NCUA IT Compliance Checklist For Montana Credit Unions
Most Credit Unions Are Doing More Right Than They Realise. The Problem Is Proving It When It Counts.
A thirty-minute self-assessment built specifically for Montana credit unions. Work through it based on what you know today. By the end you will have a clear picture of where your information security program stands before an examiner, insurer, or board member asks the question first.
What NCUA Examiners Are Looking For In 2026
The Gap Between What Is In Place And What Can Be Clearly Demonstrated To An Examiner
NCUA examiners are arriving with more specific questions than they were three years ago. They want documentation, not verbal confirmation. Evidence, not intention. A policy that exists but has never been tested or tied to actual security decisions will receive a finding the same as having no policy at all.
We work with credit unions across Montana at multiple asset tiers. What we see consistently is that most credit unions have more in place than they realise. The problem is that controls which exist but are not documented, tested, or clearly owned are controls an examiner cannot verify.
That gap is where credit unions get caught out. This checklist helps you find it before someone else does.
Credit Union Information Security Program Requirements
Six Areas The ISE Examination Covers And Where Most Credit Unions Have Documentation Gaps
- Governance and NCUA readiness -- who is accountable and whether you can demonstrate it clearly
- Access control and identity management -- who has access to what and whether that is still appropriate
- Data protection and member information security -- where member data lives and how it is handled
- Vendor and third-party risk -- what your core banking vendors cover and what they do not
- Incident response and business continuity -- whether your plan has ever been tested against a real scenario
- Staff awareness and compliance culture -- the human layer where most incidents actually begin
Each section ends with a reflection question and a space to score your current posture.
Who Needs An NCUA Cybersecurity Compliance Review
Built For The People Responsible For Getting Through The Next Examination

- CEOs and Executive Leadership
- IT Managers and Technology Staff
- Compliance and Risk Officers
- Operations Leaders Responsible For Vendor Oversight
If you would be asked to answer for IT risk in a board meeting or examiner conversation, this checklist is for you.
NCUA ISE Examination Requirements 2026
What Has Changed For Montana Credit Unions Since The ISE Replaced The ACET Framework
The NCUA replaced its ACET examination framework with the Information Security Examination in 2023. In 2026, examiners are actively assessing board cybersecurity training records, IT risk assessments against eight specific criteria, scenario-based incident response playbooks for common attack types, and vendor risk documentation covering the full payment ecosystem rather than just internally managed infrastructure.
The 72-hour cyber incident reporting rule has been in effect since September 2023. In the first year, credit unions filed over 1,000 reports. Roughly 70 percent were traced back to third-party vendors. If a vendor notifies you of a breach affecting your members, your 72-hour reporting window starts the moment you receive that notification, not when your investigation is complete.
Credit unions that come through examinations well are rarely the ones with the most sophisticated technology. They are the ones who can show their work.
Credit Union Vendor Risk Assessment Requirements
Long-Standing Vendor Relationships Are Exactly Where Examiner Oversight Goes Thin
A payment processor your credit union has used for eleven years with no current risk assessment on file is one of the most consistent ISE findings. Examiners know that long-standing relationships are where oversight tends to lapse, and they look there deliberately.
The same applies to any third-party platform handling payments, data, or member services. A credit union that has current documentation for recently onboarded vendors but nothing on file for a core processor used for over a decade is likely to receive a finding regardless of how well that relationship has performed.
The checklist covers what examiner-ready vendor oversight documentation looks like and where the most common gaps appear.
What Happens When You Download The Checklist
Work Through It Once And See Where Things Are Clear Versus Where They Are Not
You do not need perfect information to complete this checklist. Work through it based on what you know today.
Some sections will be straightforward. Others may surface uncertainty you have been aware of but have not had time to address. That uncertainty is useful. It tells you where to focus first.
You go through the checklist, compare what you expected with what you found, and decide whether anything needs a closer look.
There is no sales sequence waiting on the other side of this download. Just a clearer picture of where your credit union stands today.
NCUA Credit Union IT Risk Assessment
Take The Free TechStack Challenge To Get A Clear Read On Where Your Program Stands
If the checklist surfaces gaps you want to understand more clearly, the TechStack Challenge is a free thirty-minute working session with a First Call expert.
We work with credit unions across Montana at multiple asset tiers and understand how ISE expectations differ between SCUEP-tier institutions and those operating under Core or Core+. In the session we will review what you found, confirm real versus perceived risk, and identify the two or three things worth addressing first.
- Review your checklist results with an experienced Montana IT advisor
- Confirm which 2026 examiner priorities your program handles well and where the gaps are
- Identify what to address first based on your asset tier and examination history
- Get a straight answer on next steps with no obligation to engage further
We have supported Montana businesses for over 25 years. We will give you a useful conversation, not a sales pitch.
Montana Credit Union IT Support Since 1998
Credit Union NCUA Cybersecurity Compliance Questions
Common Questions From Montana Credit Union Leaders
Yes. The rule applies to all federally insured credit unions, including federally insured state-chartered credit unions. If your deposits are covered by the NCUA Share Insurance Fund, the 72-hour reporting obligation applies.
ISE Core is the baseline examination for credit unions over $50 million in assets. Core+ represents additional examination elements applied at examiner discretion when a credit union's risk profile warrants a deeper review. It is not a separate program you opt into.
It depends on whether it has been tested and maintained since then. A plan with an updated date but no evidence of testing, no current contact lists, and no scenario-specific playbooks will receive a finding regardless of when it was last formally reviewed. The checklist covers what examiners actually look for when they ask to see your plan.
No. Your vendor's compliance and your credit union's compliance are separate questions. Examiners will assess your vendor management documentation, your risk assessment of that relationship, and your oversight processes independently of whatever compliance posture your vendor holds. This is one of the most common misunderstandings we encounter and one of the most consistent examination findings.
For most credit unions under $1 billion in assets with strong CAMELS ratings, examinations are typically conducted every 12 to 18 months. The NCUA updated its examination scheduling policy in January 2025 and retains the authority to examine any federally insured credit union more frequently if conditions warrant it.
Download The NCUA IT Compliance Checklist
Find Out Where Your Credit Union Stands Before The Examiner Does
firstsolution.com
First Call – Montana owned and operated since 1998