An official website of the United States government
NCUA recognizes the importance of cybersecurity and using the web safely and securely.
The information on this page is offered as resources for research and informational purposes. It may not reflect all of the requirements or guidance in this area and should not be construed as requirements except as noted. The NCUA does not endorse any vendor, service, or product.
When you access the links below, you might leave the NCUA’s site.
NCUA Regulations and Guidance
Examiner’s Guide (opens new window)
The Examiner's Guide sets out guidance for an examiner on the NCUA's examination and supervision of credit unions. The primary goal is to ensure the overall safety and soundness of the credit union system via a risk-focused examination and supervision program. Chapter 6 provides guidance on information systems and technology.
AIRES IT Exam Questionnaires
The NCUA has updated its IT examination questionnaires to facilitate an increased risk focused review of a credit union’s information technology environment. The updated IT questionnaire workbook consists of two tiers: Tier I questionnaires focuses on the highest priority review areas, including electronic banking, while Tier II questionnaires are designed to address more technical network, security, and related technology issues. The new IT questionnaires now include a second workbook with two questionnaires for generalist examiners to review credit union information security programs, electronic banking security, and website compliance. Please note that most questions include comments to provide additional context or terminology for better comprehension.
Federal Government Requirements and Guidelines
FFIEC Cybersecurity Assessment Tool Frequently Asked Questions (opens new window)
The NCUA expects credit unions to have the appropriate procedures in place to anticipate, identify, and mitigate cybersecurity risks.Specific expectations can be found in the body and appendices of Part 748 of NCUA regulations (opens new window)as well as the FFIEC IT Examination Handbooks. FFIEC’s cybersecurity assessment tool is provided to help them assess their level of preparedness, and NCUA examiners will use the tool as a guide for assessing cybersecurity risks in credit unions. Credit unions may choose whatever approach they feel appropriate to conduct their individual assessments, but the assessment tool would still be a useful guide. FFIEC has posted frequently asked questions about the assessment tool here.
FFIEC Cybersecurity Assessment Tool (opens new window)
The FFIEC has released a new tool to help credit unions better evaluate their level of cybersecurity preparedness.
NIST Special Publications (opens new window)
Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
Security and Privacy Controls for Federal Information Systems and Organizations (opens new window)
Information Sharing Forums on Cyber Threats
Financial Services Information Sharing and Analysis Center (opens new window)
Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998's Presidential Directive 63. That directive - later updated by 2003's Homeland Security Presidential Directive 7 - mandated that the public and private sectors share information about physical and cybersecurity threats and vulnerabilities to help protect the U.S. critical infrastructure.
National Credit Union Information Sharing Analysis Organization (opens new window)
Following the signing of the Cybersecurity Information Sharing Act (CISA) into law, the National Credit Union ISAO was established in 2016 to address the unique needs of the nation’s Credit Unions, advancing cyber resilience through information sharing, education, operational guidance, and regulatory compliance.
FFIEC Cybersecurity Assessment General Observations (opens new window)
Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (opens new window)
United States Computer Emergency Readiness Team (US-CERT) (opens new window)
The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cybersecurity – collaborative, agile, and responsive in a dynamic and complex environment.
FBI Infragard (opens new window)
InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.
Best Practices
Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook Infobase
The FFIEC Information Technology Examination Handbook is comprised of individual booklets. These booklets represent a series of updates to the existing 1996 FFIEC Information Systems Examination Handbook. They address significant changes in the financial institution technology since 1996.They incorporate changes in technology-related risks and controls and follow a risk-based approach to evaluating risk management practices. The booklets provide valuable information to both examiners and financial institution management.
IT Booklets (opens new window)
Resources (opens new window)
Twenty Critical Security Controls for Effective Cyber Defense (opens new window)
The Critical Security Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works" - security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness. Standardization and automation is another top priority, to gain operational efficiencies while also improving effectiveness. The US State Department has previously demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.
SANS Reading Room Best Practices (opens new window)
The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals from auditors and network administrators, to chief information security officers are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.
Technical Guide to Information Security Testing and Assessment (opens new window)
Privacy & Protecting Personally Identifiable Information
Additional Resources
Resources
FAQs on Ransomware and Supply Chain Risk Management
Ransomware Information (opens new window)
Payment Card Industry (PCI) (opens new window)
FFIEC InfoBase Booklets
Audit (opens new window)
Business Continuity Planning (opens new window)
Development and Acquisition (opens new window)
E-Banking (opens new window)
Information Security (opens new window)
Management (opens new window)
Operations (opens new window)
Outsourcing Technology Services (opens new window)
Retail Payment Systems (opens new window)
Supervision of Technology Service Providers (TSP) (opens new window)
Wholesale Payment Systems (opens new window)
FFIEC InfoBase NCUA Resources
Audit (opens new window)
Business Continuity Planning (opens new window)
E-banking (opens new window)
Information Security (opens new window)
Management (opens new window)
Outsourcing Technology Services (opens new window)
Retail Payment Systems (opens new window)
Federal Reserve Financial Services – Federal Reserve Bank Operating Circulars (opens new window)
Federal Reserve System - Regulations (opens new window)
- 12 CFR 205 – Electronic Fund Transfers (Regulation E)
- 12 CFR 210 – Collection of Checks and Other Items by Federal Reserve Banks and Funds Transfers through Fedwire (Regulation J)
- 12 CFR 229 – Availability of Funds and Collection of Checks (Regulation CC) (Check Clearing for the 21st Century Act)
- 12 CFR 233 – Prohibition on Funding of Unlawful Internet Gambling (Regulation GG)
- 31 CFR Chapter X - Financial Crimes Enforcement Network, Department of the Treasury (Bank Secrecy Act)