Introduction

Every year, the National Credit Union Association releases a statement on cybersecurity priorities that should be considered for the current year. With it, the NCUA provides guidance and resources relating to these supervisory priorities in order to help build a proper and current security posture. The threat landscape is always producing new and updated methods of attack, so it’s important to keep up to date with the NCUA.

However, some years are a bit lighter than others. For this year, it’s simply a “keep doing what you’re doing” situation. While cyber attacks are still happening, not much is different when it comes to the proper defenses that credit unions need. The Information Security Examination (ISE) Program for 2025 still applies for 2026, so it’s a good idea to freshen up on what it contains.

What’s in the ISE Program?

This is the fourth year that the NCUA has applied the ISE program across the country. There is the Small Credit Union Examination Program (SCUEP), which applies to credit unions below $50 million in assets. If a credit union is over $50 million, the CORE Examination Program applies to them. This is the minimum for CORE, but a large credit union will need the CORE+ Examination Program. Here are a few things that are necessary when it comes to these programs:

Small Credit Union Examination Program (SCUEP)
  • Risk Assessment
  • IT Security Audit
  • Vulnerability Assessment
  • External Penetration Test
  • Security Awareness Training
  • Remote Social Engineering (Phishing & Vishing)
  • Tabletop Testing of Disaster Recovery and/or Business Continuity Plans
CORE Examination Program
  • Everything in the SCUEP Program above
  • An Annual Vulnerability Assessment
  • Internal Penetration Test
  • Onsite Social Engineering
CORE+ Examination Program
  • Additionally, a quarterly, authenticated Vulnerability Assessment
  • Remote Social Engineering (Smishing)
  • Physical Security Control Testing
  • Web Application Testing
  • Wireless Controls Testing
  • Remote Access Control Testing
  • Password Security Testing
  • Firewall Security Testing
  • Ransomware Readiness Assessment

Additional Recommendations

In addition to the ISE Requirements, the NCUA wants to make sure that payment systems are properly protected. They are becoming more complex, and as such, the risks of vulnerabilities and gaps in security become more prevalent. The NCUA examiners will continue to assess whether everything is in place for these payment systems, including vendor management, risk assessments, and more.

Another thing that has been under the microscope is third-party vendors and relationships. There has been a rise in attacks on supply chains and various other third-party organizations that may be part of the financial institution. This means that bad actors are getting through to the credit unions through these vendors, since they may not be up to date when it comes to information security. It is important to evaluate relationships with third-party vendors, making sure to review security and authorizations with them.

Resources and Guides

With these supervisory priorities, credit unions may be confused or unsure of where to turn. Thankfully, there are plenty of resources out there, including some from the NCUA themselves. These resources include:

  • Automated Cybersecurity Evaluation Toolbox (ACET)
  • Examiner’s Guide
  • National Supervision Policy Manual (NSPM)
  • FFIEC Information Technology Booklets
  • Credit Union Service Organization (CUSO) Reviews
  • Common Best Practices with Publications and Framework
  • Information Sharing through the NCUA’s Organizations

While the NCUA has many free resources, another option includes third-party cybersecurity firms. Many information security organizations provide detailed steps and assist with roadmap creation, making things easy and stress-free when it comes to examinations. Some financial institutions may come at these cybersecurity requirements with little to no experience, but there are plenty of firms out there that will explain everything in as much detail as you want.

Conclusion

The 2026 NCUA supervisory priorities haven’t changed much from last year, and when it comes to cybersecurity, they are pretty much the same. The Information Security Examination Program that they created for 2025 still carries over to this year, meaning that credit unions will need to follow the SCUEP and CORE recommendations.

Of course, these are already things that credit unions should be doing anyway. It is important to get IT audits, penetration tests, risk assessments, and various other things. Security awareness is crucial for any organization, even beyond financial institutions like credit unions. Regardless, protecting your employees and customers should always be top-of-mind and a priority for any business.

Eddy Berry, Security Research Analyst

Eddy has been researching cybersecurity for a few years now. Finding specific trends and best practices is something he takes pride in, assisting in finding news and government regulations that are on the rise. He researches topics and writes articles based on current events and important vulnerabilities that are affecting people, always hoping to get the necessary cybersecurity steps to those that need them.