NCUA's 2025 Supervisory Priorities: What Every Credit Union Needs to Know About Business Continuity

The NCUA's 2025 supervisory priorities place cybersecurity, business continuity, and the 72-hour incident reporting rule at the forefront. Here's what credit unions must do to stay compliant.

Introduction

The National Credit Union Administration has spoken, and its 2025 supervisory priorities carry a clear message: business continuity and cybersecurity are no longer optional considerations—they're examination essentials. With loan delinquencies reaching their highest levels in over a decade and cyberattacks against financial institutions growing more frequent and sophisticated, the NCUA is sharpening its focus on how credit unions prepare for and respond to disruptions.

For credit union leaders, understanding these priorities isn't just about passing your next examination—it's about protecting your members, safeguarding your institution's reputation, and ensuring operational resilience in an increasingly volatile environment. This guide breaks down what you need to know and what actions to take before examiners arrive.

The Four Pillars of NCUA's 2025 Supervisory Focus

The NCUA's Letter 25-CU-01, released in January 2025, outlines four critical areas that will receive heightened examiner attention throughout the year. Credit risk tops the list as loan performance continues to deteriorate, with delinquency rates reaching their highest point since 2013 and charge-off rates hitting levels not seen since 2012. Credit card portfolios have been particularly hard hit, with delinquency and charge-off rates now exceeding peaks seen during the 2008 financial crisis.

Balance sheet management and risk to earnings and net worth represents the second priority area, with examiners evaluating how credit unions manage credit, liquidity, and market risk. Interest rate volatility continues to pressure net interest margins, making robust risk management frameworks essential. The third and fourth priorities—cybersecurity and consumer financial protection—directly impact business continuity planning and incident response capabilities.

Examination Update

Credit unions over $1 billion in assets with CAMELS composite 1 or 2 ratings and no CEO change since the last exam are now eligible for a 12- to 16-month extended examination cycle. This change reflects NCUA's risk-focused approach to supervision.

Business Continuity and Disaster Recovery: A Major Examination Finding

During NCUA's 2024 examinations, business continuity and disaster recovery emerged as a major weakness across the credit union system. At Rivial Security's 2025 Risk and Compliance Summit, NCUA Regional Information Security Officers revealed that credit unions consistently struggled with BCDR readiness, outdated risk assessments, and underdeveloped incident response plans. The root causes were clear: insufficient testing, over-reliance on third-party vendors, and unclear role assignments during crises.

When disruptions occur—whether from cyberattacks, natural disasters, or system failures—too many credit unions are unable to recover quickly. This finding should serve as a wake-up call. Examiners will be looking for evidence that your credit union has moved beyond static PDF plans and manual processes toward dynamic, tested, and regularly updated continuity programs. The business impact analysis, as outlined by the FFIEC, must include assessment of all business functions and processes, identification of potential disruption impacts, legal and regulatory requirements, and estimation of maximum tolerable downtime.

NCUA's Top 2024 Findings

Credit unions struggled with BCDR readiness, outdated or inconsistent risk assessments, and underdeveloped incident response plans—often due to lack of testing, vendor over-reliance, and unclear roles during crises.

The 72-Hour Cyber Incident Notification Rule: Compliance is Non-Negotiable

Since September 2023, all federally insured credit unions have been required to notify the NCUA within 72 hours of reasonably believing a reportable cyber incident has occurred. This rule aligns with federal banking agency requirements and the Cyber Incident Reporting for Critical Infrastructure Act. In 2025, examiners will verify that your incident response plan clearly defines what constitutes a reportable incident and that your team is prepared to meet this tight deadline.

A reportable cyber incident includes any substantial loss of confidentiality, integrity, or availability of a network or member information system resulting from unauthorized access, exposure of sensitive data, or disruption of vital member services. The 72-hour clock starts when you form a reasonable belief that an incident has occurred—not when your investigation concludes. This distinction is critical. Credit unions must also report when a third-party provider experiences a cyber incident affecting their institution, with the clock starting from either the notification or when the credit union becomes aware of the impact, whichever comes first.

Cybersecurity Governance and Board Engagement

The NCUA continues to emphasize that cybersecurity is not just an IT issue—it's a board-level governance responsibility. Letter 24-CU-02 specifically called on credit union boards to prioritize cybersecurity oversight, and this expectation carries forward into 2025. Examiners will assess whether board members understand the information security program reports they review and whether they are confident in asking meaningful questions about the institution's security posture.

Boards should be briefed at least annually on business continuity test results, incident response plan effectiveness, and any recommendations for improvements. Management must demonstrate that information security programs are proactively managed, not reactively scrambled together when threats emerge. The NCUA encourages credit unions to use the Automated Cybersecurity Evaluation Toolbox to assess their cybersecurity maturity and identify areas for improvement before examiners do.

Succession Planning: A New Requirement Effective January 2026

While not part of the 2025 examination priorities, credit unions should be aware that a new succession planning requirement takes effect on January 1, 2026. The NCUA Board approved this final rule in December 2024 to address one of the most common causes of unplanned credit union mergers: the failure to plan for leadership transitions. All federally insured credit unions must establish a board-approved, written succession plan consistent with their size and complexity.

The plan must cover, at minimum, members of the board of directors, management officials and assistant management officials, senior executive officers, and any other personnel the board deems critical. Boards must review succession plans at least every 24 months, and newly appointed board members must become familiar with the plan within six months of appointment. The NCUA has provided a template for smaller credit unions and offers training through its Learning Management System.

Preparation is Protection

Practical Steps for Examination Readiness

Begin by conducting a comprehensive review of your business continuity plan. Is your business impact analysis current? Have you identified all critical business functions and their interdependencies? Are your recovery time objectives and recovery point objectives realistic and tested? The NCUA expects management to brief the board at least annually on test results and recommendations. If you haven't tested your continuity plan recently, schedule a tabletop exercise before your next examination.

Next, ensure your incident response plan clearly defines what constitutes a reportable cyber incident under NCUA rules. Develop incident-specific playbooks and ensure your team understands the 72-hour notification requirement. Designate a response team responsible for evaluating incidents and making rapid determinations about reporting obligations. Implement a structured workflow that includes immediate internal reporting to senior leadership, legal counsel, and compliance officers. Finally, centralize your documentation—keeping policies, procedures, and incident reports updated and easily accessible makes it simpler to meet compliance requirements and handle examiner requests.

Summary

The NCUA's 2025 supervisory priorities signal a continued and intensified focus on operational resilience across the credit union system. With business continuity and disaster recovery identified as a major weakness in 2024 examinations, the stakes have never been higher. Credit unions that take proactive steps now—updating their business impact analyses, testing their continuity plans, ensuring 72-hour incident notification compliance, and preparing for the 2026 succession planning requirement—will be better positioned both for examinations and for the real-world crises that these regulations are designed to address.

Key Things to Remember

  • BCDR emerged as a major examination weakness in 2024, with credit unions struggling with outdated risk assessments, insufficient testing, and unclear crisis roles.
  • The 72-hour cyber incident notification rule requires reporting to NCUA as soon as you reasonably believe a reportable incident has occurred—not after investigation concludes.
  • Cybersecurity is a board-level governance responsibility, with examiners assessing board engagement and understanding of security programs.
  • New succession planning requirements take effect January 1, 2026, requiring written plans covering key leadership positions with biennial board review.

How Branchly Can Help

Branchly transforms how credit unions approach business continuity and incident response. Our AI-powered platform automatically generates compliant playbooks tailored to NCUA requirements, enabling your team to respond in seconds rather than hours when disruptions occur. With pre-approved communication templates, real-time incident tracking, and automated audit logging, Branchly ensures you're always examination-ready while protecting your members and your institution's reputation.
