions walking out of 2026 exams with the cleanest results have one thing in common: a risk management program that can be explained and defended when the examiner asks. A program that’s living, evidenced, and governed at the board level. 

Four things worth knowing before your next exam: 

  • Risk assessments are under the microscope. The 2026 Supervisory Priorities explicitly name risk assessments as something examiners will evaluate. If yours is a static exercise that isn’t actively guiding your program, that’s where they’ll dig in first. 
  • Third-party risk governance falls entirely on you. NCUA lacks the statutory authority to examine your vendors directly. The governance burden is yours – and concentration risk through CUSOs and shared platforms makes it heavier. 
  • “Deregulation” doesn’t mean softer exams. NCUA is moving items like the Guidelines for Safeguarding Member Information (Appendix A to part 748) from regulation to guidance. The expectations haven’t changed – but guidance is a faster vehicle, meaning NCUA can revise expectations more efficiently. 
  • Board engagement is a measurable expectation. NCUA Letter 24-CU-02 laid out four explicit board-level expectations in cybersecurity oversight. The 2026 exam is where examiners check whether those expectations are being met. 

The Supervisory Posture Has Shifted — Read It Carefully 

Start with the 2026 Supervisory Priorities letter. Cybersecurity had its own standalone section in 2025. In 2026, under Chairman Hauptman, it’s been folded into a single sentence under Payment Systems within Operational Risk Management. That could read as a step back. It isn’t. 

That single sentence names governance, risk assessments, vendor management, and security frameworks as what examiners will continue to assess. The expectations didn’t shrink. Also found in the 2026 Supervisory Priorities is the shift to risk-based, tailored exams, meaning examiners now have more discretion on where they focus. The priorities letter says it directly: “examiners are expected to shift the areas of supervisory focus based on a credit union’s risk profile when appropriate.” When examiners have that kind of latitude, they go where the risk is. To be successful, ensure your risk management program is well documented and widely understood. Does executive management know where the risk lies? If you haven’t completed a thorough risk assessment and used it to drive your cybersecurity program, you risk being caught off guard by where examiners choose to focus. Know your risk to know how to prepare. 

Meanwhile, NCUA Letter 24-CU-02 Board of Director Engagement in Cybersecurity Oversight remains the governing document on what boards are expected to do. The expectations span cybersecurity education, information security program oversight, and operational oversight of technical domains like third-party due diligence, resilience planning, and backup management – areas where boards don’t always have deep familiarity but are nonetheless expected to govern. The 2026 exam is where examiners look at whether your board has been meeting those expectations, not just acknowledging them. Do your board minutes and board packages reflect this oversight? Expect examiners to review them closely. 

The backdrop makes the urgency concrete. From September 2023 through August 2024, federally insured credit unions reported 1,072 cyber incidents, and seven of ten involved a third-party vendor. That is not a threat statistic; it is a governance statistic. 

Deregulation Doesn’t Mean What You Think It Means 

NCUA’s Deregulation Project is real and it’s moving. Under Executive Order 14192, the agency is reviewing all its regulations and targeting items that are obsolete, duplicative, overly burdensome, or actually guidance rather than requirements. Two of the most relevant proposals for cybersecurity are the removal of 12 CFR 748 Appendix A (Guidelines for Safeguarding Member Information) and Appendix B (Guidance on Response Programs for Unauthorized Access to Member Information) from the Code of Federal Regulations. Both would be republished as Letters to Credit Unions. 

Read that carefully. The content isn’t disappearing. It’s being moved from regulation to guidance, and Letters to Credit Unions don’t require the formal notice-and-comment rulemaking that codified regulations do. That’s not softer expectations. That’s faster-moving expectations. 

NCUA’s own FAQ on the Deregulation Project page says it plainly: “The changes will not reduce your exam frequency or rigor, modify internal controls or cybersecurity expectations, or member-protection requirements.” That’s the agency telling you the exam doesn’t get easier. What changes is the vehicle – and guidance moves faster than regulation. Credit unions should expect the bar to evolve more quickly, not recede. 

Risk Assessments Are the Exam’s Starting Point 

The 2026 Supervisory Priorities name risk assessments explicitly as something examiners will evaluate. For credit unions that treat the risk assessment as an annual exercise – complete it, file it, move on – that’s a problem. A risk-based exam starts with the risk assessment. If the examiner finds it incomplete, outdated, or disconnected from how the program actually operates, that shapes the rest of the conversation. 

Many credit unions struggle with this. It’s common to see the risk assessment outsourced to a third party, and when that happens, the strategic value of the exercise often gets lost. The output sits in a folder instead of driving the program. The risk assessment should be the foundation everything is built on. It should inform which controls are in place and how they’re monitored, and the monitoring should demonstrate that those controls are effective. Ultimately, it should inform budget and resource allocation, strategic priorities, and program maturation. When examiners ask “how did you determine this was the right approach,” the answer should trace back to the risk assessment. If it doesn’t, the program looks reactive instead of risk-based – and that’s a harder exam. 

NCUA’s Information Security Examination (ISE) structure reinforces this. It uses three tiers: SCUEP for credit unions at or below $50 million in assets, CORE for those above $50 million, and CORE+ at examiner discretion for higher-risk or more complex institutions. The tier determines the depth of the exam. Across all three, the starting question is the same: does the credit union understand its risk? 

Third-Party Risk: You Own It 

The vendor program is where the sharpest examiner questions land, and credit unions face a structural challenge banks don’t. NCUA lacks the statutory authority to examine third-party vendors directly (its temporary authority lapsed at the end of 2001). Chairman Hauptman has asked Congress to restore it, citing the ransomware attack on a core service provider that disrupted more than 60 small credit unions. Until that changes, however, the governance burden is entirely on the credit union. 

That means the examiner’s questions all point inward. Do you understand the risk profile of each critical vendor? Are the controls commensurate with the risk? How are you monitoring it? What governance processes are in place? How is concentration risk being evaluated and communicated to the board? For credit unions relying on shared vendors and CUSOs, the concentration question is particularly pointed. When hundreds of institutions share a platform, the risk isn’t just operational – it’s systemic. And examiners know it. 

AI, and how to manage its risks, is top of everyone’s mind, and it makes fourth-party risk something to weigh heavily. Many credit unions aren’t deploying AI directly at scale. They’re using AI because their vendors have embedded it – in fraud models, core platforms, communication tools. The examiner’s question is whether the credit union knows that, has documented it, and has started thinking about governance. Do you know which models sit behind each embedded AI feature, and whether several critical systems depend on the same one? Be prepared to talk through how that’s being documented and managed. 

AI Governance: Get Ahead of It 

NCUA has acknowledged AI as a priority. There’s a resource page on ncua.gov that curates links to NIST, CISA, Treasury, and FinCEN publications. But it’s a link page, not guidance. The two vendor management letters they lead with are from 2001 and 2007. There are no NCUA-authored AI governance expectations, no AI examination procedures, and no CU-specific framework. 

That doesn’t mean examiners won’t ask about it. It means when they do, there’s no regulator-provided playbook to point to. Credit unions that have started building an AI governance posture – even a basic one that documents what AI is in use, who owns the risk, and how it’s being monitored – will be in a fundamentally different position than those who haven’t started. 

The CRI Financial Services AI Risk Management Framework (February 2026) provides a structured approach. It was built in collaboration with 108 financial institutions, including credit unions. It’s the most actionable tool available for AI governance in financial services right now. If not adopted as one of your frameworks, it should at least be a reference point as you design your AI risk governance program. 

The CRI FS AI RMF has four functions: Govern, Map, Measure, Manage. Four adoption stages: Initial, Minimal, Evolving, Embedded. A credit union that can place itself on that curve and articulate a plan for maturing – even from the Initial stage – is demonstrating the kind of governance posture examiners reward. When NCUA does publish AI-specific guidance, it’ll almost certainly come as guidance rather than regulation, which means it can arrive fast. Being ahead of it is better than catching up. 

The ACET Isn’t a Framework 

A note on the ACET. NCUA updated it in September 2025, renaming it the “ACET Maturity Assessment” and mapping it to NIST CSF 2.0. It still contains all the original FFIEC CAT content. Unlike banks, which had to find their own CAT replacement, credit unions still have a regulator-supported self-assessment tool. That’s an advantage. 

But the ACET is a maturity measurement tool – not a governance framework and not exam procedures. NCUA’s own FAQ says it: “the ACET maturity assessment is a self-assessment and is not an IT examination.” Completing the ACET doesn’t mean you’ve adopted a framework. It means you’ve measured yourself. And just because the ACET still exists doesn’t mean you can’t adopt a framework like your bank neighbors have. There’s no requirement to use the ACET. The FFIEC retired the CAT after deciding not to update it for NIST CSF 2.0 or CISA’s Cybersecurity Performance Goals, acknowledging that newer resources better serve institutions managing cybersecurity risk. It’s reasonable to question whether a tool built on that same foundation is the right resource to anchor your program around. Adopting a framework is still a good call. Be sure you’re prepared to answer which frameworks, if any, are shaping your program, how you’re using them, and where your deficiencies are. 

Credit unions that want a banking-specific governance framework have options. The CRI Profile maps to NIST CSF 2.0 and layers on regulatory expectations specific to financial services, including an additional function – Extend – that addresses third-party risk management. NIST CSF 2.0 is the broader, sector-agnostic option; its new Govern function covers board oversight, risk appetite, and supply chain risk, which makes it far better aligned with financial-services oversight than CSF 1.1 was and a reasonable fit for credit unions already operating under defined regulatory expectations. 

Board-Level Metrics and Reporting 

The board oversight expectation is established and Letter 24-CU-02 makes it clear. The question is whether your board is receiving the information it needs to actually govern cyber risk. 

Meaningful information is often the gap. The board doesn’t need raw vulnerability data or incident counts presented in isolation. The board needs metrics tied to the credit union’s risk appetite, presented in a format that supports trend analysis and informed decisions. Many key metrics at credit unions are standardized – net interest margin, delinquency rates, loan concentration limits – and any board member can put them in context. Cyber risk reporting, by contrast, is still largely ad hoc status slides without defined, repeatable, meaningful metrics behind them. That’s the gap examiners are probing. They’re looking for defined cyber metrics tied to risk appetite, a monitoring cadence, and a reporting structure the board can understand and question. 

A lot of this comes down to one shift. Cyber risk at credit unions is being evaluated as a risk management domain, and examiners have more discretion to evaluate it that way. Credit unions that have built programs around annual compliance exercises are going to have harder exams than those where the risk governance framework is actively shaping decisions, informing the board, and proving the controls are effective and adequate in light of the risk. 

DefenseStorm’s Governance and Monitoring capability automates evidence collection and maps controls to the frameworks examiners reference, including CRI Profile v2.1, NIST CSF 2.0, and ISE exam procedures. If it would help to see what that looks like for a credit union your size, the DefenseStorm team is happy to walk through it. 

Jessica Caballero

Vice President, Banking Strategy

Jessica Caballero, CERP, CRCM, serves as the Vice President of Banking Strategy at DefenseStorm. She is dedicated to developing solutions specifically designed to meet the unique needs of banks and credit unions, enhancing their risk management capabilities while improving efficiencies for community financial institutions. Jessica oversees the alignment of the GRID Active platform strategy with our customers’ needs and regulatory expectations.

Jessica began her career as an examiner with the Office of the Comptroller of the Currency (OCC). Her extensive experience spans various roles including examiner, banker, and consultant. Since 2014, she has focused on banking technology innovation, initially at Abrigo (formerly Banker’s Toolbox). Before joining DefenseStorm, Jessica was a subject matter expert in BSA/AML and enterprise risk management. She now leverages her expertise in risk management to assist information security and cybersecurity teams within community financial institutions.