Credit Union Cybersecurity: Beyond the Basics

In August 2025, a ransomware gang breached Marquis Software Solutions through an unpatched SonicWall firewall and stole the personal data of 1.3 million people across 74 banks and credit unions. Social Security numbers. Dates of birth. Financial account details. The attackers reportedly used a known vulnerability that Marquis hadn't remediated, and notifications to affected members didn't go out for more than three months. Marquis isn't a fringe vendor. It serves over 700 financial institutions with CRM, compliance reporting, and marketing tools.

That breach landed right alongside a hard number from the NCUA's own reporting: 73% of all cyber incidents reported by credit unions between September 2023 and May 2024 involved a third-party vendor. Not a phishing email to an employee. Not a brute-force attack on the firewall. A vendor that your credit union trusted with member data.

The NCUA's January 2026 supervisory priorities letter made the shift official. Cybersecurity is no longer a standalone examination category. It's been folded into "Operational Risk Management" alongside payment systems security and fraud prevention. Examiners will assess vendor management frameworks, incident response readiness, and whether your board actually understands the security risks on your balance sheet. The old model of treating cybersecurity as an IT checklist is over.

This article breaks down what that means in practice: the specific controls, vendor oversight disciplines, and security program structures that separate credit unions ready for their next examination from those about to get a findings letter.

Every credit union has antivirus on its workstations. Every credit union has a firewall. And nearly every credit union that got breached in the past three years had both of those things running when it happened.

The threats hitting credit unions in 2026 have moved past what perimeter defenses can stop. Attackers aren't probing firewalls from the outside. They're logging into your Microsoft 365 tenant with credentials they bought on the dark web, impersonating your CEO in an email to your controller, or riding in through a compromised vendor connection. A real credit union security program accounts for these scenarios. A checkbox list of basic controls does not.

This article covers the credit union cybersecurity best practices that go beyond antivirus and firewall: the controls, policies, and operational disciplines that separate credit unions passing their NCUA examinations with confidence from those scrambling to explain gaps.

This article focuses on credit unions and the National Credit Union Administration (NCUA), but the security controls and best practices apply equally to community banks examined by the OCC and FDIC. Mortgage companies subject to the FTC Safeguards Rule face parallel requirements for protecting consumer financial data.


Why "The Basics" Don't Protect Credit Unions Anymore

Five years ago, a credit union could argue that a managed firewall, endpoint antivirus, and annual security awareness training added up to adequate protection. That argument fell apart.

Here's what changed:

  • Identity is the new perimeter. With Microsoft 365, remote access, and cloud-based core systems, your users authenticate from home networks, airports, and personal devices. The firewall at your branch doesn't protect a loan officer working from a coffee shop.
  • Email compromise has become surgical. Attackers research credit union org charts, identify who approves wire transfers, and send emails that look identical to real internal messages. Spam filters catch mass phishing campaigns. They don't catch targeted business email compromise.
  • Regulators raised the bar. NCUA cybersecurity expectations now include Conditional Access, data loss prevention, email authentication, and incident response testing. Showing an examiner that you have antivirus installed isn't a passing grade.
  • Ransomware groups go after small financial institutions on purpose. Credit unions with 15 to 100 employees attract attackers who bet on weaker defenses than a large bank would have.

The gap between "we have the basics" and "we have an effective credit union security program" is where breaches happen.


Credit Union Cyber Threats That Actually Hit

Generic threat briefings don't help. You've sat through the "cyber threats are increasing" slides a hundred times. Here are the specific credit union cyber threats that result in actual incidents at institutions your size:

Business Email Compromise (BEC)

BEC is the most financially damaging attack type for credit unions. An attacker compromises one email account, studies the communication patterns, then sends a convincing email requesting a wire transfer, automated clearing house (ACH) file change, or vendor payment redirect. The email comes from a legitimate internal address. Standard email filtering won't flag it. It's not malware and it's not phishing. It's a real account sending a real message.

Stopping BEC requires Conditional Access policies that detect impossible-travel logins, DLP rules that flag financial instructions sent to external addresses, and audit logging that tracks mailbox rule changes.
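The two detections named above (impossible-travel sign-ins and mailbox rule changes that forward or hide mail) can be expressed as simple rules over audit data. The following is an added illustration written for this article, not ABT's or Microsoft's code: the sign-in and inbox-rule records are constructed, and their flattened field names (`lat`, `lon`, a `parameters` dict keyed by the Exchange `New-InboxRule` parameter names) are a simplification of what a real Microsoft 365 unified audit log export contains.

```python
"""Two BEC tripwires over constructed Microsoft 365-style audit records.

Added illustration for this article; record layout is simplified and
the field names are assumptions, not the unified audit log schema.
"""
import math
from datetime import datetime, timezone

INTERNAL_DOMAIN = "example-cu.org"   # constructed
MAX_PLAUSIBLE_KMH = 900.0            # faster than this between sign-ins = impossible travel

# Constructed sample: sign-ins with resolved geolocation and UTC timestamps.
SIGN_INS = [
    {"user": "controller@example-cu.org", "time": "2026-01-12T13:05:00Z",
     "ip": "203.0.113.10", "lat": 41.88, "lon": -87.63},   # Chicago
    {"user": "controller@example-cu.org", "time": "2026-01-12T13:50:00Z",
     "ip": "198.51.100.7", "lat": 52.52, "lon": 13.40},    # Berlin, 45 minutes later
    {"user": "teller@example-cu.org", "time": "2026-01-12T08:00:00Z",
     "ip": "203.0.113.11", "lat": 41.88, "lon": -87.63},
    {"user": "teller@example-cu.org", "time": "2026-01-12T17:30:00Z",
     "ip": "203.0.113.12", "lat": 41.95, "lon": -87.70},   # across town, 9.5 h later
]

# Constructed sample: inbox rule operations. A compromised mailbox is often
# given a rule that forwards payment-related mail outside the org and deletes it.
RULE_EVENTS = [
    {"user": "controller@example-cu.org", "operation": "New-InboxRule",
     "parameters": {"ForwardTo": "bill.payments@mail-example.net",
                    "DeleteMessage": True, "SubjectContainsWords": "wire"}},
    {"user": "teller@example-cu.org", "operation": "New-InboxRule",
     "parameters": {"MoveToFolder": "Newsletters",
                    "FromAddressContainsWords": "noreply@vendor-example.com"}},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, km, hours) for consecutive sign-ins that imply > max_kmh."""
    by_user = {}
    for e in sorted(sign_ins, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, round(km), round(hours, 2)))
    return alerts

def suspicious_rules(rule_events, internal_domain=INTERNAL_DOMAIN):
    """Flag inbox rules that forward/redirect outside the org or delete mail."""
    alerts = []
    for e in rule_events:
        if e["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p, reasons = e["parameters"], []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = p.get(key)
            if target and not target.lower().endswith("@" + internal_domain):
                reasons.append(f"{key} external: {target}")
        if p.get("DeleteMessage"):
            reasons.append("DeleteMessage")
        if reasons:
            alerts.append((e["user"], reasons))
    return alerts

if __name__ == "__main__":
    for a in impossible_travel(SIGN_INS):
        print("impossible travel:", a)
    for a in suspicious_rules(RULE_EVENTS):
        print("suspicious inbox rule:", a)
```

Both checks run from data the tenant already produces once audit logging is on; the point of the example is that the signal is in the audit trail, and the only question is whether anything is reading it.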

Credential Stuffing Against Online Banking

Members reuse passwords. Attackers buy credential dumps from unrelated breaches and test them against your online banking portal in automated waves. If a member uses the same password for their email and their credit union login, the attacker gets in. Your core provider handles some of this at the application layer, but your responsibility is ensuring your Microsoft 365 environment (where password resets, MFA enrollment, and account recovery happen) is locked down so attackers can't pivot from online banking into your internal systems.

Ransomware via Remote Desktop and Legacy Protocols

Ransomware groups scan for exposed Remote Desktop Protocol (RDP) and legacy authentication endpoints. Credit union network security starts with disabling these exposed protocols, and a Microsoft 365 tenant that still allows legacy authentication is leaving a door open. Once inside, attackers move laterally from a compromised account to file shares, backup systems, and domain controllers before encrypting everything.

Third-Party Vendor Compromise

Your credit union connects to core processors, loan origination platforms, card processors, online banking providers, and managed IT providers. The Marquis breach showed exactly how this plays out: one vendor gets hit, and suddenly 74 financial institutions are sending breach notification letters to their members. A breach at any one of these vendors can cascade into your environment through API connections, shared credentials, or compromised software updates. Your vendor management program needs to assess more than whether a vendor has a SOC 2 report on file.

Insider Threats

Not every insider threat is malicious. An employee who forwards member loan documents to a personal email address for convenience is an insider threat. A terminated employee whose Active Directory account wasn't disabled for 30 days is an insider threat. Credit unions often underinvest in controls that detect and prevent data movement by authorized users.


Credit Union Cybersecurity Best Practices Most Teams Skip

Antivirus and a firewall are a starting point. The controls below are where credit union cybersecurity best practices actually matter. Most credit unions we assess are missing at least three of these.

Conditional Access Policies

Conditional Access in Microsoft Entra ID lets you enforce rules about who can access what, from where, and under what conditions. A properly configured policy set blocks legacy authentication protocols, requires MFA for all users (no exceptions for the CEO), restricts access from unmanaged devices, and flags sign-ins from unusual locations. Without Conditional Access, MFA alone is insufficient because attackers can bypass it through legacy protocols that don't support MFA challenges.

Data Loss Prevention (DLP) Rules

DLP policies in Microsoft 365 detect and prevent sensitive data from leaving your environment through email, Teams, SharePoint, or OneDrive. For credit unions, this means rules that flag Social Security numbers, account numbers, and member financial data in outbound messages. Most credit unions we work with have DLP available in their licensing but haven't configured a single rule.
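To make concrete what "a rule that flags Social Security numbers in outbound messages" decides, here is an added example, written for this article rather than taken from Microsoft Purview: it detects SSN-shaped strings (discarding values the SSA can never issue), detects labelled account numbers, and blocks only when a hit is going to a recipient outside the organization. The domain, messages and account-number pattern are constructed; a real Purview sensitive information type also uses keyword proximity and confidence levels, which this simplified matcher omits.

```python
"""Constructed DLP decision over outbound messages: what Purview-style rules evaluate.

Added illustration for this article, not Microsoft Purview's engine.
Messages, the internal domain and the account-number format are constructed.
"""
import re

INTERNAL_DOMAIN = "example-cu.org"   # constructed
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Constructed convention: a 10- to 12-digit number following "member #", "account number:" etc.
ACCT_RE = re.compile(r"\b(?:acct|account|member)\s*(?:no\.?|number|#)?\s*:?\s*(\d{10,12})\b", re.I)

# Constructed sample traffic.
MESSAGES = [
    {"to": ["processor@vendor-example.net"], "subject": "Loan file",
     "body": "Please verify: SSN 123-45-6789 for the Smith application."},
    {"to": ["underwriting@example-cu.org"], "subject": "Loan file",
     "body": "SSN 123-45-6789 is on page 2 of the application."},
    {"to": ["member@mail-example.com"], "subject": "Rate sheet",
     "body": "Ticket 000-12-3456 closed; the 60-month rate is unchanged."},
    {"to": ["member@mail-example.com"], "cc": ["teller@example-cu.org"],
     "subject": "Your statement", "body": "Member # 1234567890 balance attached."},
]

def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def mask(digits):
    """Keep only the last four digits so the alert itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_sensitive(text):
    """Return (kind, masked_value) for every SSN or account number found."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits.append(("SSN", "***-**-" + m.group(3)))
    for m in ACCT_RE.finditer(text):
        hits.append(("ACCOUNT", mask(m.group(1))))
    return hits

def evaluate(message, internal_domain=INTERNAL_DOMAIN):
    """Return (action, hits, external_recipients).

    block: sensitive data addressed outside the org
    audit: sensitive data staying internal (logged, not stopped)
    allow: nothing sensitive found
    """
    recipients = message["to"] + message.get("cc", [])
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    hits = find_sensitive(message["subject"] + "\n" + message["body"])
    if hits and external:
        return "block", hits, external
    if hits:
        return "audit", hits, external
    return "allow", hits, external

if __name__ == "__main__":
    for m in MESSAGES:
        print(evaluate(m))
```

Note the third message: "000-12-3456" looks like an SSN but cannot be one, and a rule without that check produces the false positives that get DLP switched off again. Masking hits in the alert matters for the same reason audit logs matter: the investigation record should not become a second copy of the member data.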

Sensitivity Labels

Sensitivity labels classify and protect documents based on their content. A document labeled "Member Confidential" can be automatically encrypted, restricted from external sharing, and watermarked. Labels apply at the document level and travel with the file, so protection persists even if someone copies the file to a USB drive or emails it outside your organization.

Email Authentication (DMARC/DKIM/SPF)

These three protocols prevent attackers from sending emails that appear to come from your credit union's domain. SPF tells receiving mail servers which IP addresses are authorized to send email for your domain. DKIM adds a cryptographic signature. DMARC ties them together with a policy that tells receivers what to do with emails that fail authentication. Without all three configured and enforced, an attacker can send emails that look like they're from yourcu.org to your members.
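The following added example (written for this article, not taken from any mail provider) parses constructed SPF and DMARC records for the page's placeholder domain yourcu.org and applies the DMARC verdict, so the difference between a monitoring policy (p=none) and an enforced one (p=reject) is visible on a spoofed message. Nothing is looked up in DNS. Relaxed alignment is approximated by comparing the last two labels of each domain, which is a simplification of the real rule (the organizational domain is determined via the Public Suffix List), and the pct= and sp= tags are parsed but not applied.

```python
"""Parse SPF/DMARC TXT records and compute the DMARC disposition of a message.

Added illustration for this article. Records are constructed for the
placeholder domain yourcu.org; no DNS queries are made.
"""

# Constructed records for the placeholder domain.
SPF_RECORD     = "v=spf1 include:spf.protection.outlook.com -all"
DMARC_MONITOR  = "v=DMARC1; p=none; rua=mailto:dmarc@yourcu.org"
DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@yourcu.org; adkim=s; aspf=r"

def parse_spf(txt):
    """Return the mechanisms and the qualifier on 'all' ('-', '~', '?', '+')."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechs, all_q = [], None
    for t in terms[1:]:
        if t.lower().lstrip("+-~?") == "all":
            all_q = t[0] if t[0] in "+-~?" else "+"
        else:
            mechs.append(t)
    return {"mechanisms": mechs, "all": all_q}

def parse_dmarc(txt):
    """Return the tag=value pairs with DMARC's defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags

def org_domain(d):
    """Simplified organizational domain: last two labels (assumption, not the PSL rule)."""
    return ".".join(d.lower().rstrip(".").split(".")[-2:])

def aligned(d1, d2, mode):
    """DMARC identifier alignment: 's' exact match, 'r' same organizational domain."""
    if mode == "s":
        return d1.lower() == d2.lower()
    return org_domain(d1) == org_domain(d2)

def dmarc_disposition(dmarc, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """'pass' if SPF or DKIM passes AND aligns with the From: domain; else the p= action."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, dmarc["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, dmarc["adkim"])
    return "pass" if (spf_ok or dkim_ok) else dmarc["p"]

def enforcement_gaps(spf, dmarc):
    """What an examiner (or an attacker) would notice about the published records."""
    gaps = []
    if spf["all"] in ("+", "?", None):
        gaps.append("SPF does not fail unauthorized senders")
    if dmarc["p"] == "none":
        gaps.append("DMARC p=none only monitors; spoofed mail is still delivered")
    if "rua" not in dmarc:
        gaps.append("no rua= address, so no aggregate reports")
    return gaps

if __name__ == "__main__":
    spf, mon, enf = parse_spf(SPF_RECORD), parse_dmarc(DMARC_MONITOR), parse_dmarc(DMARC_ENFORCED)
    # A spoofed message from attacker infrastructure: SPF fails, no DKIM signature.
    spoof = ("yourcu.org", "fail", "attacker-example.net", "none", "")
    print("monitoring policy:", dmarc_disposition(mon, *spoof))   # none
    print("enforced policy:  ", dmarc_disposition(enf, *spoof))   # reject
    print("gaps in monitoring setup:", enforcement_gaps(spf, mon))
```

The last scenario in the test (DKIM signed with d=bulk.yourcu.org under adkim=s) is the one that bites credit unions using a third-party sender for statements or marketing: strict alignment rejects their own legitimate mail unless that sender signs with the exact From: domain, which is why enforcement is normally reached by reading aggregate reports first and moving from p=none to p=quarantine to p=reject.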

Audit Logging and Retention

If you can't see what happened, you can't investigate an incident. Microsoft 365 audit logging should be enabled and configured to capture sign-in events, file access, mailbox changes, admin activities, and DLP policy matches. Logs should be retained for at least one year to satisfy NCUA cybersecurity requirements. Many credit unions have audit logging turned on by default but haven't configured retention or set up alerts on high-risk events.


Build a Security Program, Not a Tool Collection

Tools don't make you secure. A credit union with 15 security products and no security program is less protected than one with five tools configured properly with documented policies behind them. Here are four layers your credit union security program needs:

Policy

Written, board-approved policies that define acceptable use, access management, incident response, data classification, and vendor management. These aren't shelfware. Your NCUA examiner reads them. Your employees should too. Policies need annual review dates and revision history that prove they're current.

Implementation

Every policy statement should map to a technical control. "Employees must use multi-factor authentication" maps to Conditional Access policies that enforce MFA. "Member data must not be shared externally without authorization" maps to DLP rules and sensitivity labels. If a policy exists without a corresponding control, it's aspirational, not operational.

Testing

Run phishing simulations quarterly. Test your incident response plan through tabletop exercises at least annually. Conduct vulnerability scans monthly and penetration tests annually. Testing proves your controls work. It also generates the documentation your NCUA examiner expects to see.

Documentation

Every control needs evidence. ABT's Guardian platform maintains continuous documentation of Microsoft 365 security configuration. But documentation goes beyond the technical layer. You need board meeting minutes showing security briefings, training completion records, access review sign-offs, incident response exercise reports, and vendor risk assessment records. If it isn't documented, it didn't happen.


Credit Union Data Protection and the Member Trust Factor

Credit unions exist because members chose them over a bank. That choice is built on trust. When 400,000 people get breach notification letters because their credit union's marketing vendor got ransomwared, that trust takes a direct hit. Credit union data protection is the foundation of the member relationship, not just a regulatory box to check.

Think about what your credit union holds: Social Security numbers, dates of birth, income verification documents, loan applications, account balances, and transaction histories. A breach that exposes this data doesn't just trigger regulatory action. It breaks the trust that keeps your members from switching to the bank down the street. GLBA (Gramm-Leach-Bliley Act) requires financial institutions to protect member data, but your members expect more than the legal minimum.

Effective credit union data breach prevention starts with knowing where member data lives across your systems. It's in your core, your loan origination system, your email, your file shares, and your employees' OneDrive folders. Sensitivity labels and DLP rules bring visibility and control to data that's already spread across your Microsoft 365 environment. Without those controls, you're relying on every employee to make the right decision about every document, every time. That's not a security strategy.


Managed Security vs. DIY: What's Realistic

A credit union with 15 employees doesn't have a security team. Credit union IT security work typically falls on one person who also manages the help desk, the phone system, and the printer fleet. Asking that person to configure Conditional Access policies, write DLP rules, implement DMARC enforcement, run quarterly phishing simulations, conduct annual penetration tests, and produce the documentation your examiner requires is not realistic. It's a staffing problem, not a competence problem.

Here's a practical breakdown of what a small credit union can handle internally vs. what typically requires a specialist:

Internal (realistic for a small CU):

  • Security awareness training administration
  • Policy document maintenance and board reporting
  • Employee onboarding/offboarding access procedures
  • Vendor SOC 2 report collection
  • Incident reporting to NCUA
  • Business continuity plan (BCP) tabletop exercise coordination
  • Training completion record keeping

Specialist required:

  • Conditional Access policy design and deployment
  • DLP rule configuration and tuning
  • DMARC/DKIM/SPF implementation and enforcement
  • Penetration testing and vulnerability management
  • Incident response execution and forensics
  • Continuous monitoring, alerting, and threat response
  • Security posture benchmarking against 100+ controls

The managed security model works because it gives your credit union access to specialists who configure, monitor, and maintain security controls across hundreds of financial institutions at the same time. ABT's managed IT services include the security engineering that most credit union IT staff don't have time for. Guardian monitors your Microsoft 365 environment against 100+ security benchmarks mapped to FFIEC, NCUA, and GLBA requirements. Gaps get flagged and fixed. Documentation gets generated automatically.

That doesn't mean you outsource accountability. Your credit union is still responsible for its security posture. A free security assessment is the fastest way to see where your environment stands and where your examiner will find gaps.


Frequently Asked Questions

What are the most important credit union cybersecurity best practices beyond antivirus and firewalls?

The most impactful controls include Conditional Access policies that enforce multi-factor authentication and block legacy protocols, data loss prevention rules that detect sensitive member data in outbound communications, email authentication through DMARC, DKIM, and SPF, sensitivity labels on documents containing member information, and audit log retention of at least one year for incident investigation and regulatory compliance.

What are the biggest credit union cyber threats in 2026?

Business email compromise remains the most financially damaging threat, followed by ransomware delivered through exposed remote access and legacy authentication protocols. Credential stuffing attacks against online banking portals, third-party vendor compromises that cascade into credit union environments, and insider threats from improper data handling round out the top threat categories targeting credit unions.

How does cybersecurity maturity affect NCUA examination outcomes?

NCUA examiners assess cybersecurity maturity across the domains defined in the FFIEC Cybersecurity Assessment Tool. Credit unions that demonstrate a documented security program with enforced controls, regular testing, and maintained evidence packages receive fewer findings. Institutions with repeated gaps, missing documentation, or untested controls face increased examination frequency and potential supervisory actions.

What should a credit union security program include?

A complete credit union security program includes four layers: written board-approved policies covering access management, incident response, data classification, and vendor oversight; technical controls that enforce each policy; regular testing through phishing simulations, vulnerability scans, penetration tests, and tabletop exercises; and continuous documentation that proves controls are active and effective.

Can a small credit union manage cybersecurity without a dedicated security team?

Small credit unions can handle policy maintenance, training administration, and vendor report collection internally. Technical security engineering, including Conditional Access configuration, DLP rule tuning, email authentication enforcement, penetration testing, and continuous monitoring, typically requires a managed security provider with financial services experience and SOC 2 Type II certification.

How does GLBA apply to credit union data protection?

The Gramm-Leach-Bliley Act requires financial institutions, including credit unions, to implement safeguards that protect the security and confidentiality of member nonpublic personal information. This includes conducting risk assessments, designing information security programs, overseeing third-party service providers, and adjusting security practices as threats evolve. NCUA enforces GLBA compliance through its examination process.

What Conditional Access and DLP configurations should a credit union implement for cybersecurity compliance?

Credit unions should configure Conditional Access policies that enforce multi-factor authentication for all users, block legacy authentication protocols, require device compliance for access to core banking systems, and flag sign-ins from unusual locations or impossible-travel scenarios. Data Loss Prevention (DLP) rules should detect and block sharing of member Social Security numbers, account numbers, and loan data outside the organization. Additional configurations include DMARC email authentication to prevent domain spoofing, sensitivity labels for document classification, and audit logging retained for at least one year to produce evidence packages for NCUA examiners.


Next Steps

If your credit union still relies on antivirus and a firewall as its primary defense, the distance between where you are and where your examiners expect you to be is growing. Closing that gap starts with knowing where you stand.

  • Get your free security grade. ABT's Microsoft 365 Security Assessment provides a credit union security assessment that benchmarks your environment against 100+ security controls mapped to financial services regulatory frameworks. You'll see the same types of gaps your NCUA examiner would identify.
  • Talk to a financial institution security specialist. Schedule a conversation with ABT's team to discuss your institution's security posture, examination readiness, and the specific controls that matter most for your environment.

Technical Reference

The following tables define the regulatory frameworks and technical terms referenced throughout this article.

Regulatory Frameworks

NCUA (National Credit Union Administration): The federal regulator that charters and examines federally insured credit unions.
FFIEC (Federal Financial Institutions Examination Council): The interagency body that writes the IT examination standards used by NCUA, OCC, and FDIC examiners.
GLBA (Gramm-Leach-Bliley Act): Federal law requiring financial institutions to protect the security and confidentiality of customer nonpublic personal information.
OCC (Office of the Comptroller of the Currency): The federal regulator that charters and examines national banks and federal savings associations.
FTC Safeguards Rule (Federal Trade Commission Standards for Safeguarding Customer Information): The updated FTC regulation requiring non-bank financial institutions (including mortgage companies) to implement comprehensive information security programs.

Glossary

ACH: Automated Clearing House — the electronic payment network used for direct deposits, bill payments, and account-to-account transfers.
BCP: Business Continuity Plan — a documented plan for maintaining critical operations during and after a disruptive event such as a cyberattack, natural disaster, or system failure.
BEC: Business Email Compromise — an attack where an adversary gains access to a legitimate email account and uses it to impersonate the owner, typically to redirect payments or steal sensitive data.
Conditional Access: Microsoft Entra ID policies that enforce login requirements — such as multi-factor authentication, device compliance, and location restrictions — before granting access to Microsoft 365 resources.
DLP (Data Loss Prevention): Microsoft Purview rules that detect and block sharing of sensitive data — such as Social Security numbers, account numbers, and loan data — outside the organization.
DMARC / DKIM / SPF: Email authentication protocols that prevent attackers from sending emails that appear to come from your organization's domain. SPF authorizes sending servers, DKIM adds cryptographic signatures, and DMARC sets the enforcement policy.
MFA: Multi-Factor Authentication — requiring two or more verification methods (password plus a phone prompt, hardware key, or biometric) to sign in.
RDP: Remote Desktop Protocol — a Microsoft protocol for remote access to Windows computers. Exposed RDP is a top ransomware entry point.
Sensitivity Labels: Microsoft Purview classifications applied to documents and emails that enforce encryption, restrict sharing, and apply watermarks based on content sensitivity.
SOC 2 Type II: An independent audit verifying that a service provider's security controls are designed properly and operating effectively over a sustained period (typically 6-12 months).