
NCUA Examiner Insights: 2025 Top Priorities

At Rivial’s 2025 Risk & Compliance Summit, NCUA RISOs shared valuable insights on how credit unions can strengthen their cybersecurity programs. Their message was clear: protecting your credit union and member data requires a thoughtful, strategic approach focused on key areas of risk and compliance.

In this blog, we’ll review the examiners’ top cybersecurity findings from 2024, walk through the key strategic areas to focus on in 2025, and provide actionable steps security leaders can take to help protect their credit unions in the year ahead.

Top 3 Findings for 2024

During the webinar, one of the RISOs shared the top findings across all credit unions in 2024. These included:

Business Continuity and Disaster Recovery (BCDR) emerged as a major weakness. When disruptions happen—whether from cyberattacks, natural disasters, or system failures—credit unions struggle to get back online quickly. A big part of the problem is inadequate testing. Some institutions aren’t testing their BCDR plans regularly or under realistic conditions, leaving them unprepared for real-world scenarios. Over-reliance on a single vendor for critical services also poses a risk—if that vendor goes down, it could cause serious operational issues. On top of that, unclear communication and poorly defined roles during a crisis were mentioned as factors that lead to confusion and slow response times.

Risk Assessment was another weak spot. A solid risk assessment process is the foundation of any effective cybersecurity strategy, but many institutions are falling short. Outdated risk registers are a common problem, with some institutions failing to update their assessments to reflect new threats, like AI-driven attacks. Inconsistent methodologies for risk assessment also lead to gaps in identifying and managing vulnerabilities. Another issue is limited Board involvement—when senior leadership isn’t fully engaged in risk oversight, critical risks can slip through the cracks.

Incident response was identified as the final common weakness. Quick and effective action is crucial during a cyber incident, but many institutions lack the necessary structure to respond efficiently. The absence of clear playbooks often causes confusion and delays during a breach. Incomplete post-incident reviews are another issue, leading to missed opportunities to learn from mistakes and improve future responses.

Key Areas of Focus for 2025

Looking ahead to 2025, the NCUA has outlined several key focus areas for the year. It’s essential to start by reviewing the NCUA’s 2025 Supervisory Priorities. During our panel, the examiners discussed critical areas they will be closely monitoring this year and shared insights on how you can prepare.

  1. Incident Response: The 72-Hour Rule
    To stay compliant, clearly define the 72-hour rule and develop incident-specific playbooks. One of the most common gaps we see is that credit unions haven’t clearly defined what constitutes a reportable incident. Make sure this definition is included in your incident response plan and playbooks. Test your incident response plan at least once a year and maintain thorough documentation to ensure readiness.

  2. Board Training: Building Confidence and Understanding
    Ensure your Board of Directors is well-informed and confident about the information security program reports it reviews. To achieve this, provide annual training sessions focused on the content of your reports and the key aspects of the security program the Board will be responsible for. This will empower directors to make informed decisions with clarity and assurance.

  3. Risk Assessment: Aligning Risk Appetite and Methodology
    Begin by establishing a Board-approved risk appetite, ideally tied to financial metrics to align with business objectives. Use a standardized methodology for IT risk assessments. This ensures a consistent approach to evaluating the likelihood and impact of potential threats.

  4. Vulnerability Management: A Continuous Improvement Process
    Treat vulnerability management as an ongoing cycle that includes credentialed scans, progress tracking, and iterative improvements. Conduct credentialed scans regularly, use the findings to prioritize patching efforts, and systematically assign and track vulnerabilities. Monitor remediation timelines closely to ensure you meet your defined mitigation goals.
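The vulnerability management item above calls for assigning findings to owners, tracking them, and monitoring remediation timelines against defined mitigation goals. The script below is an added illustration of that tracking step, written for this post; it is not Rivial’s or the NCUA’s code, and the severity-based remediation targets (7/30/90/180 days) and the sample findings are constructed placeholders, not an examiner-mandated schedule or real scan data. It flags open findings that have passed their deadline and produces per-severity counts of the kind a Board or examiner progress report would need.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Remediation targets in days by severity. These are constructed
# placeholders; substitute the mitigation goals your Board has approved.
REMEDIATION_SLA_DAYS: Dict[str, int] = {
    "critical": 7,
    "high": 30,
    "medium": 90,
    "low": 180,
}


@dataclass
class Finding:
    """One vulnerability from a credentialed scan, assigned to an owner."""
    finding_id: str
    host: str
    severity: str                      # one of the keys in REMEDIATION_SLA_DAYS
    discovered: date                   # date the scan first reported it
    assignee: str                      # team accountable for remediation
    remediated: Optional[date] = None  # None while the finding is still open


def due_date(finding: Finding) -> date:
    """Deadline for fixing the finding under the severity-based target."""
    if finding.severity not in REMEDIATION_SLA_DAYS:
        raise ValueError(f"unknown severity {finding.severity!r} on {finding.finding_id}")
    return finding.discovered + timedelta(days=REMEDIATION_SLA_DAYS[finding.severity])


def overdue_findings(findings: List[Finding], today: date) -> List[Tuple[Finding, int]]:
    """Open findings past their deadline, paired with days overdue, worst first."""
    overdue = []
    for f in findings:
        deadline = due_date(f)
        if f.remediated is None and today > deadline:
            overdue.append((f, (today - deadline).days))
    return sorted(overdue, key=lambda pair: pair[1], reverse=True)


def remediation_summary(findings: List[Finding], today: date) -> Dict[str, Dict[str, int]]:
    """Per-severity counts for a progress report: open, open and overdue,
    closed within target, closed late."""
    summary = {sev: {"open": 0, "open_overdue": 0, "closed_in_sla": 0, "closed_late": 0}
               for sev in REMEDIATION_SLA_DAYS}
    for f in findings:
        deadline = due_date(f)          # validates severity before bucket lookup
        bucket = summary[f.severity]
        if f.remediated is None:
            bucket["open"] += 1
            if today > deadline:
                bucket["open_overdue"] += 1
        elif f.remediated <= deadline:
            bucket["closed_in_sla"] += 1
        else:
            bucket["closed_late"] += 1
    return summary


# Constructed sample findings and report date (not real scan output).
REPORT_DATE = date(2025, 3, 1)
SAMPLE_FINDINGS = [
    Finding("F-001", "core-db-01", "critical", date(2025, 2, 10), "dba-team"),
    Finding("F-002", "web-01", "high", date(2025, 2, 15), "web-team"),
    Finding("F-003", "hr-app-01", "medium", date(2024, 11, 1), "app-team",
            remediated=date(2025, 1, 15)),
    Finding("F-004", "vpn-01", "high", date(2024, 12, 1), "network-team",
            remediated=date(2025, 1, 20)),
    Finding("F-005", "print-01", "low", date(2025, 1, 10), "helpdesk"),
]

if __name__ == "__main__":
    for f, days in overdue_findings(SAMPLE_FINDINGS, REPORT_DATE):
        print(f"{f.finding_id} {f.severity:8} {f.host:12} {f.assignee:13} {days} days overdue")
    for sev, counts in remediation_summary(SAMPLE_FINDINGS, REPORT_DATE).items():
        print(f"{sev:9} {counts}")
```

Run against the constructed data as of 1 March 2025, the script reports F-001 (critical, open 19 days against a 7-day target) as 12 days overdue, and the summary shows one high-severity finding (F-004) that was closed but missed its 30-day target. The "closed_late" count is the one worth watching over successive scans: it shows whether the cycle is actually improving, not just whether the backlog is shrinking.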

How Organizations Can Prepare For Their NCUA Exam

To stay ahead of examiner expectations, financial institutions need to be proactive. Here’s what we recommend to stay ready:

Begin by reviewing the key focus areas above and ensure you are properly managing all of them. Next, organize your documentation. Keeping policies, procedures, and incident reports updated and easy to access makes it simpler to meet compliance requirements and handle examiner requests. Using a centralized platform to manage this can save time and prevent last-minute stress.

Next, train your employees and Board regularly. Human error is still a top reason for breaches, so make sure your team knows how to spot phishing attempts, handle ransomware threats, and follow cloud security best practices. Well-trained employees are your first line of defense. Training the Board ensures its members have a clear understanding of the security program and can make informed decisions.

Make sure to test your defenses regularly. Audits and simulated attacks are a great way to uncover weak spots before real threats strike. Bringing in third-party experts for penetration testing and red team exercises can give you a fresh perspective and help identify gaps you might have missed. A trusted vendor that provides a thorough, well-rounded risk assessment can make a big difference in strengthening your overall security.

Finally, build a culture of security. Cybersecurity isn’t just the IT department’s problem—it’s everyone’s responsibility. Encourage employees to report suspicious activity and make security a natural part of everyday operations. When security is baked into the company culture, your 

Watch the NCUA Panel Recording

We hope this blog provides you with the clarity and direction needed to feel confident heading into this year’s exam. Preparing for evolving threats and regulatory expectations can be challenging, but having the right information and strategies in place makes all the difference.


We also want to extend our sincere thanks to the NCUA representatives for joining our Risk and Compliance Summit. Their valuable insights and expert guidance play a crucial role in helping the credit unions they serve to strengthen their defenses and navigate the complex world of cyber threats more effectively. Their commitment to supporting the industry’s security and resilience is truly appreciated.


If you’d like to dive deeper, you can watch the full webinar here: NCUA Panel: Infosec & Cybersecurity in 2025
