Principle Security

NCUA · Vendor Due Diligence

Their breach is your exam finding

Credit unions run on third parties — core processors, digital banking platforms, MSSPs, fintech integrations. NCUA expects documented, risk-tiered oversight of every one. Most credit unions have a spreadsheet; examiners want a program.

The expectation

Oversight that scales with criticality

NCUA guidance expects due diligence proportional to the relationship's risk: deep review for the core processor and anything touching member data, lighter touch for the landscaping contract. That means risk-tiering your vendor inventory by data access and operational criticality, defining what evidence each tier requires (SOC reports, security questionnaires, financials, incident-notification terms), and reviewing on a schedule you can evidence to an examiner, with the completed reviews on file.

NCUA's cyber incident notification rule (12 CFR 748.1(c), in effect since September 1, 2023) raised the stakes: a federally insured credit union must report a reportable cyber incident to NCUA as soon as possible and no later than 72 hours after it reasonably believes one has occurred, and that includes an incident at a third-party service provider that affects the credit union. Because the clock starts when you reasonably believe an incident has occurred, the practical risk is a vendor that tells you late or vaguely. Contracts and intake processes have to make sure you hear about vendor incidents fast enough, and with enough detail, to comply.

Our approach

A program your team can actually run

We inventory and tier your vendors, build the per-tier evidence requirements and review calendar, remediate the contract gaps that matter (notification clauses, right-to-audit, data handling), and stand up intake for vendor incidents. Then we size the ongoing operation to your staff — or run it for you through Resident Engineering.

How it runs

The engagement

Delivered fixed-scope, or operated continuously through our vCISO and Resident Engineering models.

What you get

  • Risk-tiered vendor inventory with per-tier evidence requirements
  • Review calendar with documented completions — examiner-ready
  • Contract gap analysis: incident notification, audit rights, data handling
  • Vendor incident intake wired to your 72-hour reporting process

  1. Inventory & tier (Weeks 1–2)

     Every third party catalogued and risk-tiered by data access and operational criticality.

  2. Evidence & calendar (Weeks 3–4)

     Per-tier requirements set; the review schedule built, with the first reviews of critical vendors completed so the calendar starts with evidence on file rather than a backlog.

  3. Contract remediation (Weeks 4–8)

     The clauses that matter fixed at renewal: notification windows, audit rights, data terms.

  4. Operate (Ongoing)

     Reviews execute on schedule with evidence filed — by your team, or ours.
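The mechanics behind steps 1 to 3, as an added example that is not Principle Security's own tooling: a small Python model that tiers a vendor inventory by data access and operational criticality, computes each vendor's next review date from its tier, and lists what an examiner would write up (missing evidence, overdue reviews, and a weak or missing incident-notification clause). The tier thresholds, per-tier evidence sets, review cadences, the 24-hour vendor notification target and the sample vendors are all assumptions constructed for the example; substitute the values from your own vendor-management policy.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Per-tier program rules. These values are assumptions for the example;
# take yours from your own vendor-management policy.
TIER_RULES = {
    1: {"evidence": {"SOC 2 Type II", "security questionnaire", "financials"}, "review_months": 12},
    2: {"evidence": {"SOC 2 Type II", "security questionnaire"}, "review_months": 12},
    3: {"evidence": {"security questionnaire"}, "review_months": 24},
    4: {"evidence": set(), "review_months": 36},
}
# Assumed policy target: a vendor must notify you within 24 hours so most of
# the 72-hour NCUA window is still available for your own triage and report.
MAX_NOTIFICATION_HOURS = 24
NOTIFICATION_CLAUSE_TIERS = {1, 2}


@dataclass
class Vendor:
    name: str
    member_data: bool            # stores or processes member data
    critical: bool               # an outage stops a member-facing service
    system_access: bool          # has credentials or connectivity into your environment
    evidence_on_file: Set[str] = field(default_factory=set)
    last_review: Optional[date] = None
    notification_hours: Optional[int] = None  # contractual window; None = no clause


def tier(v: Vendor) -> int:
    """Tier by data access and operational criticality; 1 is the most critical."""
    if v.member_data and v.critical:
        return 1
    if v.member_data or v.critical:
        return 2
    if v.system_access:
        return 3
    return 4


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with no third-party library; clamps the day to the 28th."""
    total = d.year * 12 + (d.month - 1) + months
    return date(total // 12, total % 12 + 1, min(d.day, 28))


def next_review_due(v: Vendor) -> Optional[date]:
    """None means no review has ever been completed for this vendor."""
    if v.last_review is None:
        return None
    return add_months(v.last_review, TIER_RULES[tier(v)]["review_months"])


def gaps(v: Vendor, today: date) -> List[str]:
    """Every finding an examiner could raise for this vendor, against the tier's rules."""
    t = tier(v)
    rules = TIER_RULES[t]
    found = []
    for item in sorted(rules["evidence"] - v.evidence_on_file):
        found.append(f"missing evidence: {item}")
    due = next_review_due(v)
    if due is None and rules["evidence"]:
        found.append("no review on record")
    elif due is not None and due < today:
        found.append(f"review overdue since {due.isoformat()}")
    if t in NOTIFICATION_CLAUSE_TIERS:
        if v.notification_hours is None:
            found.append("no incident-notification clause")
        elif v.notification_hours > MAX_NOTIFICATION_HOURS:
            found.append(f"notification window {v.notification_hours}h exceeds {MAX_NOTIFICATION_HOURS}h target")
    return found


# Constructed sample inventory: not real vendors, dates or contract terms.
INVENTORY = [
    Vendor("Core processor", True, True, True,
           {"SOC 2 Type II", "financials"}, date(2024, 3, 1), 72),
    Vendor("Digital banking platform", True, True, True,
           {"SOC 2 Type II", "security questionnaire", "financials"}, date(2025, 1, 15), 24),
    Vendor("MSSP", False, True, True,
           {"SOC 2 Type II", "security questionnaire"}, date(2025, 2, 1), None),
    Vendor("Landscaping", False, False, False),
]


def report(inventory=INVENTORY, today: date = date(2025, 6, 1)) -> Dict[str, List[str]]:
    """Vendor name -> findings, most critical tier first so the worst gaps lead the list."""
    return {v.name: gaps(v, today) for v in sorted(inventory, key=tier)}


if __name__ == "__main__":
    for v in sorted(INVENTORY, key=tier):
        print(f"[tier {tier(v)}] {v.name}: {gaps(v, date(2025, 6, 1)) or ['no findings']}")
```

The output of `report()` is the examiner-facing artifact: a per-vendor list of findings that is empty when the program is being run as designed. Feeding it the real inventory and a `today` of the next exam date shows which reviews will be overdue by then.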

Your next exam is already on the calendar.

A 45-minute conversation tells you where you stand — and what to fix first.