
Cybersecurity for Credit Unions
Credit union cybersecurity compliance is the practice of adhering to a set of mandates and regulations that ensure the confidentiality and integrity of digitized member data.
Last year (September 1, 2023 – August 31, 2024) the National Credit Union Administration (NCUA) reported 1,072 cyberattacks among the 4,411 federally registered credit unions in the U.S. That translates to an attack on roughly one in every four credit unions, a concerning trend.
Maintaining regulatory compliance helps credit unions sustain the baseline level of cybersecurity needed to mitigate attacks. Key stakeholders range from the CEO and CISO, who set the tone, through management to front-line workers, who carry out compliant practices day to day.
Key Regulations Governing Credit Union Compliance
Core Credit Union Compliance Regulations
- NCUA 12 CFR Part 748: To maintain NCUA compliance, credit unions must develop a written cybersecurity program within 90 days of the effective date of insurance. This must ensure the confidentiality of member records, anticipate threats or hazards to the data, and protect against unauthorized access.
- NCUA Cyber Incident Notification Rule (72-hour): Credit unions must report cyber incidents to the NCUA no later than 72 hours after they reasonably believe an incident has occurred.
- ACET (Automated Cybersecurity Evaluation Toolbox): Developed by the NCUA, this voluntary tool helps credit unions and other financial institutions determine their risk and assess their cybersecurity preparedness.
Note: The FFIEC’s Cyber Assessment Tool (CAT), in use since June 2015, is being retired on August 31, 2025 and replaced by the ACET described above.
Additional Credit Union Regulations
Additional compliance standards, frameworks, and governing bodies to which credit unions may be subject include:
- Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
- Office of the Comptroller of the Currency (OCC)
- Consumer Financial Protection Bureau (CFPB)
- Larger state regulations such as NYDFS 500 (New York) and CCPA/CPRA (California).
Consequences of Non-Compliance
Penalties for failing to comply with credit union cybersecurity mandates range from financial penalties and fines to legal action, reputational damage, and loss of member trust. While the 72-hour reporting rule does not spell out penalties explicitly, consequences for not adhering to it can include formal enforcement actions such as cease-and-desist orders and informal actions such as warnings.
Violating the GLBA carries more clearly defined consequences: up to a $100,000 fine per infraction for institutions (plus an amount that can equal up to one percent of the credit union’s assets) and up to a $10,000 fine per senior executive. Both the institution and its directors may also be subject to fines under Title 18 of the United States Code and up to 5 years imprisonment.
Your Credit Union Cybersecurity Compliance Roadmap
Step 1: Complete risk-based ACET assessment
Establish your security baseline by performing a risk-based assessment using the ACET. This voluntary maturity assessment allows credit unions to determine their cyber readiness over time and identify risks before they become a problem.
Step 2: Maintain a written GLBA-compliant security program
The GLBA, as enforced by the NCUA for credit unions, requires a written information security program that outlines how the financial institution (credit union, in this case) is going to safeguard customer data. The provisions should include technical, physical, and administrative safeguards.
Step 3: Implement a 72-hour incident reporting protocol
Map the key stakeholders in the communication chain of command for reporting cyberattacks. All cyber incidents within a credit union must be reported to the NCUA within 72 hours of reasonable discovery and directed to [email protected].
Step 4: Conduct board-approved annual reviews of security program
The board should approve the mandated information security program at its outset and subsequently oversee its implementation and maintenance. Management must provide the board with yearly reports relating to the material matters of the program.
Step 5: Integrate business continuity and record preservation
12 CFR Part 749 of the NCUA regulations mandates a Records Preservation Program; this ensures that credit unions can find, store, and reconstruct critical records in the event of loss.
Step 6: Formalize third-party oversight
Under the GLBA, credit unions are responsible for protecting member information in all circumstances, including when it resides with third parties. Proper precautions should be taken, including vetting third parties beforehand with risk assessments and offensive security testing, contractually detailing data security and incident reporting procedures, and requiring external parties to fully comply with data privacy laws.
Conclusion
Credit unions are often targeted because of their limited size and their assumed limited cybersecurity capabilities. A strong security posture that follows current U.S. regulations is enough to challenge those assumptions.
At the end of the day, threat actors are opportunists looking for the next easy strike. Securing your credit union with industry-standard FinServ compliance practices is enough to make attackers look elsewhere.