Risk and Resilience
Created by Steven J. Berkowitz | Research Assistant: Claude AI
Subscribe to my newsletter and articles on LinkedIn: https://www.linkedin.com/newsletters/7392939880244355072/
or my free Substack:
Examiners aren’t just checking your systems anymore; instead, they’re checking your board. For the first time, NCUA examiners are formally assessing whether board members can demonstrate active comprehension of cybersecurity risk. Not a summary read. Not a nod in a committee meeting. Real, documented, curriculum-backed understanding.
Add AI-driven fraud, payment system legal uncertainty, and tightening vendor oversight requirements, and the governance stakes for credit union boards have never been higher.
Board Cybersecurity Oversight and Payment System Integrity: What 2026 Examiners Assess
Two developments illustrate the intersection of cybersecurity, payment system risk, and legal exposure in ways that demand board level attention.
On cybersecurity, a compliance guide that First Call published on May 6, 2026, synthesizing NCUA 2026 supervisory priorities and FFIEC guidance, identifies the most operationally significant change in examiner expectations this cycle: for the first time, annual board cybersecurity training is a named and assessed criterion. NCUA examiners now expect board members to demonstrate active comprehension of cybersecurity risk, not passive awareness through management summaries. Examiners look for evidence of structured cybersecurity education, documentation of the curriculum, and directors' capacity to ask substantive oversight questions. IT risk assessments are evaluated against eight specific criteria, and a gap in any one of them signals incomplete governance. Incident response plans must include scenario-level playbooks for named threat types: ransomware, business email compromise, distributed denial of service attacks, data breaches, insider threats, and vendor incidents. Generic response language does not satisfy the standard. Third-party vendor management receives equally rigorous scrutiny. The mandatory 72-hour NCUA cyber incident notification requirement extends to incidents at vendors that affect the credit union, and vendor contracts must reflect that obligation.
On payment system risk and fraud, America’s Credit Unions reported on May 5, 2026, that credit union advocates engaged a House Homeland Security Committee member on the rising cost of fraud and the role that interchange revenue plays in funding the fraud prevention infrastructure that protects members. The discussion also addressed the dual nature of AI: a tool for operational improvement and a weapon in the hands of bad actors who now deploy it to attack payment systems, generate synthetic identities, and conduct sophisticated fraud campaigns. The combination of AI-driven fraud attacks, payment system legal uncertainty, and elevated NCUA examiner expectations for cybersecurity governance creates a risk environment that demands integrated board level attention rather than compartmentalized management response.
Actions to Consider
• Schedule a board cybersecurity education session before your next NCUA examination and document the curriculum and participant attendance.
• Review your incident response plan against the specific scenario playbooks NCUA requires and close any gaps before examination.
• Audit all vendor contracts for cyber incident notification obligations and align vendor agreements with the 72-hour regulatory reporting requirement.
Sources: First Call, May 6, 2026, https://firstsolution.com/ncua-ffiec-it-requirements-credit-unions-2026/
America’s Credit Unions, May 5, 2026, https://www.americascreditunions.org/news-media/news/credit-unions-host-supporter-rep-fong-discussion