Credit Union Board IT Reporting: What NCUA and FFIEC Examiners Expect

Credit union boardroom with NCUA examiner reviewing Microsoft 365 board IT report on screen

TL;DR for credit union directors and senior leadership

  • NCUA 12 CFR Part 748 Appendix A requires your board to approve the written information security program and receive a written report on its status at least annually.
  • NCUA Letter 24-CU-02 (October 2024) raised the bar by organizing board cybersecurity oversight into four areas: recurring training, program approval, operational oversight, and incident response and resilience planning.
  • The 72-hour Cyber Incident Reporting Rule (12 CFR 748.1(c)) does not impose a separate board-notification deadline, but examiners expect your incident response plan to include board escalation for any incident that meets the NCUA reporting threshold.
  • Microsoft Secure Score and Microsoft Purview Compliance Manager produce percentage-based posture metrics that map cleanly into the board-level summary FFIEC and NCUA examiners expect to see.
  • If your board minutes do not contain evidence of these reports, the gap is yours to defend during the next examination cycle.

The first sign that your board IT reporting is in trouble usually shows up in a single examiner question. The NCUA examiner sits down at the conference table, opens a laptop, and asks for the board minutes from the last four quarters. Specifically, the pages where management briefed the board on the information security program, the risk assessment update, the cyber incidents that were reported during the year, and the third-party service provider reviews. If the credit union cannot put those pages in front of the examiner inside fifteen minutes, the examination shifts from a routine check to a documented governance finding.

This article walks through exactly what NCUA, FFIEC, and the federal Interagency Guidelines expect a credit union board to see, in what format, on what frequency, and with what level of supporting evidence. The same framework applies to banks and mortgage companies that fall under FFIEC oversight, because NCUA's Part 748 Appendix A is the credit union parallel to the Interagency Guidelines Establishing Information Security Standards that the banking agencies issued, and the two impose the same program structure and the same board reporting obligation. We will close with the specific Microsoft 365 metrics that translate cleanly into the board language examiners want to see, and how a Tier-1 Microsoft Cloud Solution Provider like ABT manages your Microsoft 365 tenant and packages the underlying data into the report your board needs to approve.

  • Annual: minimum frequency for the written board report on the information security program (NCUA Part 748 Appendix A, FFIEC Management Booklet II.B)
  • 72 hours: NCUA cyber incident reporting deadline under 12 CFR 748.1(c), effective September 1, 2023
  • 6 topics: content areas the annual board report must cover under Part 748 Appendix A Section F

What NCUA Part 748 Appendix A Requires Your Board to Approve and Review

NCUA's Guidelines for Safeguarding Member Information, codified at 12 CFR Part 748 Appendix A, give credit union directors the clearest statement of what the board must do for information security oversight. The rule is short, but examiners cite it more often than any other Part 748 reference during the IT portion of a credit union examination.

Section III.A of Appendix A, titled Involve the Board of Directors, requires the board or an appropriate committee to do two things. First, approve the credit union's written information security policy and program. Second, oversee the development, implementation, and maintenance of the program, which the rule spells out as assigning specific responsibility for implementation to a named individual or role and reviewing reports from management on the program's status.

Section F of Appendix A, titled Report to the Board, is where the specific reporting obligation lives. The rule states that each credit union should report to its board or an appropriate committee at least annually, that the report should describe the overall status of the information security program and the credit union's compliance with the Guidelines, and that it should discuss material matters related to the program, addressing issues such as the following six topics. Examiners treat these six as the minimum content of the report:

The six required content areas of the annual board report under 12 CFR Part 748 Appendix A Section F, each followed by what examiners expect to see:

  • Risk assessment: a current risk assessment covering threats, vulnerabilities, and the controls that reduce them. Examiners will trace risks to controls and controls to evidence.
  • Risk-management and control decisions: the decisions management made about which risks to accept, mitigate, transfer, or avoid, along with the rationale.
  • Service provider arrangements: the status of third-party reviews, the inventory of critical vendors, and any changes to the vendor portfolio during the reporting period.
  • Results of testing: penetration tests, vulnerability scans, social engineering tests, and audit results, plus the remediation status of findings.
  • Security breaches or violations and management's responses: every incident that met the credit union's internal escalation threshold during the year, with the response, the lessons learned, and any process changes made.
  • Recommendations for changes: the specific updates management is asking the board to approve for the next program cycle, with the rationale and the resource implications.

Appendix A is titled Guidelines, and NCUA treats it as guidance rather than as a set of binding requirements in the strict regulatory sense. However, NCUA examiners use Appendix A as the standard for an effective information security program that satisfies the binding requirements of 12 CFR 748.0, which is the rule that obligates every federally insured credit union to develop a written security program. In practice, the distinction between guidance and rule matters only in legal briefs. During an examination, the examiner expects what Appendix A describes.

One common mistake at the board level is to assume that quarterly committee meetings where IT topics are mentioned count as the annual report. They do not. The annual report under Section F is a written document that addresses all six required topics in one place. A page of meeting minutes summarizing a brief management update does not satisfy the rule. Examiners look for the written report and they look for the board's action on it.

NCUA Letter 24-CU-02: The Four Areas of Board Cybersecurity Oversight

In October 2024, NCUA issued Letter to Credit Unions 24-CU-02, Board of Director Engagement in Cybersecurity Oversight. The letter is the most recent authoritative NCUA guidance on what the board must do, and NCUA reinforced it in the 2025 Supervisory Priorities. Every board chair and audit committee chair at a federally insured credit union should have read this letter.

The NCUA urges credit union boards of directors to prioritize cybersecurity as a top oversight and governance responsibility.
NCUA Letter to Credit Unions 24-CU-02 (October 2024)

Letter 24-CU-02 organizes board expectations into four areas. The letter is not a rule and does not change Part 748. What it does is set the supervisory expectation. When an NCUA examiner asks whether the board is doing its job on cybersecurity, the examiner will measure the board against these four areas.

Provide for recurring training

The board itself must engage in ongoing education on cyber threats, trends, and best practices. The letter is explicit that this applies to the directors, not just the staff. A board that received no cyber training during the year should expect a finding. The board must also ensure that employees receive regular cybersecurity education, including phishing simulation, secure handling of member information, and incident reporting expectations.

Approve the information security program

The board must approve a comprehensive information security program that meets Part 748 requirements. The program must address risk assessments, security controls, and incident response plans. The board must review the program at least annually to ensure it evolves with the threat landscape and with lessons learned from incidents during the year. A program approved three years ago and never revisited invites a finding even if the annual report under Part 748 Appendix A Section F was technically delivered each year.

Oversee operational management

This is the longest section in 24-CU-02 because it covers the day-to-day cybersecurity work that the board must supervise. The eight specific oversight areas the letter calls out are third-party due diligence, embedding cybersecurity into culture, providing adequate resources and cyber expertise, vulnerability and patch management with threat intelligence, an audit function commensurate with size and risk, periodic management reporting, protecting and managing backups, and member education on cybersecurity hygiene like multi-factor authentication and password discipline.

Ensure incident response planning and resilience

The board must ensure the credit union has resilience plans that allow it to operate effectively during and after a cyberattack, internal and external communication strategies for incidents (including prompt board notification, member communications, and regulatory notification within the 72-hour rule), cyber insurance evaluation and adequacy, a designated incident response team with cross-functional membership, and regular tabletop exercises to test the plan and clarify roles. Tabletop exercises are not optional. The 2025 Supervisory Priorities specifically reinforce them.

Read once, return often. NCUA Letter 24-CU-02 is short enough to read in fifteen minutes and detailed enough to anchor your board's IT oversight charter. Distribute the letter to every director before your next board meeting and walk through the four areas together. Your board secretary should keep a copy with each year's annual information security report so the examiner can see the alignment.

The 72-Hour Cyber Incident Reporting Rule and Board Escalation

The NCUA Cyber Incident Reporting Rule took effect September 1, 2023. The rule, codified at 12 CFR 748.1(c) and published as a final rule in the Federal Register on February 27, 2023, requires every federally insured credit union to notify NCUA of a reportable cyber incident as soon as possible and no later than 72 hours after the credit union reasonably believes that it has experienced one.

What counts as a reportable cyber incident

A reportable cyber incident is a substantial incident that leads to one or more of the following outcomes:

  • Substantial loss of confidentiality, integrity, or availability of a network or member information system, resulting from unauthorized access to or exposure of sensitive data, disruption of vital member services, or serious impact on the safety and resiliency of operational systems and processes.
  • Disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • Disruption of business operations or unauthorized access to sensitive data facilitated through or caused by a compromise of a third party, including a credit union service organization (CUSO), cloud service provider, managed service provider, other third-party data hosting provider, or supply-chain compromise.

Unsuccessful attacks do not have to be reported. Failed login attempts, blocked malware, and scans that are stopped by normal defenses are not reportable. The threshold is substantial impact, not attempted compromise.

The 72-hour clock begins when the credit union forms a reasonable belief that a reportable cyber incident has occurred. For third-party incidents, it begins when the credit union receives the third-party notification or forms a reasonable belief, whichever is sooner. The initial notice is an early alert, not a full incident assessment. NCUA only asks for basic information at the 72-hour mark: name, charter number, point of contact, and a brief description of the incident and the impacted functions or sensitive data.

The reporting channels are cyberreports.ncua.gov, the 1-833-CYBERCU phone line, or a secure email to cybercu@ncua.gov. Your incident response plan must name the individual responsible for making the call and the backup if that individual is unavailable.

The rule itself does not impose a separate board-notification deadline. There is no language in 12 CFR 748.1(c) that says the board must be notified within X hours. However, NCUA examination expectations require the credit union's incident response plan to include board escalation for any incident that meets the NCUA reporting threshold. In practice this means three things. First, your incident response policy must define which incidents trigger board notification and how quickly. Second, your board minutes must record the notification when it happens. Third, the annual report under Part 748 Appendix A Section F must list every reportable cyber incident from the year and management's response to each.

Tuesday morning: A reportable incident lands on your desk

At 8:47 a.m. your managed service provider calls. A ransomware attack against one of their other tenants spilled into a shared management tool. The provider is not sure yet whether your tenant is affected, but the diagnostic logs they pulled show one of their service accounts authenticated against your Microsoft Entra ID environment overnight.

You have a reasonable belief that a reportable cyber incident has occurred. The 72-hour NCUA notification clock has started. Your incident response plan should produce four parallel workflows within the next two hours. Internal escalation triggers the call to your CEO and board chair. External escalation triggers the call to NCUA at cyberreports.ncua.gov. Member-impact analysis begins forensic work to determine whether sensitive data was accessed. Third-party coordination logs every communication with the provider for the eventual after-action report. The board does not need a perfect picture at 9 a.m. The board needs to know the clock has started and who is making which call.

If your NCUA IT exam preparation does not include a documented test of this escalation sequence, that gap is the one finding most likely to show up in your next examination report.

What the FFIEC Management Booklet Adds to NCUA's Expectations

The FFIEC IT Examination Handbook covers banks, savings institutions, and credit unions in a single framework. The Management Booklet, last revised in 2015, and the Information Security Booklet, last revised in 2016, are the primary supervisory references for IT governance and information security. Both booklets apply to credit unions, banks, and mortgage companies subject to federal oversight, because they implement the Interagency Guidelines Establishing Information Security Standards and, for credit unions, NCUA's parallel Part 748 Appendix A.

Section II.A of the Management Booklet, titled Governance, describes the board's responsibility to approve the IT and information security strategy, set the risk appetite, ensure an effective governance framework, receive reports from management on IT performance and information security risk, and hold senior management accountable for implementing board-approved strategies. The language tracks Part 748 Appendix A closely, with two important additions. First, FFIEC explicitly expects the board to set the risk appetite, a step that NCUA Part 748 implies but does not name. Second, FFIEC expects the board to approve significant outsourcing and third-party relationships, not just review them after the fact.

Section II.B of the Management Booklet, titled Information Security Program Management, ties the board to the written program. The board must approve the program and significant changes to it, oversee implementation and maintenance, and receive at least an annual report covering the topics required by the Interagency Guidelines. FFIEC's required content tracks Part 748 Appendix A Section F closely, but it adds two refinements. First, FFIEC explicitly calls out material control deficiencies and significant audit or examination findings related to information security that remain outstanding, along with management's remediation plans and timelines. Second, FFIEC explicitly calls out resource adequacy: staffing, tools, training, and budget needed to address risks.

NCUA Part 748 Appendix A Section F

  • Annual written report to board or committee
  • Risk assessment
  • Risk-management and control decisions
  • Service provider arrangements
  • Results of testing
  • Security breaches or violations and management's responses
  • Recommendations for changes

FFIEC Management Booklet II.B

  • Annual written report to board or committee
  • Overall status of the information security program
  • Material risk assessment findings
  • Material control deficiencies and outstanding audit findings
  • Significant information security incidents and breaches
  • Third-party service provider security issues
  • Status of compliance with laws and regulations
  • Significant program changes and resource adequacy

The practical implication for a federally insured credit union is that your annual information security program report should satisfy both NCUA Part 748 Appendix A and the FFIEC Management Booklet. The two are aligned, and combining them produces a single document that satisfies every reasonable supervisory request. Banks and mortgage companies that fall under OCC, FDIC, or Federal Reserve oversight follow the same FFIEC reference, so an internal report template built to these standards travels well across institution types.

Need a board-ready annual report template? ABT's M365 Guardian engineering team builds custom annual information security reports for credit unions, banks, and mortgage companies, drawing data directly from your Microsoft 365 tenant. Talk to an ABT expert about an examiner-ready board report aligned to NCUA Part 748 and FFIEC Management Booklet expectations.

The Eight Sections of an Examiner-Ready Board IT Report

NCUA Part 748 Appendix A lists six topics. FFIEC Management Booklet II.B lists seven. Combined and reorganized for actual board readability, an examiner-ready board IT report has eight sections. Each section has a single purpose and the report flows from current state to forward look. Banks, credit unions, and mortgage companies can all use the same structure because the underlying federal requirements come from the same Interagency Guidelines.

1 Executive summary and trend chart

Two pages maximum. State the overall posture, the headline metrics with year-over-year movement, and the two or three items requiring board action this cycle. Most directors will read this section and skim the rest. The Microsoft Secure Score percentage, the Microsoft Purview Compliance Manager percentage, the number of cyber incidents reported to NCUA this year, and the number of open audit findings are the four metrics that belong in this section.

2 Risk assessment update

The current risk assessment. New risks added during the year. Risks closed during the year. Risk acceptance decisions made by management with the rationale. Examiners trace risks to controls and controls to evidence. If the risk assessment is six months old and the threat landscape has changed since, the board needs to see the gap and a remediation plan.

3 Control environment and testing results

Penetration test summary. Vulnerability scan trend. Phishing simulation results. Internal and external audit findings with remediation status. NCUA examination findings carried forward. Every test that ran during the year, the result, and what changed because of it.

4 Cyber incidents and the response log

Every reportable cyber incident under 12 CFR 748.1(c) during the year. Every internal incident that triggered board escalation under your incident response policy. Time to detect, time to contain, time to recover, time to notify NCUA, time to notify members if applicable. Lessons learned and process changes made as a result. If zero incidents required NCUA notification during the year, state that explicitly. Silence on the topic invites the examiner to wonder why.

5 Third-party service provider review

Inventory of critical vendors. Status of SOC 2 Type II reports on file for each. Any changes to the vendor portfolio during the year. Vendor incidents that affected the credit union. The third-party section is where examiners spend the most time when the credit union runs on Microsoft 365 because the tenant management relationship is itself a third-party service provider arrangement. The ABT relationship, if you use a Tier-1 Microsoft Cloud Solution Provider, belongs here with the current SOC 2 attestation date.

6 Regulatory compliance status

Status of compliance with Part 748, the Interagency Guidelines Establishing Information Security Standards, the Bank Secrecy Act and anti-money laundering requirements, the FFIEC IT Examination Handbook, and any applicable state regulatory requirements. Banks subject to OCC, FDIC, or Federal Reserve oversight track their primary regulator citations in the same section. Mortgage companies track CFPB and state-level mortgage requirements here. Any compliance gap from the prior period and the status of the remediation plan.

7 Information security program changes for board approval

The recommendations management is asking the board to approve for the next program cycle. New policies. Material policy revisions. New tooling investments. Staffing changes. Insurance changes. Budget changes. The board needs to make a decision on each item, and the minutes should reflect the decision.

8 Forward outlook and emerging threats

The threat trends management is watching. Regulatory changes on the horizon. Microsoft product changes that affect the tenant. Industry incidents that should inform planning. This section is where a board chair will often ask the sharpest questions. A board that asks sharp questions is a board that is doing its job, and the meeting minutes that reflect that exchange are the strongest evidence an examiner can find of effective oversight.

Infographic showing the eight required sections of an examiner-ready board IT report mapped to NCUA Part 748 Appendix A and FFIEC Management Booklet citations, with reporting frequency for each section
Eight required sections of an examiner-ready board IT report, mapped to NCUA Part 748 Appendix A Section F and FFIEC Management Booklet II.B citations.

Microsoft 365 Metrics Your Board Can Actually Read

If your credit union, bank, or mortgage company runs on Microsoft 365, you already have most of the data your board IT report needs. The hard work is translating tenant-level telemetry into board language. The Microsoft 365 admin center, the Microsoft Defender portal, and Microsoft Purview each surface metrics that line up directly with the topics NCUA Part 748 Appendix A and the FFIEC Management Booklet expect to see.

Microsoft Cloud Solution Provider perspective

ABT is a Tier-1 Microsoft Cloud Solution Provider serving more than 750 financial institutions. We manage your Microsoft 365 tenant through delegated administration, and the same management plane gives us direct access to the four metric families that translate cleanly into board reporting: Microsoft Secure Score for security posture, Microsoft Purview Compliance Manager for regulatory posture, Microsoft Defender XDR for incident volume and response, and Microsoft Entra ID Protection for identity-attack signal. Each metric carries Microsoft's own documentation, which is the most defensible source possible when an examiner asks where the number came from.

Microsoft Secure Score: security posture as a percentage

Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. The Defender portal displays Secure Score both as points and as a percentage of achievable points across identity, devices, data, applications, and infrastructure. It is not a FICO-style 300 to 850 range and it is not a letter-grade A through F system. Because the achievable maximum changes whenever Microsoft adds or retires recommended actions, a year-over-year trend should be shown in percentage terms, not raw points, or a tenant can appear to gain or lose ground without a single control changing. Microsoft documents the metric and the underlying scoring logic on the canonical Microsoft Learn page at learn.microsoft.com/en-us/defender-xdr/microsoft-secure-score.

For board reporting, Secure Score works best when framed against the comparison Microsoft provides with organizations of similar size and industry, which the portal labels as comparing your score with other organizations. This is grading on a curve, which is the appropriate framing for a percentage that represents the relative state of implementation, not a binary pass or fail. A Secure Score of 65 percent that sits above the average for financial institutions of similar size is a stronger board story than the same 65 percent presented as a standalone number with no context.
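The following is an added example, not code from the article, from Microsoft, or from ABT. It shows how the Secure Score figures above are reduced to the percentage, trend, and peer comparison a board slide needs. The payload is constructed to follow the field layout of the Microsoft Graph secureScores resource (GET https://graph.microsoft.com/v1.0/security/secureScores, which an app registration can read with the SecurityEvents.Read.All permission); it is not real tenant data, the control names are illustrative, and nothing here touches the network. One assumption is called out in the code: Graph reports peer averages in points, and the example expresses them against this tenant's own achievable maximum.

```python
"""Board-ready Microsoft Secure Score summary from Graph-shaped snapshots.

Added example for this article, not code from Microsoft or from the page.
SAMPLE_SECURE_SCORES is a constructed payload in the field layout of
GET https://graph.microsoft.com/v1.0/security/secureScores (one snapshot
per day, newest first). In production, fetch that endpoint with an app
registration granted SecurityEvents.Read.All and pass its "value" list to
summarize_secure_score(); nothing here contacts the network.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: two snapshots a quarter apart. The control list is
# abbreviated (names are illustrative) so category totals sum to currentScore,
# as they do in a real snapshot. maxScore grew between snapshots because
# Microsoft added recommended actions: raw points rose 8 while the percentage
# rose far less, which is the trap the percentage framing avoids.
SAMPLE_SECURE_SCORES = [
    {
        "createdDateTime": "2025-03-31T00:00:00Z",
        "currentScore": 60.0,
        "maxScore": 96.0,
        "averageComparativeScores": [
            {"basis": "AllTenants", "averageScore": 47.0},
            {"basis": "TotalSeats", "averageScore": 53.0},
        ],
        "controlScores": [
            {"controlCategory": "Identity", "controlName": "mfa_registration", "score": 27.0},
            {"controlCategory": "Identity", "controlName": "block_legacy_auth", "score": 8.0},
            {"controlCategory": "Data", "controlName": "dlp_policies", "score": 10.0},
            {"controlCategory": "Device", "controlName": "endpoint_onboarded", "score": 9.0},
            {"controlCategory": "Apps", "controlName": "safe_links", "score": 6.0},
        ],
    },
    {
        "createdDateTime": "2024-12-31T00:00:00Z",
        "currentScore": 52.0,
        "maxScore": 90.0,
        "averageComparativeScores": [
            {"basis": "AllTenants", "averageScore": 44.0},
            {"basis": "TotalSeats", "averageScore": 50.0},
        ],
        "controlScores": [
            {"controlCategory": "Identity", "controlName": "mfa_registration", "score": 27.0},
            {"controlCategory": "Identity", "controlName": "block_legacy_auth", "score": 4.0},
            {"controlCategory": "Data", "controlName": "dlp_policies", "score": 8.0},
            {"controlCategory": "Device", "controlName": "endpoint_onboarded", "score": 7.0},
            {"controlCategory": "Apps", "controlName": "safe_links", "score": 6.0},
        ],
    },
]


def _snapshot_time(snapshot):
    # Graph returns ISO 8601 with a trailing Z; make it parseable on Python < 3.11.
    return datetime.fromisoformat(snapshot["createdDateTime"].replace("Z", "+00:00"))


def pct(points, max_points):
    """Points earned as a percentage of achievable points, one decimal."""
    return round(100.0 * points / max_points, 1) if max_points else 0.0


def summarize_secure_score(snapshots, peer_basis="TotalSeats"):
    """Reduce secureScores snapshots to the numbers a board slide needs.

    Returns the current percentage, its change since the oldest snapshot
    supplied, the raw point change (kept only to show why it misleads when
    maxScore moves), the peer average for one comparison basis, and the
    points earned per control category in the latest snapshot.
    """
    if not snapshots:
        raise ValueError("no Secure Score snapshots supplied")
    ordered = sorted(snapshots, key=_snapshot_time)
    oldest, latest = ordered[0], ordered[-1]

    current_pct = pct(latest["currentScore"], latest["maxScore"])
    baseline_pct = pct(oldest["currentScore"], oldest["maxScore"])

    # Graph reports the peer average in points. Assumption: peers share this
    # tenant's achievable maximum, so it is expressed against latest maxScore.
    peer = next((c for c in latest.get("averageComparativeScores", [])
                 if c["basis"] == peer_basis), None)
    peer_pct = pct(peer["averageScore"], latest["maxScore"]) if peer else None

    by_category = defaultdict(float)
    for control in latest.get("controlScores", []):
        by_category[control["controlCategory"]] += float(control["score"])

    return {
        "as_of": latest["createdDateTime"],
        "baseline_as_of": oldest["createdDateTime"],
        "current_pct": current_pct,
        "change_pct_points": round(current_pct - baseline_pct, 1),
        "raw_point_change": latest["currentScore"] - oldest["currentScore"],
        "peer_basis": peer_basis,
        "peer_pct": peer_pct,
        "above_peer": peer_pct is not None and current_pct > peer_pct,
        "points_by_category": dict(by_category),
    }


def board_line(summary):
    """One sentence for the executive summary, in percentages only."""
    peer = ("similar-size organizations average %.1f%%" % summary["peer_pct"]
            if summary["peer_pct"] is not None else "no peer comparison available")
    return ("Microsoft Secure Score %.1f%% as of %s (%+.1f points since %s); %s."
            % (summary["current_pct"], summary["as_of"][:10],
               summary["change_pct_points"], summary["baseline_as_of"][:10], peer))


if __name__ == "__main__":
    print(board_line(summarize_secure_score(SAMPLE_SECURE_SCORES)))
```

Run against the constructed data, the tenant moved from 52 of 90 points to 60 of 96: eight raw points, but only 4.7 percentage points, because Microsoft enlarged the denominator in between. The board slide should carry the 62.5 percent, the 4.7 point change, and the similar-size average, each traceable to one Graph field and one Microsoft Learn definition.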

Microsoft Purview Compliance Manager: regulatory posture as a percentage

Microsoft Purview Compliance Manager produces a risk-based compliance score that measures the organization's progress in completing recommended improvement actions against more than 360 regulatory templates. The default Data Protection Baseline draws from the NIST Cybersecurity Framework, ISO/IEC 27001, FedRAMP, and the EU GDPR. For credit unions, banks, and mortgage companies, the most relevant assessment templates are NIST CSF 2.0, NIST SP 800-53, ISO/IEC 27001, HIPAA HITECH for institutions that handle health-related data, and PCI DSS for institutions that handle cardholder data. Microsoft documents the scoring methodology at learn.microsoft.com/en-us/purview/compliance-manager-scoring.

Compliance Manager produces a per-regulation score that you can roll up into a board-level compliance posture summary. Running the NIST CSF 2.0 assessment twice a year, paired with a single annual assessment of ISO/IEC 27001, gives a board a stable trend line over the year and supports the FFIEC Management Booklet II.B requirement for status of compliance with laws and regulations.

Microsoft Defender XDR executive dashboard

The Defender portal aggregates four metric families that belong in the cyber incidents section of your board report. Active incidents and the 30-day incident volume, with the top incident categories like phishing, malware, and identity compromise. Phishing emails detected and blocked across Exchange, SharePoint, OneDrive, and Microsoft Teams. The percentage of devices onboarded to Microsoft Defender for Endpoint and the number of devices currently at high or critical risk. Risky user signals from Microsoft Entra ID Protection. Each metric carries a documented Microsoft Learn definition, which gives the board a defensible source for every number it sees.

The compound math problem with board metrics

One mistake that shows up often in credit union board decks is the compound estimate. A presenter will multiply a phishing-rate figure by a workforce size by an average-cost-per-incident dollar figure to produce a single dramatic exposure number. The dramatic number is not wrong on the math, but it is wrong on the source. Each of the three factors comes from a different study with a different methodology, and combining them inflates the apparent precision. The correct board presentation is the single-source metric. Phishing blocked count comes directly from your Microsoft Defender for Office 365 reports. Device coverage comes directly from the Defender for Endpoint dashboard. Risky user count comes directly from Microsoft Entra ID Protection. Each number has one source and one definition, and the board can interrogate any of them by going to the Microsoft Learn URL on the same slide.

What Examiners Look For in Board Minutes

The board IT report is necessary but not sufficient. Examiners look at the minutes of the meeting where the report was delivered. The minutes are the audit trail. The report itself can be perfect, but if the minutes do not record the board's review and any decisions taken, the examiner has no evidence that oversight actually happened.

Three specific patterns in board minutes signal effective IT oversight to an examiner. The first is the recorded vote or motion to approve the information security program for the year. The minute entry should reference the document by title and date, and the motion should be specific. A motion to approve the 2026 Information Security Program as presented by the Chief Information Security Officer is a strong entry. A general note that the board reviewed IT topics is not.

The second pattern is the recorded discussion of specific items in the report. Directors asking questions, management answering them, and the minutes capturing the exchange. The board does not need to debate every line, but the minutes should reflect that at least two or three substantive issues were discussed. Cyber incident response, third-party vendor changes, and resource adequacy are the three areas examiners look at most closely.

The third pattern is the action item list with named owners and due dates. If the board asks management to come back with a plan, a number, or a follow-up, the minutes should capture that ask, name the responsible individual, and set a due date. The follow-up should then appear in the next board packet. Open action items that drift across multiple meetings are a finding.

The board minutes test: would your examiner read them and conclude oversight is real?

Before your next examination, pull the board minutes from the last four quarters and read them as if you were the examiner. Look for the four signals: a recorded vote approving the information security program, recorded discussion of cyber incidents (or explicit notation that there were none), recorded discussion of third-party vendor reviews, and a clean action item list with named owners and closed-out follow-ups. If any of those four signals is missing, the gap is the finding.

Credit unions, banks, and mortgage companies that operate at the same scale often share the same problem here. The IT report is comprehensive. The meeting agenda allocates time. The minutes are thin. The fix is not more meeting time. The fix is a board secretary who understands what the examiner will look for and writes minutes that reflect the substance of the discussion.

How ABT Helps Credit Unions Build Examiner-Ready Board IT Reports

ABT is a Tier-1 Microsoft Cloud Solution Provider with more than 25 years of experience serving credit unions, banks, and mortgage companies. As a Tier-1 CSP, ABT manages your Microsoft 365 tenant through delegated administration. Microsoft owns the underlying infrastructure. ABT operates the tenant on your behalf, with direct access to the same admin center, Defender portal, and Purview console your board IT report draws from. For workloads that run in Azure, including hosted line-of-business applications, ABT hosts the Azure environment in the customer's subscription as the partner of record. The distinction matters at examination time, because regulators expect the institution to know exactly who is doing what.

The Guardian operating model is how ABT translates Microsoft 365 telemetry into the board language NCUA and FFIEC examiners expect. Each engagement includes monthly metric extraction from the tenant, quarterly third-party review packets, an annual information security program report mapped to Part 748 Appendix A and FFIEC Management Booklet II.B, and the on-call response for the 72-hour cyber incident reporting clock. The Guardian operating model is documented in our companion Microsoft 365 security guide for credit unions and our Microsoft 365 license tier guide for financial institutions, which together cover the licensing prerequisites for the metrics your board will see.

Two other ABT resources matter for board reporting. The phishing-resistant multi-factor authentication guide covers the FIDO2, passkey, and hardware key controls examiners now expect to see in the identity protection section. The BSA/AML compliance configuration guide covers the regulatory-evidence layer for the compliance section. Each guide draws from primary federal sources and each one cross-references the same Microsoft 365 controls that feed your board metrics.

If your next NCUA examination is in 90 days and your board IT report still has gaps, the time to close them is now. The report itself is two to three weeks of focused work. The supporting data lives in your Microsoft 365 tenant. The board approval can happen at your next scheduled meeting. The examiner will see a credit union that takes IT governance seriously, and the governance finding that would otherwise have appeared in the examination report will not.

Infographic: Mapping NCUA Part 748 Appendix A and FFIEC Management Booklet board reporting requirements to the specific Microsoft 365 Defender, Purview Compliance Manager, and Entra ID data sources that feed each section of the annual board IT report.

Build a board IT report your examiner will respect

ABT's M365 Guardian operating model packages Microsoft 365 tenant data into examiner-ready board IT reports aligned with NCUA Part 748 Appendix A and FFIEC Management Booklet II.B. We manage your Microsoft 365 tenant as a Tier-1 Microsoft Cloud Solution Provider, and we deliver the annual report your board needs to approve. Banks, credit unions, and mortgage companies welcome.


Frequently Asked Questions

How often must a credit union board receive a written information security program report?

At least annually. NCUA 12 CFR Part 748 Appendix A Section F requires each credit union to report to its board or an appropriate committee at least annually on the overall status of the information security program. The FFIEC Management Booklet Section II.B aligns with the same annual minimum through the Interagency Guidelines Establishing Information Security Standards. Many credit unions deliver more frequent updates, often quarterly, but the written annual report covering all six required topics is the regulatory minimum and the document examiners ask for first.

What does the NCUA 72-hour cyber incident reporting rule require the board to do?

The rule itself, 12 CFR 748.1(c), effective September 1, 2023, requires the credit union to notify NCUA within 72 hours of forming a reasonable belief that a reportable cyber incident has occurred. The rule does not impose a separate board notification deadline. However, NCUA examination expectations require the credit union's incident response plan to include board escalation for any incident that meets the NCUA reporting threshold, and the annual report under Part 748 Appendix A Section F must list every reportable cyber incident from the year along with management's response.

Can a credit union board use Microsoft Secure Score in its board IT report?

Yes. Microsoft Secure Score is a measurement of an organization's security posture, displayed in the Microsoft 365 Defender portal as the percentage of achievable points earned, where a higher number indicates that more of Microsoft's recommended security actions have been taken. Microsoft documents the score and its scoring logic on Microsoft Learn, which gives the board a defensible source. The score works best for board reporting when framed against peer organizations, which Microsoft supports through its comparison feature. Secure Score is expressed as a percentage from 0 to 100, not a FICO-style 300 to 850 range and not a letter grade A through F.
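Because Microsoft adds new recommended actions over time, the maximum achievable points move, so a board trend line should compare percentages across periods rather than raw points. The following is an added example, not ABT's or Microsoft's code, that turns the `secureScore` objects returned by the Microsoft Graph `GET /security/secureScores` endpoint into the percentage, period-over-period change and peer comparison a board summary needs. It assumes the response shape Graph documents for that resource (`currentScore`, `maxScore`, `createdDateTime`, `averageComparativeScores` with a `basis` and `averageScore`); the numbers and the `AllTenants` basis value below are constructed sample data, not from a real tenant.

```python
"""Summarize Microsoft Secure Score snapshots for a board IT report.

Added example. Assumes the Microsoft Graph `security/secureScores` response
shape; the sample payload is constructed, not from a real tenant.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two snapshots as Graph would return them (newest first).
# The quarter-end maxScore grew from 850 to 875 because new controls were added,
# which is exactly why raw points mislead and percentages are used instead.
SAMPLE_SECURE_SCORES = {
    "value": [
        {
            "createdDateTime": "2025-03-31T00:00:00Z",
            "currentScore": 612.5,
            "maxScore": 875.0,
            "averageComparativeScores": [
                {"basis": "AllTenants", "averageScore": 420.0},  # assumed basis value
                {"basis": "TotalSeats", "averageScore": 455.0},  # assumed basis value
            ],
        },
        {
            "createdDateTime": "2024-12-31T00:00:00Z",
            "currentScore": 560.0,
            "maxScore": 850.0,
            "averageComparativeScores": [
                {"basis": "AllTenants", "averageScore": 410.0},
            ],
        },
    ]
}


def percent(score: float, max_score: float) -> float:
    """Secure Score as a 0-100 percentage, rounded to one decimal.

    Guards against a zero maxScore, which would otherwise divide by zero.
    """
    if max_score <= 0:
        raise ValueError("maxScore must be positive")
    return round(100.0 * score / max_score, 1)


@dataclass
class BoardSummary:
    as_of: str
    percent: float                     # tenant score as a percentage
    prior_percent: Optional[float]     # previous snapshot, if any
    change_points: Optional[float]     # change in percentage points
    peer_basis: Optional[str]
    peer_delta: Optional[float]        # tenant points minus peer average points

    def narrative(self) -> str:
        """One sentence suitable for the board minutes."""
        text = f"As of {self.as_of[:10]}, Microsoft Secure Score is {self.percent}% of achievable points"
        if self.change_points is not None:
            direction = "up" if self.change_points >= 0 else "down"
            text += f", {direction} {abs(self.change_points)} percentage points from the prior period"
        if self.peer_delta is not None:
            side = "above" if self.peer_delta >= 0 else "below"
            text += f", and {abs(self.peer_delta)} points {side} the {self.peer_basis} peer average"
        return text + "."


def summarize(response: dict, peer_basis: str = "AllTenants") -> BoardSummary:
    """Build the board summary from a Graph secureScores response."""
    snapshots = sorted(response["value"], key=lambda s: s["createdDateTime"], reverse=True)
    if not snapshots:
        raise ValueError("no Secure Score snapshots in response")
    latest = snapshots[0]
    pct = percent(latest["currentScore"], latest["maxScore"])

    prior_pct = change = None
    if len(snapshots) > 1:
        prior = snapshots[1]
        prior_pct = percent(prior["currentScore"], prior["maxScore"])
        change = round(pct - prior_pct, 1)

    # Peer averages are reported in points on the same scale as currentScore,
    # so the comparison is kept in points rather than converted.
    peer = next((c for c in latest.get("averageComparativeScores", [])
                 if c.get("basis") == peer_basis), None)
    peer_delta = round(latest["currentScore"] - peer["averageScore"], 1) if peer else None

    return BoardSummary(
        as_of=latest["createdDateTime"],
        percent=pct,
        prior_percent=prior_pct,
        change_points=change,
        peer_basis=peer_basis if peer else None,
        peer_delta=peer_delta,
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_SECURE_SCORES).narrative())
```

In production the `SAMPLE_SECURE_SCORES` dictionary would be replaced by the JSON body returned from Graph with an application token holding `SecurityEvents.Read.All`; the rest of the logic is unchanged. The period-over-period figure is deliberately computed on percentages so that a quarter in which Microsoft adds controls does not read as a drop in posture.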

What is NCUA Letter to Credit Unions 24-CU-02 and how does it affect board oversight?

NCUA Letter to Credit Unions 24-CU-02, Board of Director Engagement in Cybersecurity Oversight, was issued in October 2024 and is the most recent authoritative NCUA guidance on board cybersecurity expectations. The letter organizes board expectations into four areas: recurring training for directors and staff, approval of a comprehensive information security program that meets Part 748 requirements, oversight of operational management including third-party due diligence and vulnerability management, and incident response planning with resilience plans and tabletop exercises. NCUA reinforced the letter in its 2025 Supervisory Priorities.

What evidence do NCUA and FFIEC examiners expect to find in board minutes?

Examiners look for three specific patterns: a recorded vote or motion to approve the written information security program by title and date; recorded substantive discussion of specific items in the report, with directors asking questions and management answering; and an action item list with named owners and due dates, with follow-up items closed out at subsequent meetings. The board minutes are the audit trail that turns the report into evidence of effective oversight. If the report exists but the minutes are silent, the examiner has no evidence that oversight occurred.

Do FFIEC and NCUA board reporting requirements apply to banks and mortgage companies too?

Yes. The FFIEC IT Examination Handbook applies to credit unions, banks, savings institutions, and mortgage companies subject to federal oversight. The Interagency Guidelines Establishing Information Security Standards are the underlying federal rule that NCUA implements through Part 748 and that OCC, FDIC, and the Federal Reserve implement through their own regulations for banks. Banks, credit unions, and mortgage companies can all use the same eight-section board IT report structure because the underlying requirements come from the same source.

Justin Kirsch

President & CEO, ABT

Justin runs ABT, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial institutions. He has spent twenty-five years helping credit unions, banks, and mortgage companies translate Microsoft 365 telemetry into examiner-ready board reports under NCUA Part 748 and FFIEC IT Examination Handbook expectations.