The 2026 NCUA Exam Now Scores Eight IT Criteria. Would Your Credit Union Pass?


Key takeaways
• For 2026, NCUA evaluates IT risk assessments against eight specific essential elements. Missing any one signals incomplete governance to an examiner.
• Annual board cybersecurity training is, for the first time, a top examiner priority: boards are expected to actively understand the program, not passively receive a briefing.
• Vendor oversight, payment-system risk, scenario-specific incident playbooks, and mature vulnerability management round out the 2026 focus areas.
• Modernizing around the core, done in documented increments, produces exactly the evidence (asset inventories, control testing, vendor records) that these criteria demand.
Most credit unions have an IT risk assessment. The question for 2026 is no longer whether one exists; it is whether it holds up against the specific structure examiners now use to evaluate it. NCUA’s 2026 supervisory priorities raise the bar in a way that turns a familiar document into a scored exhibit.
This is the dimension the deposit and modernization conversations usually lack: a deadline. The everyday case for modernization is about member experience and balance-sheet health. The regulatory case adds urgency, because the exam is coming on a fixed schedule whether the work is done or not.
What are the eight IT criteria examiners now score?
NCUA now evaluates the IT risk assessment against eight essential elements. Examiners look for each one to be present, specific, and evidenced; generic, high-level documents that gesture at risk without measuring it draw findings.

The element drawing the most new attention is risk appetite. A defensible statement is quantified (a specific, measurable limit rather than a direction like “keep vulnerabilities low”), explicitly board-approved, tied to actual assessment results, and able to trigger action when breached. “We take security seriously” is not a risk appetite. A documented, board-approved limit is.
Why is board cybersecurity training suddenly a priority?
For the first time, NCUA is treating annual board cybersecurity training as a top examiner priority. The expectation is a shift from passive awareness to active comprehension: board members are expected to interpret program metrics, understand the risks the institution faces in business terms, and document that the training happened.
In practice, examiners want to see formally documented briefings, retained materials and attendance records, and evidence that the board can actually engage with what it is shown, not a slide deck that was presented once and forgotten. For many credit unions this is a genuinely new piece of governance work, and it cannot be assembled the week before an exam.
What else is on the 2026 examiner agenda?
The eight-element risk assessment and board training sit alongside several other focus areas. Each one rewards documentation and measurable improvement over good intentions.

A common thread runs through all of it: examiners review evidence, not intentions. Every priority area resolves to a documentation question: can you show, on paper, that the control exists, was tested, and is reported on?
How does modernization connect to passing the exam?
Here is the connective point that turns a compliance burden into a strategic argument. The same modernization work that improves member experience also generates the artifacts these criteria demand, when it is done as a sequence of bounded, documented steps rather than as either a stalled environment or a chaotic conversion.
Modernizing around the core forces you to inventory your information assets and the systems that process them (elements 2 and 3). It surfaces and documents integration and security controls, with testing evidence (element 5). It produces the metrics and reporting that elements 6 and 8 ask for. And because the work is incremental and well-scoped, vendor oversight and change documentation accumulate naturally rather than being reconstructed under exam pressure.
The risk of waiting is not only another year of member-experience drift. It is walking into a scheduled exam with a risk assessment that no longer matches how examiners score, and a board that cannot demonstrate the comprehension now expected of it.


