NCUA · Vendor Due Diligence
Their breach is your exam finding
Credit unions run on third parties — core processors, digital banking platforms, MSSPs, fintech integrations. NCUA expects documented, risk-tiered oversight of every one. Most credit unions have a spreadsheet; examiners want a program.
The expectation
Oversight that scales with criticality
NCUA guidance expects due diligence proportional to the relationship's risk: deep review for the core processor and anything touching member data, lighter touch for the landscaping contract. That means risk-tiering your vendor inventory, defining what evidence each tier requires (SOC reports, security questionnaires, financials, incident-notification terms), and reviewing on a schedule you can prove.
The 72-hour incident reporting rule raised the stakes: a substantial cyber incident at your provider can trigger your reporting obligation. Contracts and intake processes have to make sure you hear about vendor incidents fast enough to comply.
Our approach
A program your team can actually run
We inventory and tier your vendors, build the per-tier evidence requirements and review calendar, remediate the contract gaps that matter (notification clauses, right-to-audit, data handling), and stand up intake for vendor incidents. Then we size the ongoing operation to your staff — or run it for you through Resident Engineering.
How it runs
The engagement
Delivered fixed-scope, or operated continuously through our vCISO and Resident Engineering models.
What you get
- Risk-tiered vendor inventory with per-tier evidence requirements
- Review calendar with documented completions — examiner-ready
- Contract gap analysis: incident notification, audit rights, data handling
- Vendor incident intake wired to your 72-hour reporting process
- 01 Inventory & tier (Weeks 1–2): Every third party catalogued and risk-tiered by data access and operational criticality.
- 02 Evidence & calendar (Weeks 3–4): Per-tier requirements set; the review schedule built and backfilled for critical vendors.
- 03 Contract remediation (Weeks 4–8): The clauses that matter fixed at renewal: notification windows, audit rights, data terms.
- 04 Operate (Ongoing): Reviews execute on schedule with evidence filed — by your team, or ours.
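As an added illustration (not Principle Security's code, and not NCUA text), a small Python model of the program described above: vendors are tiered by data access and criticality, each tier carries an evidence list and review cadence, overdue or missing evidence is flagged, and a vendor-reported incident gets its 72-hour reporting deadline. The tier thresholds, cadences, evidence items and the two sample vendors are assumptions made for the example; only the 72-hour window comes from the rule.

```python
# Added example (not Principle Security's code): tier rules, cadences and
# evidence lists below are illustrative assumptions, not NCUA text.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
TIER_EVIDENCE = {  # tier -> (review cadence in days, evidence per cycle)
    1: (365, {"SOC 2 Type II", "security questionnaire", "financials",
              "incident-notification clause", "right-to-audit clause"}),
    2: (365, {"security questionnaire", "incident-notification clause"}),
    3: (730, {"contract on file"}),
}
REPORTING_WINDOW = timedelta(hours=72)  # NCUA cyber incident reporting rule

@dataclass
class Vendor:
    name: str
    data_access: str   # "member_pii" | "internal" | "none"
    criticality: str   # "core" | "important" | "low"
    evidence: dict = field(default_factory=dict)  # item -> date collected

def assign_tier(v: Vendor) -> int:
    """Tier 1 if it touches member data or is operationally core."""
    if v.data_access == "member_pii" or v.criticality == "core":
        return 1
    if v.data_access == "internal" or v.criticality == "important":
        return 2
    return 3

def review_gaps(v: Vendor, as_of: datetime) -> dict:
    """Map each required evidence item to 'missing' or 'overdue'."""
    cadence, required = TIER_EVIDENCE[assign_tier(v)]
    gaps = {}
    for item in sorted(required):
        collected = v.evidence.get(item)
        if collected is None:
            gaps[item] = "missing"
        elif as_of - collected > timedelta(days=cadence):
            gaps[item] = "overdue"
    return gaps

def reporting_deadline(learned_at: datetime) -> datetime:
    """72-hour clock starts when the credit union learns of the incident."""
    return learned_at + REPORTING_WINDOW

INVENTORY = [  # constructed sample inventory: core processor, low-risk contract
    Vendor("CoreProc Inc", "member_pii", "core",
           {"SOC 2 Type II": datetime(2023, 1, 15, tzinfo=timezone.utc),
            "security questionnaire": datetime(2024, 9, 1, tzinfo=timezone.utc)}),
    Vendor("LawnCare LLC", "none", "low",
           {"contract on file": datetime(2024, 3, 1, tzinfo=timezone.utc)}),
]
```

Running `review_gaps` over the inventory on a review date yields the examiner-facing list of what each vendor's tier still lacks; `reporting_deadline` is the timestamp the intake process must beat.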
Your next exam is already on the calendar.
A 45-minute conversation tells you where you stand — and what to fix first.
Also from Principle Security
- ISE / ACET Readiness: Walk into the Information Security Examination with your maturity already measured, gaps a…
- NCUA program, Part 748 Program: The written, board-approved security program 12 CFR 748 Appendix A requires — designed aro…
- Case study, From no CISO to examiner-ready: A federal credit union's four-quarter program, delivered by resident engineers.