Credit Union Cybersecurity: Beyond the Basics

Justin Kirsch | 12 min read

In August 2025, a ransomware gang breached Marquis Software Solutions through an unpatched SonicWall firewall and stole the personal data of 1.3 million people across 74 banks and credit unions. Social Security numbers. Dates of birth. Financial account details. The attackers reportedly used a known vulnerability that Marquis hadn't remediated, and notifications to affected members didn't go out for more than three months. Marquis isn't a fringe vendor. It serves over 700 financial institutions with CRM, compliance reporting, and marketing tools.

That breach landed right alongside a hard number from the NCUA's own reporting: 73% of all cyber incidents reported by credit unions between September 2023 and May 2024 involved a third-party vendor. Not a phishing email to an employee. Not a brute-force attack on the firewall. A vendor that your credit union trusted with member data.

The NCUA's January 2026 supervisory priorities letter made the shift official. Cybersecurity is no longer a standalone examination category. It's been folded into "Operational Risk Management" alongside payment systems security and fraud prevention. Examiners will assess vendor management frameworks, incident response readiness, and whether your board actually understands the security risks on your balance sheet. The old model of treating cybersecurity as an IT checklist is over.

This article breaks down what that means in practice: the specific controls, vendor oversight disciplines, and security program structures that separate credit unions ready for their next examination from those about to get a findings letter.

Every credit union has antivirus on its workstations. Every credit union has a firewall. And nearly every credit union that got breached in the past three years had both of those things running when it happened.

The threats hitting credit unions in 2026 have moved past what perimeter defenses can stop. Attackers aren't probing firewalls from the outside. They're logging into your Microsoft 365 tenant with credentials they bought on the dark web, impersonating your CEO in an email to your controller, or riding in through a compromised vendor connection. A real credit union security program accounts for these scenarios. A checkbox list of basic controls does not.

This article covers the credit union cybersecurity best practices that go beyond antivirus and firewall: the controls, policies, and operational disciplines that separate credit unions passing their NCUA examinations with confidence from those scrambling to explain gaps.

This article focuses on credit unions and the National Credit Union Administration (NCUA), but the security controls and best practices apply equally to community banks examined by the OCC and FDIC. Mortgage companies subject to the FTC Safeguards Rule face parallel requirements for protecting consumer financial data.


Why "The Basics" Don't Protect Credit Unions Anymore

Five years ago, a credit union could argue that a managed firewall, endpoint antivirus, and annual security awareness training added up to adequate protection. That argument fell apart.

Here's what changed:

  • Identity is the new perimeter. With Microsoft 365, remote access, and cloud-based core systems, your users authenticate from home networks, airports, and personal devices. The firewall at your branch doesn't protect a loan officer working from a coffee shop.
  • Email compromise has become surgical. Attackers research credit union org charts, identify who approves wire transfers, and send emails that look identical to real internal messages. Spam filters catch mass phishing campaigns. They don't catch targeted business email compromise.
  • Regulators raised the bar. NCUA cybersecurity expectations now include Conditional Access, data loss prevention, email authentication, and incident response testing. Showing an examiner that you have antivirus installed isn't a passing grade.
  • Ransomware groups go after small financial institutions on purpose. Credit unions with 15 to 100 employees attract attackers who bet on weaker defenses than a large bank would have.

The gap between "we have the basics" and "we have an effective credit union security program" is where breaches happen.

73%
of cyber incidents reported by credit unions between September 2023 and May 2024 involved a third-party vendor — not a direct attack on the credit union itself.
Source: NCUA Cyber Incident Reporting Data, 2024

Credit unions that measure their security posture fix gaps 3x faster

The difference between passing and failing an examination comes down to knowing your gaps before your examiner does.

Credit Union Cyber Threats That Actually Hit

Generic threat briefings don't help. You've sat through the "cyber threats are increasing" slides a hundred times. Here are the specific credit union cyber threats that result in actual incidents at institutions your size:

Business Email Compromise (BEC)

BEC is the most financially damaging attack type for credit unions. An attacker compromises one email account, studies the communication patterns, then sends a convincing email requesting a wire transfer, automated clearing house (ACH) file change, or vendor payment redirect. The email comes from a legitimate internal address. Standard email filtering won't flag it. It's not malware and it's not phishing. It's a real account sending a real message.

Stopping BEC requires Conditional Access policies that detect impossible-travel logins, DLP rules that flag financial instructions sent to external addresses, and audit logging that tracks mailbox rule changes.
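Two of the three detections named above, impossible-travel sign-ins and mailbox rule changes, come down to simple logic once the logs are in hand. The following is an added example, not the article's or ABT's code, that runs that logic over constructed Microsoft 365 records. The record shape is an assumption: sign-ins carry a user, UTC time, source IP and a geo-resolved latitude/longitude, and audit records are a flattened form of the Unified Audit Log's New-InboxRule / Set-InboxRule events with the cmdlet parameters as a dict. Entra ID Protection and Purview alerting do this natively; the point here is to make visible what those alerts actually test for.

```python
"""Impossible-travel and inbox-rule detections over constructed M365 records.

Added example (not the article's or ABT's code). Record shapes are assumed,
see the lead-in; sample data below is constructed, not real logs.
"""
import json
import math
from datetime import datetime

INTERNAL_DOMAIN = "example-cu.test"   # assumed tenant domain
MAX_PLAUSIBLE_KMH = 900.0             # faster than an airliner => impossible travel

# Constructed sign-in records (JSON objects, one per line).
SIGNIN_LOG = """
{"user":"controller@example-cu.test","time":"2026-01-14T13:02:00Z","ip":"203.0.113.10","lat":41.88,"lon":-87.63}
{"user":"controller@example-cu.test","time":"2026-01-14T13:40:00Z","ip":"198.51.100.7","lat":52.52,"lon":13.40}
{"user":"teller@example-cu.test","time":"2026-01-14T08:00:00Z","ip":"203.0.113.22","lat":41.88,"lon":-87.63}
{"user":"teller@example-cu.test","time":"2026-01-14T17:30:00Z","ip":"203.0.113.40","lat":42.33,"lon":-83.05}
"""

# Constructed audit records for inbox-rule creation.
AUDIT_LOG = """
{"user":"controller@example-cu.test","time":"2026-01-14T13:45:00Z","operation":"New-InboxRule","parameters":{"Name":"cleanup","ForwardTo":"archive@external-mail.test","DeleteMessage":"True"}}
{"user":"teller@example-cu.test","time":"2026-01-14T09:10:00Z","operation":"New-InboxRule","parameters":{"Name":"newsletters","MoveToFolder":"Promotions"}}
"""


def parse_jsonl(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def _parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by one user whose implied speed exceeds max_kmh."""
    by_user = {}
    for rec in sorted(signins, key=lambda r: r["time"]):
        by_user.setdefault(rec["user"], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            hours = (_parse_time(cur["time"]) - _parse_time(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two sign-ins at the same instant from different places are also impossible.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "kmh": round(speed)})
    return alerts


def suspicious_inbox_rules(audit, internal_domain=INTERNAL_DOMAIN):
    """Flag new/changed inbox rules that forward mail outside the tenant or delete it."""
    alerts = []
    for rec in audit:
        if rec.get("operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = rec.get("parameters", {})
        reasons = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = params.get(key)
            if target and not target.lower().endswith("@" + internal_domain):
                reasons.append("%s points to external address %s" % (key, target))
        if str(params.get("DeleteMessage", "")).lower() == "true":
            reasons.append("DeleteMessage is set (hides the forwarded mail from the owner)")
        if reasons:
            alerts.append({"user": rec["user"], "rule": params.get("Name"), "reasons": reasons})
    return alerts


def run():
    return {"impossible_travel": impossible_travel(parse_jsonl(SIGNIN_LOG)),
            "inbox_rules": suspicious_inbox_rules(parse_jsonl(AUDIT_LOG))}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The controller's two sign-ins are about 7,000 km and 38 minutes apart, which is well past the 900 km/h ceiling, and the "cleanup" rule created minutes later forwards to an outside address and deletes the original: the two alerts together are the classic BEC pattern, and correlating them by user is what turns two low-priority signals into one high-priority case.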

Credential Stuffing Against Online Banking

Members reuse passwords. Attackers buy credential dumps from unrelated breaches and test them against your online banking portal in automated waves. If a member uses the same password for their email and their credit union login, the attacker gets in. Your core provider handles some of this at the application layer, but your responsibility is ensuring your Microsoft 365 environment (where password resets, MFA enrollment, and account recovery happen) is locked down so attackers can't pivot from online banking into your internal systems.

Ransomware via Remote Desktop and Legacy Protocols

Ransomware groups scan for exposed Remote Desktop Protocol (RDP) and legacy authentication endpoints. Credit union network security starts with disabling those exposed protocols, and a credit union that hasn't disabled legacy authentication in its Microsoft 365 tenant is leaving the same door open in the cloud. Once inside, attackers move laterally from a compromised account to file shares, backup systems, and domain controllers before encrypting everything.

Third-Party Vendor Compromise

Your credit union connects to core processors, loan origination platforms, card processors, online banking providers, and managed IT providers. The Marquis breach showed exactly how this plays out: one vendor gets hit, and suddenly 74 financial institutions are sending breach notification letters to their members. A breach at any one of these vendors can cascade into your environment through API connections, shared credentials, or compromised software updates. Your vendor management program needs to assess more than whether a vendor has a SOC 2 report on file.

Insider Threats

Not every insider threat is malicious. An employee who forwards member loan documents to a personal email address for convenience is an insider threat. A terminated employee whose Active Directory account wasn't disabled for 30 days is an insider threat. Credit unions often underinvest in controls that detect and prevent data movement by authorized users.

[Infographic: four layers of credit union cybersecurity maturity, from baseline controls through proactive threat hunting.]
Credit union cybersecurity maturity moves through four distinct layers. Most institutions stop at baseline controls, leaving gaps in layers 2 and 3 where the majority of breaches occur.

Why This Matters Right Now

The NCUA's January 2026 supervisory priorities letter folded cybersecurity into "Operational Risk Management" alongside payment systems security and fraud prevention. Examiners are no longer checking whether you have security tools installed. They are assessing whether your security program detects threats, responds to incidents, and produces documentation that proves both. If your last examination treated cybersecurity as a standalone checklist, expect a different conversation this year.


Credit Union Cybersecurity Best Practices Most Teams Skip

Antivirus and a firewall are a starting point. The controls below are where credit union cybersecurity best practices actually matter. Most credit unions we assess are missing at least three of these.

Conditional Access Policies

Conditional Access in Microsoft Entra ID lets you enforce rules about who can access what, from where, and under what conditions. A properly configured policy set blocks legacy authentication protocols, requires MFA for all users (no exceptions for the CEO), restricts access from unmanaged devices, and flags sign-ins from unusual locations. Without Conditional Access, MFA alone is insufficient because attackers can bypass it through legacy protocols that don't support MFA challenges.
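The three requirements in that paragraph (legacy authentication blocked, MFA for everyone, no exceptions for the CEO) can be checked mechanically against an export of the tenant's policies. The following is an added example, not the article's, ABT's or Microsoft's code; it assumes policy objects in the shape of Microsoft Graph conditionalAccessPolicy resources (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls.builtInControls). The two tenants are constructed, and the excluded user id is a placeholder.

```python
"""Check a Conditional Access policy set for the three requirements above.

Added example (not the article's, ABT's or Microsoft's code). Policy
objects follow the Graph conditionalAccessPolicy shape; tenants are
constructed and the excluded user id is a placeholder.
"""


def _policy(name, state, client_app_types, control, exclude_users=()):
    """Build a minimal Graph-style policy that targets all users and all apps."""
    return {
        "displayName": name,
        # Graph states: "enabled", "disabled", "enabledForReportingButNotEnforced"
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(client_app_types),
        },
        "grantControls": {"operator": "OR", "builtInControls": [control]},
    }


# Constructed weak tenant: the legacy-auth block never left report-only mode,
# and the MFA policy carries an exclusion (the CEO scenario in the text).
WEAK_TENANT = [
    _policy("Block legacy authentication", "enabledForReportingButNotEnforced",
            ["exchangeActiveSync", "other"], "block"),
    _policy("Require MFA for all users", "enabled",
            ["browser", "mobileAppsAndDesktopClients"], "mfa",
            exclude_users=["<ceo-user-object-id-placeholder>"]),
]

# Constructed hardened tenant: both policies enforced, no exclusions.
HARDENED_TENANT = [
    _policy("Block legacy authentication", "enabled",
            ["exchangeActiveSync", "other"], "block"),
    _policy("Require MFA for all users", "enabled",
            ["browser", "mobileAppsAndDesktopClients"], "mfa"),
]


def _enforced(policy):
    return policy.get("state") == "enabled"


def _covers_everyone(policy):
    cond = policy["conditions"]
    return ("All" in cond["users"].get("includeUsers", [])
            and "All" in cond["applications"].get("includeApplications", []))


def legacy_auth_blocked(policies):
    """True if an enforced policy blocks both legacy client-app types for everyone."""
    for p in policies:
        if not (_enforced(p) and _covers_everyone(p)):
            continue
        apps = set(p["conditions"].get("clientAppTypes", []))
        controls = p["grantControls"].get("builtInControls", [])
        if {"exchangeActiveSync", "other"} <= apps and "block" in controls:
            return True
    return False


def mfa_exclusions(policies):
    """None if no enforced MFA-for-all policy exists; otherwise its excludeUsers list."""
    modern = {"browser", "mobileAppsAndDesktopClients"}
    for p in policies:
        if not (_enforced(p) and _covers_everyone(p)):
            continue
        apps = set(p["conditions"].get("clientAppTypes", []))
        controls = p["grantControls"].get("builtInControls", [])
        if (modern <= apps or "all" in apps) and "mfa" in controls:
            return list(p["conditions"]["users"].get("excludeUsers", []))
    return None


def assess(policies):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    if not legacy_auth_blocked(policies):
        findings.append("no enforced policy blocks legacy authentication for all users and apps")
    excluded = mfa_exclusions(policies)
    if excluded is None:
        findings.append("no enforced policy requires MFA for all users")
    elif excluded:
        findings.append("MFA policy excludes %d user(s): %s" % (len(excluded), ", ".join(excluded)))
    return findings


if __name__ == "__main__":
    for label, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        print(label, assess(tenant) or ["all checks pass"])
```

Report-only policies are the common trap: the policy exists, shows up in the portal, and blocks nothing, which is why the check accepts only state "enabled". Every user id in excludeUsers is listed rather than judged, so whoever reviews the findings has to justify each exclusion in writing.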

Data Loss Prevention (DLP) Rules

DLP policies in Microsoft 365 detect and prevent sensitive data from leaving your environment through email, Teams, SharePoint, or OneDrive. For credit unions, this means rules that flag Social Security numbers, account numbers, and member financial data in outbound messages. Most credit unions we work with have DLP available in their licensing but haven't configured a single rule.
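To make concrete what such a rule actually decides, the following is an added example, not the article's, ABT's or Microsoft Purview's code: a model of an outbound DLP rule run over constructed messages. Assumptions: the tenant domain is example-cu.test, member account numbers are ten digits and count only when an "account" or "member" keyword sits next to them (mirroring how supporting keywords raise confidence in a Purview sensitive information type), and message bodies are plain text.

```python
"""Model of an outbound DLP rule for SSNs and member account numbers.

Added example (not the article's, ABT's or Purview's code). Tenant domain,
account-number format and the messages below are all constructed.
"""
import re

INTERNAL_DOMAIN = "example-cu.test"

# SSN: 3-2-4 digits, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical member account number: ten digits preceded by a supporting keyword.
ACCOUNT_RE = re.compile(
    r"\b(?:account|member)\s*(?:number|no\.?|#)?\s*:?\s*(\d{10})\b", re.IGNORECASE)

# Constructed messages (not real mail).
MESSAGES = [
    {"id": 1, "from": "loans@example-cu.test", "to": ["broker@outside-lender.test"],
     "body": "Per your request, applicant SSN 123-45-6789 and member account 1002003004."},
    {"id": 2, "from": "loans@example-cu.test", "to": ["underwriting@example-cu.test"],
     "body": "Applicant SSN 123-45-6789 attached for file review."},
    {"id": 3, "from": "marketing@example-cu.test", "to": ["print@vendor-shop.test"],
     "body": "Invoice 987-65-4321 approved; PO reference 000-12-3456."},
    {"id": 4, "from": "ops@example-cu.test", "to": ["it@example-cu.test", "support@msp-partner.test"],
     "body": "Ticket 4455667788 opened for the branch printer."},
]


def external_recipients(message, internal_domain=INTERNAL_DOMAIN):
    """Recipients whose domain is not the tenant's own."""
    return [r for r in message["to"] if r.lower().rsplit("@", 1)[-1] != internal_domain]


def find_sensitive(text):
    """Detected items as (type, masked value) pairs; values are masked so the alert itself is not a leak."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group(0)[-4:]))
    for m in ACCOUNT_RE.finditer(text):
        hits.append(("account", "******" + m.group(1)[-4:]))
    return hits


def scan_message(message):
    """Block when sensitive data is bound for any external recipient; otherwise allow."""
    external = external_recipients(message)
    hits = find_sensitive(message["body"]) if external else []
    return {"id": message["id"], "external": external, "hits": hits,
            "action": "block" if hits else "allow"}


def scan_all(messages=MESSAGES):
    return [scan_message(m) for m in messages]


if __name__ == "__main__":
    for result in scan_all():
        print(result)
```

Message 1 is blocked (a real-looking SSN plus an account number going to an outside lender); message 2 carries the same SSN but stays internal; message 3 contains two nine-digit strings that fail the SSN validity rules, which is what keeps invoice and PO numbers from generating false positives; message 4 goes to an outside vendor but the ten-digit ticket number has no supporting keyword. In Purview the same rule would be built from the built-in SSN sensitive information type plus a custom type for the member number, with the "recipient is outside the organization" condition.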

Sensitivity Labels

Sensitivity labels classify and protect documents based on their content. A document labeled "Member Confidential" can be automatically encrypted, restricted from external sharing, and watermarked. Labels apply at the document level and travel with the file, so protection persists even if someone copies the file to a USB drive or emails it outside your organization.

Email Authentication (DMARC/DKIM/SPF)

These three protocols prevent attackers from sending emails that appear to come from your credit union's domain. SPF tells receiving mail servers which IP addresses are authorized to send email for your domain. DKIM adds a cryptographic signature. DMARC ties them together with a policy that tells receivers what to do with emails that fail authentication. Without all three configured and enforced, an attacker can send emails that look like they're from yourcu.org to your members.
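"Configured and enforced" is the part most domains miss: an SPF record ending in +all, a DMARC record at p=none, or a DKIM key that was never published all look like the control is in place until someone reads the records. The following is an added example, not the article's or ABT's code, that evaluates a domain's SPF, DKIM and DMARC records the way a receiving server or an examiner would read them. DNS answers are constructed and embedded rather than queried, the two domains are hypothetical, and the DKIM selectors checked (selector1, selector2) are the Microsoft 365 defaults, though any tenant can publish others.

```python
"""Evaluate SPF, DKIM and DMARC records for enforcement, not just presence.

Added example (not the article's or ABT's code). DNS answers are
constructed; domains are hypothetical; the DKIM key value is a placeholder.
"""

# Constructed TXT records keyed by DNS name (not real lookups).
DNS_TXT = {
    "weak-cu.test": ["v=spf1 include:_spf.mailer-example.test +all"],
    "_dmarc.weak-cu.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-cu.test"],
    # weak-cu.test publishes no DKIM selector at all
    "hardened-cu.test": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.hardened-cu.test": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened-cu.test; adkim=s; aspf=s"],
    "selector1._domainkey.hardened-cu.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B<constructed-key-material>"],
}

# SPF terms that each cost one of the ten permitted DNS lookups (RFC 7208 section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name, dns=DNS_TXT):
    return dns.get(name.lower(), [])


def parse_tags(record):
    """Parse 'tag=value; tag=value' records (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(domain, dns=DNS_TXT):
    records = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return {"present": False, "issues": ["expected exactly one SPF record, found %d" % len(records)]}
    qualifier, lookups = None, 0
    for term in records[0].split()[1:]:
        q = term[0] if term[0] in "+-~?" else "+"
        name = term.lstrip("+-~?").lower().split(":")[0].split("/")[0].split("=")[0]
        if name == "all":
            qualifier = q
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    issues = []
    if qualifier in (None, "+"):
        issues.append("SPF does not fail unauthorized senders (no -all or ~all)")
    if lookups > 10:
        issues.append("SPF needs %d DNS lookups; receivers stop evaluating after 10" % lookups)
    return {"present": True, "qualifier": qualifier, "lookups": lookups, "issues": issues}


def assess_dmarc(domain, dns=DNS_TXT):
    records = [r for r in lookup_txt("_dmarc." + domain, dns) if r.lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return {"present": False, "issues": ["expected exactly one DMARC record, found %d" % len(records)]}
    tags = parse_tags(records[0])
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    issues = []
    if policy == "none":
        issues.append("DMARC policy is p=none (monitoring only, nothing is rejected)")
    elif pct < 100:
        issues.append("DMARC policy applies to only %d%% of failing mail" % pct)
    if "rua" not in tags:
        issues.append("no aggregate report address (rua), so failures are invisible")
    return {"present": True, "policy": policy, "pct": pct, "issues": issues}


def assess_dkim(domain, selectors=("selector1", "selector2"), dns=DNS_TXT):
    found = [s for s in selectors
             if any(parse_tags(r).get("p") for r in lookup_txt("%s._domainkey.%s" % (s, domain), dns))]
    issues = [] if found else ["no DKIM public key published for selectors %s" % ", ".join(selectors)]
    return {"present": bool(found), "selectors": found, "issues": issues}


def enforcement(domain, dns=DNS_TXT):
    """Enforced only when SPF fails bad senders, a DKIM key exists, and DMARC rejects/quarantines 100%."""
    spf, dkim, dmarc = assess_spf(domain, dns), assess_dkim(domain, dns=dns), assess_dmarc(domain, dns)
    enforced = (spf.get("qualifier") in ("-", "~") and dkim["present"]
                and dmarc.get("policy") in ("reject", "quarantine") and dmarc.get("pct") == 100)
    return {"domain": domain, "enforced": enforced,
            "issues": spf["issues"] + dkim["issues"] + dmarc["issues"]}


if __name__ == "__main__":
    for d in ("weak-cu.test", "hardened-cu.test"):
        print(enforcement(d))
```

The weak domain has all the right record names and still fails on every axis: +all authorizes the whole internet, p=none tells receivers to deliver failing mail anyway, and there is no DKIM key to sign with. Against a real domain, replace lookup_txt with a resolver call and treat the rua address as the feedback channel that tells you whether moving to p=reject will break a legitimate sender.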

Audit Logging and Retention

If you can't see what happened, you can't investigate an incident. Microsoft 365 audit logging should be enabled and configured to capture sign-in events, file access, mailbox changes, admin activities, and DLP policy matches. Logs should be retained for at least one year to satisfy NCUA cybersecurity requirements. Many credit unions have audit logging turned on by default but haven't configured retention or set up alerts on high-risk events.

"Most credit unions we assess already have DLP and Conditional Access available in their Microsoft 365 licensing. They just haven't configured a single rule. The gap between what they own and what they've deployed is where examiners find their findings."

ABT Security Engineering Team, based on 750+ financial institution assessments

Build a Security Program, Not a Tool Collection

Tools don't make you secure. A credit union with 15 security products and no security program is less protected than one with five tools configured properly with documented policies behind them. Here are four layers your credit union security program needs:

Policy

Written, board-approved policies that define acceptable use, access management, incident response, data classification, and vendor management. These aren't shelfware. Your NCUA examiner reads them. Your employees should too. Policies need annual review dates and revision history that prove they're current.

Implementation

Every policy statement should map to a technical control. "Employees must use multi-factor authentication" maps to Conditional Access policies that enforce MFA. "Member data must not be shared externally without authorization" maps to DLP rules and sensitivity labels. If a policy exists without a corresponding control, it's aspirational, not operational.

Testing

Run phishing simulations quarterly. Test your incident response plan through tabletop exercises at least annually. Conduct vulnerability scans monthly and penetration tests annually. Testing proves your controls work. It also generates the documentation your NCUA examiner expects to see.

Documentation

Every control needs evidence. ABT's Guardian platform maintains continuous documentation of Microsoft 365 security configuration. But documentation goes beyond the technical layer. You need board meeting minutes showing security briefings, training completion records, access review sign-offs, incident response exercise reports, and vendor risk assessment records. If it isn't documented, it didn't happen.

[Infographic: timeline of the critical first 72 hours of credit union incident response, from detection through recovery.]
The first 72 hours after a breach determine whether a credit union controls the narrative or loses member trust. NCUA requires notification within this window.

Credit Union Data Protection and the Member Trust Factor

Credit unions exist because members chose them over a bank. That choice is built on trust. When 400,000 people get breach notification letters because their credit union's marketing vendor got ransomwared, that trust takes a direct hit. Credit union data protection is the foundation of the member relationship, not just a regulatory box to check.

$5.56M
Average cost of a data breach in financial services in 2025. Financial institutions pay 25% more than the global average of $4.44 million per incident.
Source: IBM / Ponemon Institute, Cost of a Data Breach Report, 2025

Think about what your credit union holds: Social Security numbers, dates of birth, income verification documents, loan applications, account balances, and transaction histories. A breach that exposes this data doesn't just trigger regulatory action. It breaks the trust that keeps your members from switching to the bank down the street. GLBA (Gramm-Leach-Bliley Act) requires financial institutions to protect member data, but your members expect more than the legal minimum.

Effective credit union data breach prevention starts with knowing where member data lives across your systems. It's in your core, your loan origination system, your email, your file shares, and your employees' OneDrive folders. Sensitivity labels and DLP rules bring visibility and control to data that's already spread across your Microsoft 365 environment. Without those controls, you're relying on every employee to make the right decision about every document, every time. That's not a security strategy.

Lesson From the Marquis Breach

When Marquis Software Solutions was breached through an unpatched SonicWall firewall, 74 banks and credit unions had to send breach notification letters to their members — for a vulnerability that existed in a vendor's environment, not their own. Your vendor management program needs to go beyond collecting SOC 2 reports. Ask vendors about patch cadence, incident response plans, and whether they carry cyber liability insurance. If a vendor won't answer those questions, that tells you something about their security posture.


Managed Security vs. DIY: What's Realistic

A credit union with 15 employees doesn't have a security team. Credit union IT security work typically falls on one person who also manages the help desk, the phone system, and the printer fleet. Asking that person to configure Conditional Access policies, write DLP rules, implement DMARC enforcement, run quarterly phishing simulations, conduct annual penetration tests, and produce the documentation your examiner requires is not realistic. It's a staffing problem, not a competence problem.

Here's a practical breakdown of what a small credit union can handle internally vs. what typically requires a specialist:

| Internal (Realistic for Small CU) | Specialist Required |
|---|---|
| Security awareness training administration | Conditional Access policy design and deployment |
| Policy document maintenance and board reporting | DLP rule configuration and tuning |
| Employee onboarding/offboarding access procedures | DMARC/DKIM/SPF implementation and enforcement |
| Vendor SOC 2 report collection | Penetration testing and vulnerability management |
| Incident reporting to NCUA | Incident response execution and forensics |
| Business continuity plan (BCP) tabletop exercise coordination | Continuous monitoring, alerting, and threat response |
| Training completion record keeping | Security posture benchmarking against 100+ controls |

The managed security model works because it gives your credit union access to specialists who configure, monitor, and maintain security controls across hundreds of financial institutions at the same time. ABT's managed IT services include the security engineering that most credit union IT staff don't have time for. Guardian monitors your Microsoft 365 environment against 100+ security benchmarks mapped to FFIEC, NCUA, and GLBA requirements. Gaps get flagged and fixed. Documentation gets generated automatically.

That doesn't mean you outsource accountability. Your credit union is still responsible for its security posture. A free security assessment is the fastest way to see where your environment stands and where your examiner will find gaps.


Frequently Asked Questions

“The credit unions getting breached aren't the ones without firewalls. They're the ones where conditional access policies have gaps, sensitivity labels aren't applied, and nobody has reviewed sharing permissions in two years. The basics aren't basic anymore.”
ABT Credit Union Security Team
Serving 750+ financial institutions since 1999


The most impactful controls include Conditional Access policies that enforce multi-factor authentication and block legacy protocols, data loss prevention rules that detect sensitive member data in outbound communications, email authentication through DMARC, DKIM, and SPF, sensitivity labels on documents containing member information, and audit log retention of at least one year for incident investigation and regulatory compliance. For more details, see our guides on managed IT for community banks and on NCUA IT examination preparation.

Business email compromise remains the most financially damaging threat, followed by ransomware delivered through exposed remote access and legacy authentication protocols. Credential stuffing attacks against online banking portals, third-party vendor compromises that cascade into credit union environments, and insider threats from improper data handling round out the top threat categories targeting credit unions.

NCUA examiners assess cybersecurity maturity across the domains defined in the FFIEC Cybersecurity Assessment Tool. Credit unions that demonstrate a documented security program with enforced controls, regular testing, and maintained evidence packages receive fewer findings. Institutions with repeated gaps, missing documentation, or untested controls face increased examination frequency and potential supervisory actions.

A complete credit union security program includes four layers: written board-approved policies covering access management, incident response, data classification, and vendor oversight; technical controls that enforce each policy; regular testing through phishing simulations, vulnerability scans, penetration tests, and tabletop exercises; and continuous documentation that proves controls are active and effective.

Small credit unions can handle policy maintenance, training administration, and vendor report collection internally. Technical security engineering, including Conditional Access configuration, DLP rule tuning, email authentication enforcement, penetration testing, and continuous monitoring, typically requires a managed security provider with financial services experience and SOC 2 Type II certification.

The Gramm-Leach-Bliley Act requires financial institutions, including credit unions, to implement safeguards that protect the security and confidentiality of member nonpublic personal information. This includes conducting risk assessments, designing information security programs, overseeing third-party service providers, and adjusting security practices as threats evolve. NCUA enforces GLBA compliance through its examination process.

Credit unions should configure Conditional Access policies enforcing multi-factor authentication for all users, blocking legacy authentication, and requiring device compliance. Data Loss Prevention rules should detect member Social Security numbers and account numbers in outbound communications. Additional priorities include DMARC email authentication, sensitivity labels for document classification, and audit log retention of at least one year for NCUA examination evidence.


Technical Reference

The following tables define the regulatory frameworks and technical terms referenced throughout this article.

Regulatory Frameworks

| Term | Full Name | What It Means |
|---|---|---|
| NCUA | National Credit Union Administration | The federal regulator that charters and examines federally insured credit unions. |
| FFIEC | Federal Financial Institutions Examination Council | The interagency body that writes the IT examination standards used by NCUA, OCC, and FDIC examiners. |
| GLBA | Gramm-Leach-Bliley Act | Federal law requiring financial institutions to protect the security and confidentiality of customer nonpublic personal information. |
| OCC | Office of the Comptroller of the Currency | The federal regulator that charters and examines national banks and federal savings associations. |
| FTC Safeguards Rule | Federal Trade Commission Standards for Safeguarding Customer Information | The updated FTC regulation requiring non-bank financial institutions (including mortgage companies) to implement comprehensive information security programs. |

Glossary

| Term | Definition |
|---|---|
| ACH | Automated Clearing House — the electronic payment network used for direct deposits, bill payments, and account-to-account transfers. |
| BCP | Business Continuity Plan — a documented plan for maintaining critical operations during and after a disruptive event such as a cyberattack, natural disaster, or system failure. |
| BEC | Business Email Compromise — an attack where an adversary gains access to a legitimate email account and uses it to impersonate the owner, typically to redirect payments or steal sensitive data. |
| Conditional Access | Microsoft Entra ID policies that enforce login requirements — such as multi-factor authentication, device compliance, and location restrictions — before granting access to Microsoft 365 resources. |
| DLP (Data Loss Prevention) | Microsoft Purview rules that detect and block sharing of sensitive data — such as Social Security numbers, account numbers, and loan data — outside the organization. |
| DMARC / DKIM / SPF | Email authentication protocols that prevent attackers from sending emails that appear to come from your organization's domain. SPF authorizes sending servers, DKIM adds cryptographic signatures, and DMARC sets the enforcement policy. |
| MFA | Multi-Factor Authentication — requiring two or more verification methods (password plus a phone prompt, hardware key, or biometric) to sign in. |
| RDP | Remote Desktop Protocol — a Microsoft protocol for remote access to Windows computers. Exposed RDP is a top ransomware entry point. |
| Sensitivity Labels | Microsoft Purview classifications applied to documents and emails that enforce encryption, restrict sharing, and apply watermarks based on content sensitivity. |
| SOC 2 Type II | An independent audit verifying that a service provider's security controls are designed properly and operating effectively over a sustained period (typically 6-12 months). |

Justin Kirsch

Founder & CEO, Access Business Technologies

Justin Kirsch works with hundreds of financial institutions on cybersecurity and IT compliance, giving him a front-row seat to where the real vulnerabilities hide. After 25 years in financial services IT and founding ABT, he has seen that the institutions getting breached are almost never the ones lacking a firewall. They are the ones that stopped at layer one and never built the detection and response capabilities that catch what firewalls miss.