2026 Credit Union Cyber Exam Readiness Checklist

Examiner perspective NCUA Letter 24-CU-02 is the central document examiners point to when assessing board engagement on cybersecurity. Knowing what's in it — and how your board's behavior maps to it — is table stakes for 2026.

• Most recent NCUA Supervisory Priorities letter reviewed for current exam focus areas
• NCUA Letter 24-CU-02 (Board of Director Engagement in Cybersecurity Oversight) reviewed and board expectations understood
• Risk management program well documented and widely understood by executive management
• Prepared for risk-based, tailored exams — examiners have more discretion on where they focus; areas of higher risk identified where they may dig in further
• Familiar with NCUA's Deregulation Project and its implications for cybersecurity guidance — expectations unchanged, vehicle faster
• Prepared for cybersecurity expectations to evolve through guidance rather than regulation

Next focus: Risk Assessments. Examiners want to see the linkage between your risk assessment and your actual control selections — not two separate exercises.

Examiner perspective A current risk assessment isn't enough. Examiners look for evidence it's actively informing controls, budget, and program maturation — not sitting in a binder waiting to be dusted off for the exam.

• Risk assessment completed, current, and reflective of the credit union's actual risk profile
• Risk assessment actively informing the cybersecurity program — not a periodic exercise disconnected from operations
• Controls in place informed by the risk assessment, with monitoring that defends control effectiveness
• Risk assessment informing budget and resource allocation, strategic priorities, and program maturation
• Able to trace program decisions back to the risk assessment when examiners ask
• ISE tier understood (SCUEP / CORE / CORE+) and prepared for the corresponding depth of exam

Next focus: Third- and Fourth-Party Risk. 2026 emphasis is concentration risk — particularly for shared vendors and CUSOs that many credit unions rely on.

Examiner perspective Concentration risk is the 2026 emphasis. If multiple critical vendors run on the same underlying platform — cloud provider, AI model, payments rail — examiners want to see you've evaluated it and communicated it to governing bodies.

• Vendor risk management program documented with governance processes understood by stakeholders — how risk is assessed, monitored, and reported
• Risk profile of each critical vendor articulated — not just due diligence confirmed
• Controls applied to each vendor commensurate with the risk, rationale documented
• Vendor consolidation and concentration risk evaluated and communicated to governing bodies — particularly for shared vendors and CUSOs
• Resilience implications of concentration risk considered — what happens if a shared platform goes down
• AI governance plan in place — or a plan for a plan — accounting for both direct and embedded AI use
• Fourth-party AI concentration considered: do you know what underlying models power critical vendor systems?

Next focus: AI Governance. Examiners are asking — have something to point to, even if it's a plan for a plan.

Examiner perspective "A plan for a plan" is acceptable. Inability to answer basic governance questions about your AI use — direct or embedded in vendor systems — is not.

• AI governance posture documented — what AI is in use, who owns the risk, and how it's being monitored
• Familiar with the CRI Financial Services AI Risk Management Framework (FS AI RMF, February 2026)
• Credit union positioned on the CRI FS AI RMF adoption curve (Initial, Minimal, Evolving, Embedded) with a plan for maturing
• If not adopting CRI FS AI RMF, able to answer AI governance questions through another framework or reference point

Next focus: Framework Adoption. ACET is sunsetting. Whatever you've adopted in its place, be ready to defend the choice and show how it shapes decisions.

Examiner perspective A framework on a shelf scores no better than no framework at all. Examiners want to see how it informs decisions and where you've identified gaps — being honest about deficiencies beats pretending they don't exist.

• Replacement framework(s) identified beyond the ACET
• Rationale for framework selection documented and defensible
• Self-assessment(s) against the adopted framework(s) completed and documented with evidence
• Deficiencies identified in the self-assessment documented with short-term and long-term remediation plans
• Framework(s) actively shaping the program — able to demonstrate how they inform decisions, not sitting on a shelf as a compliance artifact
• Prepared to answer how they're being used and where deficiencies are

Next focus: Board-Level Reporting. This is where oversight quality is judged — make sure your minutes tell the story examiners can read.

Examiner perspective Board minutes are where oversight quality is judged. Quality of challenge and substantive questions matter as much as the metrics being reported — examiners read them.

• Board package reflects meaningful information provided to support quality oversight
• Board and committee minutes reflect substantive questions and effective challenge on cyber risk
• Board oversight of technical domains evidenced — third-party due diligence, resilience planning, backup management, etc.
• Cyber metrics tied to the credit union's risk appetite, presented in a format that supports trend analysis — not ad hoc status slides or raw vulnerability data
• Board members able to contextualize cyber metrics, evidenced through quality of engagement in meeting minutes
• Informed decisions demonstrated — budgeting and resource allocation tied to reporting as evidence
• Reporting structure repeatable, defined, and meaningful enough that examiners can assess quality of board oversight

All sections complete. You're ready to defend your posture in 2026. Scroll down if you'd like a second set of eyes.