Principle Security

Original research · Principle Security

The Credit Union Cyber Incident Landscape: 2026 Edition

What actually happens to credit unions in a cyber year — assembled from NCUA incident-reporting data, examination findings, and supervisory priorities. The headline: the credit union cyber problem is overwhelmingly a vendor problem.

  • 1,072 incident reports in the rule's first year (Sept 2023 – Aug 2024, under NCUA's 72-hour cyber incident notification rule)
  • 69% traced to third parties: 742 of 1,072 reports originated with vendors, not the credit unions themselves
  • 13 vendor events behind those 742 reports; the two largest alone touched 434 credit unions

Finding 1

Sixty-nine percent of incident reports weren't about the credit union at all

In the first twelve months of NCUA's 72-hour cyber incident notification rule (September 1, 2023 – August 31, 2024), federally insured credit unions filed 1,072 incident reports. Seven in ten — 742 reports — stemmed from incidents at third-party service providers: core processors, hosting providers, and technology vendors, not the credit unions' own systems.

Incident reports by category — first year of the rule

Third party 742 reports · 69.2%
ATM / ITM 118 reports · 11%
Other 101 reports · 9.4%
Email compromise 95 reports · 8.9%
Ransomware 16 reports · 1.5%

Source: NCUA Cybersecurity Board Briefing, October 24, 2024. Reporting period Sept 1, 2023 – Aug 31, 2024.

Finding 2

Thirteen vendor events. Two of them hit 434 credit unions.

Those 742 third-party reports collapse into just 13 distinct vendor events. The largest single event generated reports from 234 credit unions; the second largest, 200. Five events account for 78% of all vendor-related reports.

This is concentration risk in its purest form: when one shared provider stumbles, hundreds of institutions file the same 72-hour report on the same day — and their members feel the same outage. The average vendor event in year one touched 57 credit unions.

Credit unions impacted per vendor event

Largest event 234 credit unions
2nd largest 200 credit unions
3rd largest 55 credit unions
4th largest 50 credit unions
5th largest 40 credit unions
Remaining 8 events 163 credit unions

Counts may include credit unions impacted by multiple events. Source: NCUA, Oct 2024.

Finding 3

Ransomware is loud. Vendors are lethal.

Ransomware dominates security headlines — and produced just 16 of 1,072 reports (1.5%). Credit unions filed 46 times more vendor-related reports than ransomware reports. The stakes per ransomware event remain brutal (FBI/CISA put typical demands at $1–10 million, and financial services ranks 5th most-targeted among the 16 critical infrastructure sectors) — but the frequency story examiners see is vendors, ATM/ITM fraud, and email compromise.

Strip out third-party events and the credit unions' own incidents split largely between ATM/ITM cyber-fraud (36%) and business email compromise (29%) — operational fraud surfaces, not exotic intrusions.

Finding 4

Examiners find strong tools — and weak programs

Across four years of Information Security Examinations, NCUA reports consistent strengths in anti-malware, patching, access controls, policies, and network security controls — the things you can buy. Its named "opportunities for improvement" are information security risk assessments, business continuity programs, incident response programs, and third-party vendor examination — the things you have to operate.

Read together with Finding 1, the gap is coherent: the sector's biggest reported exposure (vendors) maps directly to one of its weakest examined disciplines (vendor oversight).

The trendline continues: NCUA's 2026 supervisory priorities (Letter 26-CU-01) put payment-system security squarely in examiners' scope — "governance and risk assessment frameworks, vendor management and oversight, security controls to protect member data" — and NCUA's own cybersecurity briefing urges boards to provide for recurring training, approve the information security program, and ensure effective incident response planning.

Finding 5

Reporting volume is normalizing — the risk isn't

NCUA's 2025 resilience report counts 539 incidents for the twelve months ending April 30, 2025 — roughly half the rule's first-year volume. The likely drivers: institutions calibrated what "reportable" means after an over-inclusive first year, and no vendor event matched the scale of year one's largest. Notably, NCUA assessed that no reported incident was systemic to the credit union system — a system that processed over $86 trillion in transactions in 2024.

More than 300 credit unions now use CISA's free Cyber Hygiene vulnerability-scanning services. That is encouraging adoption, set against roughly 4,400 federally insured institutions.

What to do with this

Five moves the data argues for

  • Risk-tier your vendor inventory and put real evidence requirements on the critical tier — 69% of the sector's incident reports started there.
  • Wire vendor-incident intake into your 72-hour reporting path; most of the reports you'll ever file will originate with a provider's outage notice, not your own SOC.
  • Rehearse the reporting decision before the clock starts — criteria, templates, and a tabletop beat improvisation at 2 a.m.
  • Fund the programs, not just the tools: risk assessment, business continuity, and incident response are where examinations consistently find gaps.
  • Get recurring board cybersecurity training on the calendar — NCUA's own guidance calls for it, and the 2026 letter is addressed to your board.

Methodology & citation

Sources and how to cite

All incident figures are drawn from public NCUA sources: the NCUA Cybersecurity Board Briefing (October 24, 2024) for first-year rule data (Sept 1, 2023 – Aug 31, 2024) and category/event breakdowns; the 2025 Cybersecurity and Credit Union System Resilience Report to Congress (period May 1, 2024 – April 30, 2025); NCUA's 2026 Supervisory Priorities letter (January 14, 2026); FBI IC3 / CISA advisories for sector context; and NCUA quarterly credit union data for the approximate count of federally insured institutions (~4,400). Percentages computed by Principle Security; event-impact counts may include credit unions affected by multiple events, per NCUA's own caveat.

Principle Security, "The Credit Union Cyber Incident Landscape — 2026 Edition," July 2026. https://www.principlesec.com/research/credit-union-cyber-incident-landscape

Journalists and researchers: we're glad to provide underlying calculations or commentary — contact us or email info@principlesec.com.
