2025 NCUA Supervisory Priorities for Credit Unions
January 10, 2025
Introduction
The National Credit Union Association (NCUA) has released its latest Letter to Credit Unions – the Supervisory Priorities for 2025. The letter details the updates to the NCUA’s examination program for the coming year and what should be top of mind for all credit unions. The Cybersecurity section included some important updates – let’s get into it.
Evolving Threat Landscape
Year over year, cyberattacks continue to increase in frequency and sophistication. Credit unions rely more and more on technology, which in turn creates increased risk of cyber incidents. Technologies, vendors, and employees are all potential weak points that require proactive, ongoing security management and due diligence.
The NCUA considers cybersecurity a crucial top priority for properly managing information security and avoiding compromise of systems, fraud, financial loss, and reputational harm.
Examination Program
The NCUA will continue using the Information Security Examination (ISE) Program for 2025, its third year of being applied to credit unions. The Small Credit Union Examination Program (SCUEP) applies to credit unions below $50 million in assets. The CORE Examination Program applies to all credit unions over $50 million in assets as a baseline for security practices. Larger credit unions will also be required to comply with additional requirements under CORE+, where applicable.
If you want to read about the ISE Program in more detail, check out our other blog: https://www.tracesecurity.com/blog/articles/ncua-ise-requirements
ACET Availability
Credit unions can still voluntarily complete the Automated Cybersecurity Evaluation Tool (ACET) to assess their cybersecurity maturity level. The results of this self-assessment are based on credit unions of around the same size and complexity as the credit union completing the assessment.
The ACET was originally developed as a credit union specific version of the FFIEC’s Cybersecurity Assessment Tool (CAT). It’s unclear if the NCUA will follow suit, but the FFIEC will be sunsetting the CAT in August of this year. You can read more about the CAT sunset here: https://www.tracesecurity.com/blog/news/ffiec-to-sunset-the-cat-in-2025
Cyber Incident Notification Requirements
The Supervisory Priorities for 2025 also included a reminder about the Cyber Incident Notification Requirements that went into effect on September 1, 2023. Credit unions are required to report cyber incidents to the NCUA within 72 hours of detection, including incidents that stem from a vendor or third-party provider.
In the first year of this requirement being in place, credit unions reported 1,072 cyber incidents. A whopping 70% of reported incidents were related to third-party vendors, which goes to show how important due diligence and vendor management can be.
You can read more about the Cyber Incident Notification Requirements here: https://www.tracesecurity.com/blog/news/new-ncua-cyber-incident-reporting-rules
Board of Director Engagement
In October 2024, the NCUA released a special letter to credit union Boards of Directors and CEOs calling for increased oversight and governance of cybersecurity. Cybersecurity is not just an IT issue, and must be prioritized across your entire credit union.
It’s been proven time and time again – a culture of security awareness and resilience starts from the top. If board members and C-levels are invested in cybersecurity, it can significantly increase your credit union’s cybersecurity posture and better protect your members.
You can read the full Board of Director Engagement in Cybersecurity Oversight letter here: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/board-director-engagement-cybersecurity-oversight
Conclusion
Credit unions can rest easy knowing that there are not any major changes to the NCUA’s cybersecurity requirements compared to last year. The NCUA expects examiners to pay special attention to third-party risk, technology, and cybersecurity this year. You can read the official NCUA release here: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/ncuas-2025-supervisory-priorities
TraceSecurity is here to help with your 2025 cybersecurity compliance goals and to provide guidance on what to expect from examiners. Get in touch today!