Fighting Fraud Requires Smarter Cybersecurity

In a post-CAT era, many credit unions are using the tool’s sunsetting as a catalyst to upgrade their cybersecurity posture.

Top-Level Takeaways

  • The NCUA is steering credit unions toward flexible, risk-informed cybersecurity tools. Forward-thinking credit unions are using the transition to strengthen resilience, modernize compliance strategies, and adopt real-time threat response capabilities.
  • Integrating cybersecurity with fraud prevention and enterprise risk is now a leadership imperative, not a suggestion.

Credit unions are facing a shift in how they evaluate cybersecurity risk. With the FFIEC’s Cybersecurity Assessment Tool (CAT) now sunset, the NCUA recommends member-owned financial cooperatives turn to other tools to assess their preparedness and satisfy examiners.

These include those from the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), along with the NCUA’s own Automated Cybersecurity Evaluation Tool (ACET).

These regularly updated tools help credit unions assess cybersecurity maturity at their own pace by guiding them as they measure their cyber hygiene, identify gaps, and prioritize mitigation efforts in a risk-informed way.

“We’re still maintaining ACET,” says Amanda Parkhill, deputy director in the NCUA’s Office of Examination and Insurance. “It’s based on CAT, but a little more targeted for smaller institutions.”

Recent updates to ACET reflect the sunsetting of CAT and align with expected changes from CISA. The NCUA expects to make more enhancements in the next year and beyond as tools and standards evolve in response to external threats.

Acronyms In Action: Credit Unions Adjust To New Realities

Suresh Renganathan, CTO, Teachers FCU

As credit unions adapt to the post-CAT era, many are using the transition as a catalyst to upgrade their cybersecurity posture.

At Teachers Federal Credit Union ($9.9B, Hauppauge, NY), chief technology officer Suresh Renganathan sees the regulatory shift as a strategic opportunity.

“The key is staying ahead of regulatory expectations while building genuine resilience against emerging threats, not just checking compliance boxes,” he says.

Dave Means, CIO, Seattle Credit Union

The big Long Island shop is aligning its program with its regulator’s 2025 Supervisory Priorities and the newly updated NIST Cybersecurity Framework 2.0. Focus areas include timely cyber incident reporting and bolstering third-party risk management — especially critical after a spike in vendor-related breaches. To stay nimble, the team has adopted automated, real-time compliance systems and runs regular tabletop exercises to keep incident response plans sharp, Renganathan says.

On the other side of the country, Seattle Credit Union ($1.1B, Seattle, WA) is leaning into ACET as a modern self-assessment framework.

“As the CAT tool is being sunsetted, we are adopting ACET at our credit union moving forward to ensure we continue to safely and soundly manage the credit union,” says Dave Means, chief information officer of the eight-branch cooperative headquartered in the SoDo neighborhood near downtown Seattle.

With its foundations in FFIEC guidance and NIST standards, ACET offers a familiar yet forward-looking structure for institutions to evaluate cybersecurity maturity, Means says.

Zachary Hill, SVP of Technology, Sunward FCU

For Sunward Federal Credit Union ($4.3M, Albuquerque, NM), the transition goes beyond tools — it’s a mindset shift. The credit union has fully adopted the NIST Cybersecurity Framework and paired it with a maturity model and enterprisewide risk strategy, says Zachary Hill, Sunward’s senior vice president of technology.

The New Mexico credit union, which rebranded from Sandia Laboratory FCU last fall, has adopted practices like threat modeling, purple teaming, and secure DevOps pipelines to blend compliance with real-world readiness, and the regulators and auditors apparently approve.

“The results speak for themselves,” Hill says. “We’ve hit high marks in our examination, audits, and cybersecurity KPIs, and we’ve transformed into a proactive team who can identify and squash risks quickly.”

Rethinking Risk And Compliance Priorities

Fraud risk and cybersecurity are increasingly interwoven, yet they remain distinct areas in most institutions. With the sunsetting of CAT, there’s no dramatic change in expectations, but there is a growing emphasis on broad risk integration, according to Parkhill.

Amanda Parkhill, Deputy Director of the Office of Examination and Insurance, NCUA

“You can continue to assess progress in all areas,” the NCUA deputy director says. “Then any changes in cybersecurity should be incorporated into the broader framework of risk assessment.”

Credit unions should also avoid seeing cybersecurity as simply checking off boxes on a list. The NCUA emphasizes a maturity-based approach, where institutions continuously improve preparedness in line with their risk profile. Parkhill adds a credit union might need to shift tools, but the core responsibility remains the same: understand risk and act accordingly.

As credit unions reassess their cyber tools, many are finding legacy systems are deeply ingrained in operations, making updates more resource-intensive. The NCUA acknowledges that balancing innovation and compliance is especially difficult for smaller institutions. Still, modernization is key.

“There’s always a learning curve,” Parkhill says. “Changing platforms is really cumbersome, and it’s so ingrained in what credit unions do.”

Breaking Down Silos Between Fraud And Cyber Teams

Cybersecurity and fraud prevention often fall under different teams, especially in larger organizations, but it is vital that credit unions build intentional bridges between those functions. The NCUA stresses such coordination and communication are non-negotiable.

“It’s the age-old answer — make sure the right people are at the table,” Parkhill says.

That’s because a strong cybersecurity framework means nothing if fraud prevention teams aren’t informed of cyber incidents or trends that signal potential risk. Likewise, fraud detection teams might spot suspicious activity to flag for IT or cybersecurity review. These teams must work in sync — especially in real time when dealing with emerging threats.

Parkhill puts the responsibility squarely on leadership.

“It’s incumbent on the board and management to ensure communication happens,” she says.

That means creating routine processes for sharing data, intelligence, and trend insights across departments, even in resource-strapped environments. Without this cross-pollination, blind spots remain.

Tools, Resources, And What’s Ahead

To support these efforts, the NCUA offers a cybersecurity resources page, which includes links to ACET, regulatory guidance, and tools from agencies like CISA and NIST. This centralized hub is a good starting point for credit union managers looking to benchmark their institutions against current best practices and federal expectations.

The NCUA doesn’t endorse specific vendors or consultants. Whether to seek third-party help is up to each credit union, based on its internal capacity and risk profile.

“Institutions are in the best position to know when and what assistance they might need,” Parkhill says.

That flexibility helps credit unions tailor their response based on real-world demands.

Looking ahead, the NCUA plans to publish updated supervisory priorities by the end of this year or early next.

“Cybersecurity is something everyone identifies as a growing risk,” Parkhill says. “We want to ensure credit unions remain resilient, and having a strong cybersecurity framework is part of that.”

As compliance burdens grow, updated tools and guidance aim to strike a balance between oversight and operational reality.

October 6, 2025
CreditUnions.com