9 min read
NCUA Cybersecurity Exam Prep 2026: What RISOs Say Examiners Look For
Lucas Hathaway
01 May 2026
Quick Answer: NCUA examiners prioritize a mature, quantitative risk assessment methodology above all else, regardless of your credit union's asset size. Beyond that, common deficiencies include insufficient MFA deployment (especially in cloud environments), unconstrained PowerShell configurations, weak vendor incident response alignment, lack of AI governance policies, and inadequate board reporting. The institutions that consistently pass exams with no findings share one trait: they invest in research and technical guidance rather than trying to figure everything out alone.
Why This Matters Right Now
Every year, NCUA Regional Information Security Officers examine credit unions across every asset size, from $50 million community institutions to $13 billion enterprises. The deficiencies they find aren't abstract compliance gaps. They're the same vulnerabilities that lead to ransomware attacks, data breaches, and regulatory actions.
We recently hosted a panel with two NCUA RISOs, Charles Voytan (27 years with the agency) and Murray Voight (who spent years at both the NCUA and a credit union before returning to the agency). Between them, they've examined hundreds of institutions. The insights they shared aren't theoretical. They're based on what they actually write up, what they let slide, and what separates the credit unions that pass clean from those that don't.
Here's what they told us.
The One Thing Examiners Care About Most: Risk Assessment Maturity
If there's a single message both RISOs hammered home, it was this: the most important thing any credit union can do, irrespective of asset size, is develop the most mature risk assessment methodology and process possible.
Charles called it "foundational." Murray described it as the "roadmap to how you implement your security controls."
But they weren't talking about a basic spreadsheet with high, medium, and low ratings. Both RISOs emphasized quantitative risk assessment, the practice of expressing cyber risk in dollar terms rather than color-coded categories.
Murray explained why it matters for board communication: telling your board that a risk could cost $1 million or $10 million gets attention in a way that "high risk" simply never will. When risk is expressed financially, it becomes something board members can act on because it matches the language they use for every other business decision.
Charles went further, recommending the book How to Measure Anything in Cybersecurity Risk by Douglas Hubbard and Richard Seiersen as essential reading. He explained that quantifying risk lets you calculate ROI on security investments and make a case to the people who sign the checks. It's impossible to eliminate risk entirely, but choosing the investments with the greatest impact on risk reduction starts with understanding the numbers.
Your Action Items:
- Evaluate your current risk assessment methodology. If you're still using qualitative scales (high/medium/low), begin exploring quantitative approaches that express risk in dollars.
- Calculate potential loss exposure for your top threats and present these figures to your board alongside investment recommendations.
- Implement a formal risk acceptance process with board-level sign-off. Examiners specifically look for documented risk acceptance when controls aren't fully implemented.
- Build a risk register that identifies threats, assesses likelihood, calculates inherent risk, maps controls, and determines residual risk.
Key Takeaway: High/medium/low risk ratings are subjective and don't drive action. Putting a dollar figure on your risk exposure transforms board conversations from compliance checkboxes into investment decisions.
Access Controls: The Top Deficiency in 2025
Charles identified access controls as the number one deficiency across the Western region in 2025, a finding he noted aligns with the Verizon Data Breach Investigations Report.
The specific failures he flagged break down into several interconnected areas.
MFA Deployment Gaps
Insufficient MFA deployment in cloud environments was the most common finding. For Microsoft 365 specifically, the recommended control is MFA for everyone, regardless of where they're connecting from.
At a minimum, examiners want to see MFA on all privileged accounts. Any administrator in Active Directory should have some type of multi-factor authentication. While the requirements get more nuanced for general users on low-risk assets, the direction is clear: MFA everywhere is the goal, and anything less requires a documented risk acceptance.
On the question of phishing-resistant vs. standard MFA, Charles was pragmatic. Any MFA is better than none, though the industry consensus has moved beyond SMS-based verification. The right answer depends on your risk assessment and the assets you're protecting.
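The check below is an added example, not code from the panel or from the NCUA. It reports MFA registration for every account Entra ID flags as an administrator, which is the minimum the RISOs said they expect, and separates phishing-resistant methods from SMS and voice. It assumes the Microsoft.Graph PowerShell SDK and a connected session with the permissions shown; the method names are the strings Graph returns in the registration-details report, and the grouping of those names into "phishing-resistant" and "phone-based" is this example's own.

```powershell
# Added example, not code from the panel or NCUA. Read-only report of MFA registration
# for every account Entra ID flags as an administrator. Assumes the Microsoft.Graph
# PowerShell SDK is installed and a session is connected with the permissions below
# (assumption: your tenant's consent policy may require an admin to grant them).
#   Install-Module Microsoft.Graph.Reports -Scope CurrentUser
#   Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# Method names as returned in methodsRegistered. The grouping is this example's own:
# FIDO2 and Windows Hello for Business count as phishing-resistant; SMS and voice
# are the methods the panel said the industry has moved past.
$phishingResistant = @('fido2SecurityKey', 'windowsHelloForBusiness')
$phoneBased        = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
$ssprOnly          = @('email', 'securityQuestion')   # usable for password reset, not MFA

function Get-AdminMfaPosture {
    # One row per user the report marks as holding a directory role.
    $admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { $_.IsAdmin }

    foreach ($u in $admins) {
        $methods    = @($u.MethodsRegistered)
        $mfaMethods = @($methods | Where-Object { $ssprOnly -notcontains $_ })
        $strength =
            if ($mfaMethods | Where-Object { $phishingResistant -contains $_ }) { 'PhishingResistant' }
            elseif ($u.IsMfaRegistered)                                          { 'Standard' }
            else                                                                 { 'None' }

        [pscustomobject]@{
            User          = $u.UserPrincipalName
            MfaRegistered = [bool]$u.IsMfaRegistered
            Strength      = $strength
            # True when the only MFA methods on file are SMS or voice.
            PhoneOnly     = ($mfaMethods.Count -gt 0) -and
                            -not ($mfaMethods | Where-Object { $phoneBased -notcontains $_ })
            Methods       = ($methods -join ', ')
        }
    }
}

$posture = Get-AdminMfaPosture

"Administrators with no MFA method registered:"
$posture | Where-Object { -not $_.MfaRegistered } | Format-Table User, Methods -AutoSize

"Administrators whose only MFA methods are SMS or voice:"
$posture | Where-Object { $_.PhoneOnly } | Format-Table User, Methods -AutoSize

"Summary by strongest registered method:"
$posture | Group-Object Strength | Select-Object Name, Count
```

Two caveats a practitioner should keep in mind. Registration is not enforcement: an administrator with a FIDO2 key on file can still sign in with a password alone unless a Conditional Access policy (or Security Defaults) requires MFA for that role, so pair this report with a review of those policies. And the report covers Entra ID only; domain administrators in on-premises Active Directory, which the RISOs also called out, need to be checked against whatever MFA product fronts AD logons.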
PowerShell Lockdown
This one surprised many attendees, but the data backs it up: approximately 80-90% of ransomware attacks use PowerShell at some stage of the intrusion. When examiners find PowerShell running in full language mode rather than constrained language mode, it becomes a conversation.
But constrained language mode is just the starting point, and it is only enforced reliably when an application control policy (AppLocker or WDAC) is active for scripts. Examiners want to see script allow listing (only authorized, digitally signed PowerShell scripts can run), activity logging (script block and module logging, ideally with transcription), and ideally Just Enough Administration (JEA) endpoints that limit which commands an authorized operator can run even in an approved session.
Application Allow Listing
With AI now being used to identify vulnerabilities and write exploit code at speed, the threat landscape around zero-day exploits has accelerated dramatically. Application allow listing, where only approved applications and scripts can execute in your environment, is becoming a baseline expectation rather than an advanced control.
Charles's framing was direct: anything that isn't on the approved list simply doesn't run. Combined with MFA and PowerShell restrictions, this approach dramatically reduces the attack surface.
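The audit script below is an added example, not code from the panel or from the NCUA, and it serves both the PowerShell lockdown and the application allow listing points above. It reads the state of each control the RISOs mentioned on a single Windows host (language mode, script block and module logging, transcription, execution policy, the legacy PowerShell 2.0 engine, and AppLocker script rules) and lists what an examiner would write up. The registry paths are the standard Group Policy locations for PowerShell; the wording of the findings is this example's own.

```powershell
# Added example (not the panel's or NCUA's code): read-only audit of a Windows host's
# PowerShell lockdown posture, covering the controls the RISOs said they look for.
# Run in an elevated Windows PowerShell 5.1 session. Registry paths are the standard
# Group Policy locations for PowerShell; a missing value means "not configured".

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$Name) { return $null }
    return [int]$item.$Name
}

function Get-PowerShellLockdownPosture {
    $r = [ordered]@{}

    # 1. Language mode of this session. FullLanguage is what examiners write up.
    $r.LanguageMode = $ExecutionContext.SessionState.LanguageMode.ToString()

    # 2. Logging policies: script block, module, and transcription.
    $r.ScriptBlockLogging = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
    $r.ModuleLogging      = (Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging')      -eq 1
    $r.Transcription      = (Get-PolicyValue 'Transcription'      'EnableTranscripting')      -eq 1

    # 3. Execution policy is not a security boundary, but AllSigned is the setting
    #    that matches "only digitally signed scripts run".
    $r.ExecutionPolicy = (Get-ExecutionPolicy -Scope LocalMachine).ToString()

    # 4. The PowerShell 2.0 engine lets an attacker downgrade past script block
    #    logging and constrained language mode; it should be removed.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    $r.PowerShellV2Engine = if ($v2) { $v2.State.ToString() } else { 'Unknown' }

    # 5. AppLocker script rules. Constrained language mode is only enforced reliably
    #    when an allow-listing policy (AppLocker or WDAC) is active for scripts.
    $r.AppLockerScriptRules = 'NotConfigured'
    try {
        $policy  = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $scripts = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Script' }
        if ($scripts) {
            $r.AppLockerScriptRules = "$($scripts.EnforcementMode) ($($scripts.Count) rules)"
        }
    } catch { }

    # Findings, worded the way they tend to appear in exam write-ups.
    $findings = @()
    if ($r.LanguageMode -eq 'FullLanguage')          { $findings += 'PowerShell runs in full language mode' }
    if (-not $r.ScriptBlockLogging)                  { $findings += 'Script block logging is not enabled' }
    if (-not $r.ModuleLogging)                       { $findings += 'Module logging is not enabled' }
    if ($r.PowerShellV2Engine -eq 'Enabled')         { $findings += 'PowerShell 2.0 engine is still enabled' }
    if ($r.AppLockerScriptRules -eq 'NotConfigured') { $findings += 'No AppLocker rules for scripts' }
    $r.Findings = $findings

    [pscustomobject]$r
}

Get-PowerShellLockdownPosture
```

Three things to know when reading the output. On Windows Server the 2.0 engine is a feature rather than an optional component, so check it with Get-WindowsFeature PowerShell-V2 instead. A WDAC policy will not show up under Get-AppLockerPolicy, so a host hardened with WDAC can report "No AppLocker rules for scripts" and still be in good shape; record which mechanism you use. And do not treat the __PSLockdownPolicy environment variable as a way to "turn on" constrained language mode: it is trivially reverted by anyone who can edit the environment, which is exactly the situation examiners are asking about.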
Microsoft 365 Security Scores
Examiners are looking at your Microsoft 365 Secure Score, your Entra identity secure score, and your Purview (data loss prevention) configuration. Charles reported seeing scores range from 29 to 98 across institutions he's examined.
The expectation isn't that you hit a specific number. It's that you've gone through each recommendation and made a deliberate decision: implement it, or document a risk acceptance for why you're not. Then you monitor the score periodically to make sure you haven't drifted.
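The script below is an added example, not code from the panel, the NCUA, or Microsoft. It turns the "decide, then monitor for drift" expectation into a repeatable check: it pulls the latest Secure Score through Microsoft Graph, lists the controls that currently earn zero points (each of which needs either an implementation or a documented risk acceptance), and compares every control against a baseline file written by the previous run so any regression is visible. It assumes the Microsoft.Graph.Security module and a session holding the permission shown; the baseline file location is an arbitrary choice.

```powershell
# Added example, not code from the panel, NCUA, or Microsoft. Pulls the latest Microsoft
# Secure Score through Graph, lists controls with no points (each needs an implement-or-
# risk-accept decision), and compares against a baseline saved by the previous run so
# drift shows up. Assumes Microsoft.Graph.Security is installed and the session holds
# SecurityEvents.Read.All (assumption: check your tenant's consent policy).
#   Install-Module Microsoft.Graph.Security -Scope CurrentUser
#   Connect-MgGraph -Scopes 'SecurityEvents.Read.All'
param([string]$BaselinePath = (Join-Path $env:USERPROFILE 'securescore-baseline.json'))

function Get-SecureScoreSnapshot {
    # One score record is produced per day; take the most recent of the last few.
    $latest = Get-MgSecuritySecureScore -Top 7 |
        Sort-Object CreatedDateTime -Descending | Select-Object -First 1
    $controls = [ordered]@{}
    foreach ($c in $latest.ControlScores) { $controls[$c.ControlName] = [double]$c.Score }
    [pscustomobject]@{
        Date     = $latest.CreatedDateTime
        Current  = [double]$latest.CurrentScore
        Max      = [double]$latest.MaxScore
        Controls = $controls
    }
}

function Compare-SecureScore {
    param($Baseline, $Now)
    # A regression is any control whose score fell since the baseline was written.
    foreach ($name in $Now.Controls.Keys) {
        $prop = $Baseline.Controls.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }          # control did not exist in the baseline
        $was = [double]$prop.Value
        if ($Now.Controls[$name] -lt $was) {
            [pscustomobject]@{ Control = $name; Was = $was; Now = $Now.Controls[$name] }
        }
    }
}

$now = Get-SecureScoreSnapshot
"Secure Score $($now.Current) of $($now.Max) as of $($now.Date)"

"Controls with zero points (implement, or document a risk acceptance):"
$now.Controls.GetEnumerator() | Where-Object { $_.Value -eq 0 } | Select-Object Key

if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $drift = @(Compare-SecureScore -Baseline $baseline -Now $now)
    if ($drift.Count -gt 0) { "Controls that regressed since $($baseline.Date):"; $drift | Format-Table -AutoSize }
    else                    { "No control regressed since $($baseline.Date)." }
} else {
    "No baseline at $BaselinePath; this run becomes the baseline."
}

# Refresh the baseline so the next run compares against this one.
$now | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
```

Schedule it monthly and keep the output with your risk register: a zero-point control that appears in the list month after month is fine only if there is a signed risk acceptance beside it. The script does not cover the Purview DLP configuration, which has no single score to track; review those policies by hand on the same cadence.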
Your Action Items:
- Audit MFA deployment across all cloud environments, especially Microsoft 365. Ensure all privileged accounts have MFA at minimum.
- Evaluate your PowerShell configuration. If it's running in full language mode, develop a plan to implement constrained language mode, script allow listing, and logging.
- Review your Microsoft 365 Secure Score, Entra score, and Purview configuration. Document a decision (implement or risk accept) for each recommendation.
- For any control you choose not to implement, create a formal risk acceptance document with compensating controls, a review timeline, and appropriate stakeholder sign-off.
Key Takeaway: Access control failures are the most common exam finding. Focus on MFA, PowerShell lockdown, and application allow listing as your highest-impact improvements.
Vendor Incident Response: The Gap Nobody Thinks About
Murray flagged vendor incident response alignment as one of the most persistent issues he encountered in 2025 exams. The problem isn't that credit unions lack incident response plans. Most have solid programs on their own side. The gap is in how those plans connect to critical vendors.
When a vendor that touches or has access to member information experiences a breach, examiners want to see clear answers to several questions: What are the notification expectations? What's the contractual obligation for the vendor to notify the credit union? How will the two organizations work together to manage the breach? Where does liability lie?
Murray emphasized that this needs to be addressed contractually before an incident occurs, not figured out during one. If your critical and high-risk vendors don't have incident response obligations built into their contracts, that's a finding waiting to happen.
Your Action Items:
- Review contracts with all critical and high-risk vendors for incident response notification requirements.
- Ensure vendor contracts specify notification timelines, cooperation obligations, and breach management expectations.
- Align your internal incident response program with vendor-specific response procedures.
- Conduct tabletop exercises that include vendor breach scenarios.
Key Takeaway: Your incident response plan is only as strong as its weakest vendor link. Build vendor breach response into your contracts and your exercises.
AI Governance: What Examiners Are Looking For Right Now
AI governance was a hot topic during the panel, and the RISO perspective was illuminating. Murray acknowledged openly that the NCUA has been "slow to catch up" on formal AI evaluation frameworks. But both examiners made clear that the foundational expectations haven't changed just because the technology is new.
The Basics Still Apply
Charles said the first thing he looks for is whether the credit union has some type of AI policy in place. Beyond that, the standard requirements still hold: risk assessments, access controls, data mapping, and understanding who has access to what.
Murray broke AI risk into two categories that credit unions need to address separately. First, there's vendor AI: the AI features being bundled into products you already use. How is your IT team vetting those features? What security controls surround those products? Second, there's internal AI: tools and capabilities the credit union implements directly. This requires training, controlled rollouts, and careful monitoring.
The Use Case Approach
Charles emphasized thinking in use cases rather than treating AI as a monolithic risk. Each AI implementation has different costs, different risk profiles, and different control requirements. He also flagged token costs as a practical concern that many credit unions aren't tracking, noting that cost variances between AI vendors are significant.
His advice was blunt: take baby steps. About 80% of AI implementations won't go as planned initially. There's a steep learning curve, and going too fast creates more risk than it mitigates.
AI as an Equalizer for Smaller Institutions
Both RISOs acknowledged a positive development: AI is becoming a great equalizer for smaller credit unions that historically couldn't afford access to expensive research bodies or dedicated security leadership. However, Murray cautioned that relying entirely on vendors to manage AI for you actually increases risk. The institutions that do best invest in developing internal expertise.
Your Action Items:
- Develop an AI-specific policy if you don't have one. This is the first thing examiners look for.
- Conduct a risk assessment for every AI use case, both vendor-provided AI features and internally implemented tools.
- Map where AI touches your data, who has access, and what permissions AI systems require on your network.
- Implement a phased rollout approach: start with a small segment of staff, train them, evaluate results, then expand.
- Track AI-related costs, including token costs, to avoid budget surprises from vendor implementations.
Key Takeaway: Examiners don't have a single required AI framework yet, but they absolutely expect policies, risk assessments, access controls, and data mapping. Get ahead of this before your next exam.
Board Reporting: How to Communicate Risk Effectively
The panel's final topic addressed two perennial questions: where should security sit in the organization, and what should be reported to the board?
Organizational Independence
Both RISOs emphasized that information security needs enough independence to make honest assessments. Charles asked a pointed question: if the CISO reports to the CIO, and the CIO writes the CISO's performance review, is that CISO really going to call out problems in IT operations?
At minimum, examiners want to see a dotted line from information security to an oversight committee with a board member on it. The ideal structure places the CISO under enterprise risk management rather than IT. Murray confirmed that recent exams show this shift is actually happening, with security officers being moved out from under the CIO and into internal audit or risk management functions.
What the Board Needs to See
Murray outlined what effective board reporting looks like: a summary of IT practices, risk assessment results, testing outcomes, training status, and the security controls in place. This should be communicated at least annually (the NCUA requirement under Part 748 of its rules), though many institutions break it into monthly or quarterly reports.
He highlighted two goals for these reports. First, the IT and security team gets to highlight their accomplishments. Second, and more importantly, they get to flag areas that need development and investment, backed by the testing data and risk assessments that justify the request.
The most effective technique? Translate everything into dollar amounts. Murray reiterated that when you can tell a board that may not be technically savvy that a particular risk could cost the institution millions, it grabs attention and drives action in a way that technical jargon never will.
Your Action Items:
- Evaluate your security function's reporting structure. If the CISO reports directly to the CIO with no independent oversight, consider restructuring or adding a dotted-line reporting relationship.
- Ensure board reports include risk assessment results expressed in financial terms, not just qualitative ratings.
- Provide the board with a roadmap showing recommended investments and their projected risk reduction, framed as ROI.
- Keep board reporting consistent in format. Add technical detail in appendices rather than changing the core report structure.
Key Takeaway: Boards understand dollars. Translate your risk findings and investment recommendations into financial language, and you'll get both the attention and the resources your security program needs.
Advice by Asset Size: One Standard, Different Resources
One of the most practical segments of the panel addressed how exam expectations vary by institution size. Murray and Charles examined credit unions from $50 million all the way up to $13 billion in 2025, and each end of the spectrum presents unique challenges.
For smaller institutions, the challenge is resources and skill sets. They may not have the budget for advanced solutions like privileged access management platforms or dedicated security staff. For these credit unions, examiners focus on strong internal controls: are employees set up correctly in core systems? Are access privileges limited to what each role actually needs? Are access lists reviewed and updated regularly as employees come and go?
For larger institutions, the challenge shifts to complexity. They have sophisticated systems and broad service offerings, which means more attack surface to manage and deeper configurations to validate. Examiners spend more time evaluating whether controls like access management and cloud security are configured correctly across a sprawling environment.
But regardless of size, the foundational expectation is the same: a mature risk assessment process, documented risk acceptance when controls can't be fully implemented, and board-level awareness of the institution's risk posture.
Key Takeaway: Your asset size determines your resources, not your obligations. Every credit union needs a mature risk assessment, documented risk acceptance, and board engagement. The tools may differ; the standard doesn't.
Key Takeaways: What Clean Exams Have in Common
- Risk assessment maturity is the foundation. Quantitative methods that express risk in dollars outperform qualitative high/medium/low scales at every level.
- Access controls are the top finding. MFA in cloud environments, PowerShell lockdown, and application allow listing are where examiners focus first.
- Vendor incident response needs contractual alignment. Your plan means nothing if your critical vendors aren't obligated to notify and cooperate.
- AI governance starts with the basics. Policy, risk assessment, access controls, and data mapping. Frameworks can come later.
- Board reporting must speak in dollars. Financial language drives decisions. Technical language drives glazed eyes.
- Document your risk acceptance decisions. When you can't implement a control, document why, what your compensating controls are, and get board sign-off.
- Invest in research. The consistent differentiator between clean exams and problem exams is whether the institution taps into external research and technical guidance rather than trying to figure everything out internally.
Final Takeaway
The credit unions that consistently pass exams with minimal or no findings aren't the ones with the biggest budgets. They're the ones with the most mature risk assessment processes, the most deliberate approach to documenting and accepting risk, and the strongest connection between their security program and their board's understanding of it.
As Charles put it: the board is accountable, and accountability cannot be delegated. Every control decision, every risk acceptance, and every investment recommendation should trace back to that principle.
The good news? The tools to get there are more accessible than ever, whether that's quantitative risk assessment platforms, AI-augmented research, or virtual CISO services. The barrier isn't technology. It's intentionality.
Take the Next Step
Curious what your cyber risk looks like in dollar terms? Our free cyber risk assessment uses quantitative metrics to show your actual risk exposure, not just color-coded heat maps.
An Examiner-Approved Cyber Risk Model
Start Quantifying Your Risk In Dollars Today