Picture this: your exam is six weeks out. Your board asked last month whether the credit union has an incident response plan for ransomware. Someone found a document from 2021 and updated the date. Your payment processor switched core platforms in March and nobody has run a vendor risk assessment since. And somewhere in the back of your mind, you know the NCUA rolled out new examination procedures in 2023 that your team has not fully mapped your program against.
This is not an unusual situation. It is, in fact, the situation many Montana credit unions find themselves in when an exam cycle approaches. The problem is rarely a lack of effort. It is usually that the regulatory landscape has moved faster than the program keeping up with it.
This guide covers what has changed, what examiners are actively looking for in 2026, and where the most common gaps show up. If any of that sounds familiar, start here.
What Governs IT Requirements for Credit Unions
Two bodies set the framework for IT oversight at federally insured credit unions: the NCUA and the FFIEC.
The NCUA (National Credit Union Administration) is the primary federal regulator for federally insured credit unions. It sets the specific regulations credit unions must comply with, conducts examinations, and publishes its supervisory priorities each January so credit unions know what examiners will focus on that year.
The FFIEC (Federal Financial Institutions Examination Council) is an interagency body that includes the NCUA, FDIC, Federal Reserve, OCC, and CFPB. It publishes the IT Examination Handbook, a set of eleven booklets covering information security, business continuity, architecture, outsourcing, payments, and more. NCUA examiners use these booklets directly. When the FFIEC updates a booklet, credit unions feel it.
The two frameworks are not separate. NCUA regulations reference FFIEC guidance, and the procedures of the NCUA's Information Security Examination (ISE) align with the FFIEC booklets. In practice, you need both.
The Information Security Examination (ISE): What Replaced the Old Framework
For years, NCUA used the Automated Cybersecurity Examination Tool (ACET) as its primary IT exam framework. The ACET was suspended as an examination program in 2020 and formally replaced by the Information Security Examination (ISE), which has been in use since 2023 and continues as the standard in 2026.
The ISE comes in three tiers based on asset size:
SCUEP (Small Credit Union Examination Program): For credit unions under $50 million in assets. Focuses on compliance with Parts 748 and 749 of NCUA regulations, covering the core security program and records preservation requirements. Streamlined in scope, but not light on expectations.
ISE Core: For credit unions over $50 million in assets. Builds on SCUEP requirements with a risk-focused examination approach. This is where the bulk of cybersecurity governance, vendor management, and operational resilience controls are assessed.
ISE Core+: Optional extended review elements for credit unions where specific risk factors warrant a deeper look. Examiners may apply Core+ controls based on what they find during scoping.
The ISE aligns closely with NIST frameworks, Center for Internet Security (CIS) controls, and CISA guidance rather than NCUA regulations alone. Your information security program needs to be defensible against industry standards, not just internally consistent.
NCUA Part 748: The Foundation Everything Sits On
Part 748 of NCUA regulations is the baseline for credit union information security compliance. Two appendices matter:
Appendix A, Guidelines for Safeguarding Member Information: This is the operational core. It requires every federally insured credit union to maintain a written information security program covering risk assessment, risk management and control decisions, service provider oversight, testing, and board reporting. The board must receive an annual report on the status of the information security program.
Appendix B, Cybersecurity Incident Response: This outlines the member notification requirements when sensitive member information is compromised or could have been misused.
In 2023, Part 748 was amended to add the 72-hour cyber incident notification requirement (covered in the next section). The compliance officer or president must also certify compliance with Part 748 requirements annually through NCUA’s CUOnline system.
The 72-Hour Cyber Incident Reporting Rule
Since September 1, 2023, all federally insured credit unions have been required to report qualifying cyber incidents to the NCUA within 72 hours of forming a reasonable belief that a reportable incident has occurred.
What qualifies as reportable:
- A substantial loss of confidentiality, integrity, or availability of a network or member information system resulting from unauthorized access or exposure of sensitive data
- Disruption of vital member services
- A serious impact on the safety and resiliency of operational systems and processes
Critically, the 72-hour clock starts when the credit union reasonably believes a reportable incident has occurred, not when the investigation is complete. The initial notification does not require a full incident assessment. It is an early alert, and the detailed analysis comes later.
What also triggers reporting: If a third-party vendor notifies your credit union that their systems have been compromised in a way that affects your members or operations, your 72-hour window starts from the moment you receive that notification.
This matters. In the first year of the reporting requirement, credit unions filed over 1,000 cyber incident reports. Roughly 70% of those incidents were traced back to third-party vendors. Vendor incidents are not an exemption. They are a reporting trigger.
How to report: Via the NCUA Cyber Incident Credit Union Reporting portal, phone, or secure email to the NCUA’s designated point of contact.
Most credit unions do not know exactly where their program stands until an examiner tells them. A TechStack Assessment gives you that picture before the exam does. See what the assessment covers.
What NCUA Examiners Are Focused On in 2026
The NCUA’s 2026 supervisory priorities were published on January 14, 2026 and are more operationally specific than previous years. For IT and cybersecurity, here is what examiners are actively assessing:
Board Cybersecurity Training and Engagement
For the first time, examiners are making annual board cybersecurity training a named priority. Boards must move beyond passive awareness to active comprehension.
Examiners are looking for evidence that board members have received structured cybersecurity education, not just a summary report from management, and that they understand enough to ask substantive questions and provide meaningful oversight. The NCUA has published dedicated guidance on board director engagement in cybersecurity oversight, and examiners reference it directly during reviews.
Comprehensive IT Risk Assessments
NCUA now evaluates IT risk assessments against eight specific criteria. Missing even one element signals incomplete governance.
A risk assessment that identifies threats without quantifying likelihood, impact, or the credit union’s current control effectiveness will not satisfy an examiner. Risk assessments must be documented, current, board-approved, and tied to actual security decisions. Producing one for the exam and filing it away is not sufficient.
Vulnerability Management
Examiners now expect vulnerability management to function as a strategic, evidence-based process with measurable improvement targets and documented exceptions, rather than a periodic patching cycle. They want to see defined thresholds, prioritization criteria, and a documented rationale when remediation is delayed.
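To make "defined thresholds, prioritization criteria, and a documented rationale when remediation is delayed" concrete, here is an added Python example of a vulnerability SLA review that produces the kind of evidence the paragraph describes. It is not code from the page or from First Call; the SLA thresholds, severity ranking, the review date, and the findings themselves are constructed for illustration, and a credit union's own vulnerability management policy sets the real values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation thresholds (days from discovery) per severity.
# Constructed for this example; policy-defined in practice.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Assumed prioritization order: severity first, then how long past SLA.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str
    discovered: date
    remediated: Optional[date] = None
    # A delayed-remediation exception needs a written rationale AND an
    # expiry date; an expired exception is treated as no exception.
    exception_rationale: Optional[str] = None
    exception_expires: Optional[date] = None


def sla_deadline(f: Finding) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])


def days_overdue(f: Finding, as_of: date) -> int:
    return (as_of - sla_deadline(f)).days


def has_valid_exception(f: Finding, as_of: date) -> bool:
    return (
        bool(f.exception_rationale)
        and f.exception_expires is not None
        and f.exception_expires >= as_of
    )


def classify(f: Finding, as_of: date) -> str:
    """Bucket a finding the way a review would present it to the board."""
    deadline = sla_deadline(f)
    if f.remediated is not None:
        return "remediated_in_sla" if f.remediated <= deadline else "remediated_late"
    if as_of <= deadline:
        return "open_in_sla"
    if has_valid_exception(f, as_of):
        return "overdue_with_exception"
    return "overdue_no_exception"


def prioritize(findings, as_of: date):
    """Overdue findings lacking a current exception, worst first."""
    overdue = [f for f in findings if classify(f, as_of) == "overdue_no_exception"]
    overdue.sort(key=lambda f: (SEVERITY_RANK[f.severity], -days_overdue(f, as_of)))
    return [f.finding_id for f in overdue]


def review(findings, as_of: date) -> dict:
    counts: dict = {}
    for f in findings:
        status = classify(f, as_of)
        counts[status] = counts.get(status, 0) + 1
    remediated = [f for f in findings if f.remediated is not None]
    in_sla = sum(1 for f in remediated if f.remediated <= sla_deadline(f))
    rate = in_sla / len(remediated) if remediated else None
    return {
        "as_of": as_of.isoformat(),
        "counts": counts,
        "remediated_in_sla_rate": rate,  # measurable improvement target
        "needs_rationale": prioritize(findings, as_of),
    }


# Constructed sample findings and review date (not real assets or CVEs).
AS_OF = date(2026, 3, 31)
SAMPLE_FINDINGS = [
    Finding("V-001", "online-banking-web", "critical", date(2026, 1, 10), remediated=date(2026, 1, 20)),
    Finding("V-002", "file-server-01", "high", date(2026, 1, 5), remediated=date(2026, 2, 20)),
    Finding("V-003", "core-processor-gw", "critical", date(2026, 2, 1),
            exception_rationale="Vendor patch scheduled; compensating network ACL in place",
            exception_expires=date(2026, 4, 30)),
    Finding("V-004", "hr-portal", "high", date(2026, 2, 10)),
    Finding("V-005", "branch-kiosk-03", "medium", date(2025, 11, 1),
            exception_rationale="Awaiting hardware refresh",
            exception_expires=date(2026, 3, 15)),  # expired: no longer a valid exception
    Finding("V-006", "print-server", "low", date(2026, 3, 20)),
    Finding("V-007", "ach-batch-host", "critical", date(2026, 3, 1)),
]


def example_report() -> dict:
    return review(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    import json
    print(json.dumps(example_report(), indent=2))
```

The report separates open findings that carry a current, written exception from those that have simply lapsed, and V-005 shows why the expiry date matters: an exception that was once approved but has run out gives an examiner nothing to accept, so the finding goes back onto the remediation list.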
Scenario-Based Incident Response Playbooks
Generic incident response procedures are not enough. Examiners expect scenario-specific playbooks for common attacks: ransomware, business email compromise, DDoS, data breaches, insider threats, and vendor incidents.
If your incident response plan uses language like “in the event of a cybersecurity incident, the IT team will respond accordingly,” it will receive a finding. Playbooks need to specify who does what, in what order, within what timeframes, and how the 72-hour NCUA notification obligation gets triggered and fulfilled.
Payment Systems Security
The NCUA’s 2026 priorities explicitly call out payment systems as a key operational risk area. With real-time payment rails expanding and payment environments relying on increasingly complex third-party integrations, the attack surface has grown considerably.
Examiners will look beyond your internal controls. They will assess the vendor management and risk assessment documentation for your payment processors specifically. A credit union that has a current risk assessment for its core processing platform but nothing on file for its real-time payments provider or ACH vendor is likely to receive a finding. The expectation is that security governance covers the full payment ecosystem, not just the infrastructure your team manages directly.
AI Use and Oversight
Concrete NCUA AI regulations have not been finalized, but examiners are already asking about AI use, policies, and risks. The NCUA updated its AI resource hub in December 2025 to consolidate key technical and policy references for federally insured credit unions.
If your credit union uses AI tools, whether for fraud detection, member service, lending decisions, or internal operations, examiners will ask about it. They will reference existing frameworks: NIST AI guidance, COSO enterprise risk management principles, and NCUA’s own third-party oversight guidance. The expectation is that AI governance sits within your existing risk management structure, not outside it.
The FFIEC IT Handbook: What Changed Recently
The FFIEC IT Examination Handbook is the reference material NCUA examiners use when conducting ISE reviews. Two updates are worth noting for 2026:
Development, Acquisition, and Maintenance (DA&M) Booklet, updated 2024: This booklet was rewritten to replace guidance that had not been updated since 2004. It introduces current expectations around IT project management, system development life cycles, and supply chain risk management. If your credit union manages software vendor relationships or relies on third-party platforms for core operations, this booklet is the reference point examiners now use to assess those processes.
Reputation Risk References Removed, February 2026: The FFIEC updated the IT Examination Handbook to remove all references to reputation risk across all booklets, in response to a broader regulatory direction emphasizing measurable financial risks over subjective reputational considerations. If your GRC documentation still uses reputation risk as a standalone risk category tied to IT decisions, it warrants review before your next exam.
What Examiners Actually Find
Regulations and frameworks aside, the most consistent pattern across NCUA IT exams is straightforward: the program looks fine on paper and falls apart when examiners ask for evidence.
Here is what that typically looks like in practice.
An examiner asks to see the incident response plan. The credit union produces one. The examiner asks when it was last tested. There is a pause. There has not been a tabletop exercise in two years, possibly longer. The plan references a contact list that includes staff who left the organization eighteen months ago. This is not a policy failure. It is a maintenance failure, and it is one of the most common findings in the ISE program.
The same pattern shows up in risk assessments. A credit union updates its risk assessment every January, as required. The examiner asks how that assessment influenced security spending decisions over the past year. The connection is not documented. The risk assessment exists, but it does not drive anything. To an examiner, that is the same as not having one.
Vendor management is where the third-party reality of modern credit union operations becomes a liability. A credit union has due diligence documentation for every vendor it onboarded in the past three years. The payment processor it has used for eleven years has no current assessment on file. Examiners know that long-standing vendor relationships are exactly where oversight tends to go thin, and they look there deliberately.
Board reporting is the last piece. The board receives a cybersecurity report each quarter. It contains metrics: number of phishing attempts blocked, patch completion rate, vulnerability count by severity. What it does not contain is any recommendation for board action, any decision the board is being asked to make, or any explanation of what those numbers mean for the credit union’s actual risk exposure. A report that informs without advising does not satisfy the 2026 board engagement priority.
These gaps are fixable. What they require is someone who can connect what the policy says with what the credit union can actually demonstrate. That is the work First Call’s advanced cybersecurity services are built around, and it is ongoing work, not a pre-exam sprint.
Where to Start
The gaps described above (untested incident response plans, risk assessments that exist but do not influence decisions, vendor checklists that stop at onboarding, board reports that inform but do not advise) are the same findings that come up across NCUA IT examinations. First Call’s credit union IT services are built to address exactly these.
We work with credit unions across Montana at multiple asset tiers. That means we understand how ISE expectations differ between a SCUEP-tier institution and one operating under Core or Core+, and we structure our support accordingly.
The TechStack Challenge is the practical starting point. In 20 minutes with a First Call expert, you get a clear read on which of the 2026 examiner priorities your program handles well, where the documentation gaps are, and what to address first. No preparation required on your end.
Frequently Asked Questions
Does the 72-hour reporting rule apply to state-chartered credit unions?
Yes. The rule applies to all federally insured credit unions, which includes both federal credit unions and federally insured state-chartered credit unions. If your deposits are covered by the NCUA Share Insurance Fund, the 72-hour reporting obligation applies to your institution.
What happens if we miss the 72-hour reporting window?
The NCUA expects notification as soon as possible within the 72-hour window, not at hour 72. Missing the window does not automatically trigger a penalty, but it will likely result in an examiner finding and a requirement to update your incident response procedures to demonstrate how you will meet the obligation in future incidents. Repeated or egregious failures to report could result in more serious supervisory action.
Does the 72-hour rule require a full incident report?
No. The initial notification is an early alert only. It should include basic information: the nature of the incident, its potential impact, and any immediate response actions taken. A full incident assessment is not required within the 72-hour timeframe. You will have the opportunity to provide additional detail as the investigation progresses.
What is the difference between ISE Core and ISE Core+?
ISE Core is the baseline examination for credit unions over $50 million in assets. Core+ represents additional examination elements that examiners may apply when a credit union’s risk profile warrants a deeper review, for example if the institution has complex third-party dependencies, high transaction volumes, or prior examination findings in specific areas. Core+ is not a separate program you opt into. It is applied at examiner discretion based on scoping.
How often do NCUA IT examinations occur?
The NCUA updated its examination scheduling policy in January 2025. For most credit unions under $1 billion in assets with strong CAMELS ratings, examinations are typically conducted every 12 to 18 months. Credit unions with assets between $1 billion and $10 billion may qualify for extended cycles. The NCUA retains the authority to examine any federally insured credit union more frequently if conditions warrant it.
This guide reflects NCUA supervisory priorities and FFIEC guidance current as of May 2026. Regulatory requirements are subject to change. First Call recommends consulting your examiner, legal counsel, or compliance advisor for institution-specific guidance.