Small enough to lack a SOC. Big enough to pay. In November 2023, the ALPHV/BlackCat ransomware group attacked MeridianLink — and 60+ credit unions lost loan processing, digital banking, and member portal access simultaneously. That was one vendor. Texas has roughly 400 credit unions, the majority without a security operations center. NCUA examiners now arrive with cybersecurity questionnaires and CAT expectations. CoreRecon delivers NCUA-mapped SOC coverage, 24/7 monitoring, and 30-minute breach response at $89–$129/endpoint — no enterprise contract required.
Credit unions concentrate exactly what ransomware operators want: member PII, SSNs, account numbers, and ACH routing data — all in systems that run 24/7 and cannot tolerate downtime without directly harming members. The threat profile is specific to the model.
NCUA began integrating cybersecurity into its examination process following the 2014 FFIEC Cybersecurity Assessment Tool release. Since 2023, examiners routinely assess: written information security program (required by Part 748 Appendix A), incident response plan documentation, board-level cybersecurity reporting, vendor oversight program, and FFIEC CAT maturity self-assessment. The absence of documentation is itself an examination finding — credit unions that lack a written security program or cannot demonstrate board engagement receive examination findings that trigger corrective action requirements and follow-up examinations.
The GLBA Safeguards Rule (amended December 2021, effective June 2023) added specific requirements for "financial institutions" — which includes credit unions — including a designated information security coordinator, risk assessment, and a 30-day FTC breach notification requirement for breaches affecting 500+ customers. This is separate from, and in addition to, NCUA's 72-hour significant cyberattack notification requirement and state breach notification laws. Texas Finance Code Chapter 59 applies to state-chartered credit unions and adds Texas Department of Banking oversight.
NCUA examiners don't want to hear about your plans — they want documented evidence of an operating security program. Here's how CoreRecon controls map to what examiners actually audit.
| Requirement | Standard | Common Exam Finding | CoreRecon Coverage (tier) |
|---|---|---|---|
| NCUA Part 748 | Written Information Security Program — Risk Assessment + Board Reporting | WISP is a template document, not an operational program; board receives no cybersecurity reporting; risk assessment was completed once and not updated | Sentinel: Operational security program documentation, quarterly risk posture updates, annual board cybersecurity report package aligned to NCUA Part 748 Appendix A |
| NCUA Part 748 | Incident Response Plan — Detection, Notification, Recovery | IRP exists on paper but has never been tested; no designated IR contacts; breach discovered via member complaint, not monitoring | Fortress: Documented IRP with tested procedures, designated CoreRecon IR contact, 24/7 monitoring with escalation, NCUA 72-hr notification workflow support |
| NCUA Part 749 | Records Preservation — Financial and Operational Records, 6-Year Retention | Backup exists but retention period is insufficient; no tested recovery; core banking backups stored in same location as primary systems | Fortress: Encrypted offsite backup, 6-year retention for covered record categories, tested recovery procedures with documented RTO/RPO |
| GLBA Safeguards | Designated Information Security Coordinator + Written Program | No designated coordinator; security program is informal; GLBA compliance treated as an IT function without documented governance | Sentinel: CoreRecon serves as documented security operations partner; written program documentation support; board-level reporting cadence |
| GLBA Safeguards | 30-Day FTC Breach Notification (500+ members) | No breach notification workflow; credit union lacks the documentation to determine breach scope within 30 days; notification drafting begins after containment | Command: Real-time breach scope documentation during IR, 30-day FTC notification package prepared in parallel with containment, NCUA 72-hr notification workflow |
| GLBA Safeguards | Vendor Oversight — Service Provider Agreements + Security Assessments | Vendor inventory exists but no security assessments; core banking and digital banking vendors have not been assessed; no contractual security requirements | Fortress: Vendor risk monitoring support, security questionnaire facilitation, CUSO and fintech vendor oversight documentation for examiner review |
| FFIEC CAT | Cybersecurity Controls — Access Management, Threat Monitoring, Anomalous Activity Detection | CAT self-assessment at Baseline maturity despite significant online banking risk profile; no MFA on member-facing applications; no behavioral anomaly detection | Fortress: MFA enforcement, 24/7 behavioral monitoring, anomalous activity detection on core banking and online banking platforms, FFIEC CAT maturity documentation |
| FFIEC CAT | Cyber Incident Management — Response, Recovery, and Resilience | No tested incident response; recovery capabilities not documented; credit union cannot demonstrate resilience commensurate with its digital banking risk | Command: 30-min SLA IR, pre-authorized containment protocol, tested recovery procedures, FFIEC CAT Intermediate-Advanced maturity documentation support |
Full NCUA examiner evidence package, GLBA program documentation, and FFIEC CAT maturity mapping available through the free assessment. Reach out at corerecon.polsia.app/assessment.
10-endpoint minimum. Month-to-month. Designed for credit unions without a dedicated security team — priced so the CEO and board can approve it without a 6-month procurement cycle. Use the pricing calculator to model your endpoint count.
30-minute SLA applies to Command tier. The GLBA 30-day FTC notification clock starts at discovery — not containment. Having an analyst engaged within 30 minutes means you're building the breach scope and notification package in real time, not reconstructing it under regulatory deadline pressure. Command tier includes the pre-built NCUA 72-hour notification workflow and GLBA FTC notification package, drafted before the clock runs.
Generic MSSPs handle IT security. Credit unions need NCUA-mapped programs, ACH fraud detection, CUSO vendor oversight, and a documented FFIEC CAT maturity posture. Here's how the dimensions that matter to NCUA examiners compare.
| Dimension | CoreRecon | Cybriant | Trustwave |
|---|---|---|---|
| NCUA Part 748 / GLBA Mapping | All key requirements explicitly mapped to service tiers. NCUA examiner evidence package. GLBA FTC 30-day notification workflow. FFIEC CAT maturity documentation at each tier. | IT-focused MDR and SIEM. NCUA/GLBA compliance framed as customer responsibility. No documented regulatory alignment published for credit union market. | Compliance support available through professional services. Requires separate regulatory engagement at enterprise pricing. Not included in standard MSSP contract. |
| 30-Min Breach SLA | 30-minute SLA on Command tier. Pre-authorized containment protocol. GLBA FTC notification package and NCUA 72-hr notification prepared in parallel with IR. | 4-hour SLA documented in published agreements. No credit union-specific breach response SLA or regulatory notification support documented. | SLA varies by contract tier. Enterprise SLAs start at 1-hour. No credit union regulatory notification commitment in published materials. |
| Transparent Pricing | $89/$129/endpoint published publicly. Command at $2,500+/month custom. 10-endpoint minimum, month-to-month. Pricing calculator at /pricing. | Quoted per engagement. No published pricing. Financial institution prospects report 6–12 month sales cycles before a contract number. | Enterprise contracts. No published pricing. Minimum engagements typically reported at $100K+ annually by industry sources. |
| SDVOSB & TX-Native | SDVOSB-certified. Texas-based team. TX Finance Code Chapter 59 compliance built into Fortress tier. ACH fraud monitoring built for credit union workflows. | National firm. No SDVOSB certification. No Texas-specific SOC or TX credit union regulatory compliance support documented. | Global MSSP. No SDVOSB designation. Texas-specific credit union regulatory requirements framed as professional services add-on. |
We map your member data attack surface, assess controls against NCUA Part 748 and GLBA Safeguards requirements, evaluate your CUSO vendor risk posture, score you against FFIEC CAT maturity levels, and benchmark your breach notification readiness. No credit card. No commitment. Delivered in 14 days.
Request your free $2,500 NCUA/GLBA assessment → Delivered within 14 days • No credit card • SDVOSB-certified team
See a sample report — redacted 12-page PDF, real findings.
Need a SOW for your board or supervisory committee? Build your Scope of Work PDF →
GLBA §314.4(f) requires vendor oversight documentation. Score your vendor risk against GLBA & NCUA requirements →
Texas credit unions are subject to NCUA Part 748 (security program requirements) and Part 749 (records preservation). Part 748 Appendix A mandates a written information security program, board-level annual reporting, incident response plan, and vendor oversight. GLBA Safeguards Rule (amended 2023) adds a designated security coordinator, formal risk assessment, and 30-day FTC breach notification requirement for 500+ member breaches. FFIEC CAT provides the framework NCUA examiners use to assess cybersecurity maturity. Texas-chartered credit unions also fall under Texas Finance Code Chapter 59 and Texas Business & Commerce Code §521 for breach notification. Command tier includes documentation support for all of these frameworks — one engagement, one examiner evidence package.
In November 2023, ALPHV/BlackCat ransomware attacked MeridianLink — a loan origination and digital banking platform used by dozens of Texas credit unions and hundreds nationally. The attack disrupted loan processing, member portal access, and core banking integrations simultaneously across institutions that had no direct breach. NCUA issued emergency guidance. The attack demonstrated the CUSO concentration risk inherent in the credit union model: institutions that share technology infrastructure share breach exposure. CoreRecon vendor risk monitoring (Fortress tier) tracks the security posture of your core platform providers and alerts on indicators of vendor compromise before it cascades into your institution.
The FTC Safeguards Rule (amended 2023) requires credit unions to notify the FTC within 30 calendar days of discovering a breach that affects 500 or more members. The notification must include: institution name and contact, type of information involved, date range of the breach, number of members affected, and a description of remediation steps taken. The 30-day clock starts at discovery — not containment, not forensic confirmation. If your monitoring infrastructure detects a breach on day 1, you have 30 days. If a member complaint surfaces a breach you should have detected on day 1, you may already be late. NCUA separately requires notification of significant cyberattacks within 72 hours. CoreRecon Command tier maintains pre-drafted FTC and NCUA notification templates and builds breach scope documentation in real time during incident response — so you're not drafting regulatory correspondence from scratch under deadline.
The FFIEC Cybersecurity Assessment Tool measures cybersecurity maturity across five domains: Cyber Risk Management & Oversight, Threat Intelligence & Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management & Resilience. NCUA examiners assess whether a credit union's maturity level is commensurate with its inherent risk profile — the more digital services, members, and transaction volume, the higher the expected maturity. A credit union offering online banking, ACH, and mobile app services that self-assesses at Baseline maturity will face examiner questions. CoreRecon Sentinel covers Baseline maturity documentation; Fortress covers Evolving/Intermediate; Command covers Intermediate/Advanced. We provide CAT self-assessment support and examiner-ready maturity documentation as part of the engagement.
Yes — CoreRecon integrates with major credit union core banking platforms for security event monitoring. Symitar (Jack Henry), Corelation Keystone, and FiServ DNA all expose audit log streams and access event APIs. Digital banking platforms (Q2, Alkami, Digital Insight/NCR), lending systems (MeridianLink, Encompass), and payment processing platforms are also supported. We aggregate security events from core, digital banking, lending, and network infrastructure into a single SIEM — giving NCUA examiners a unified audit trail rather than siloed logs from multiple systems. Integration setup is included in onboarding at Fortress and Command tiers. If your core platform is not on this list, we assess compatibility during the free engagement and typically support integration within the first 30 days.
Pricing is $89/endpoint/month (Sentinel) or $129/endpoint/month (Fortress), with a 10-endpoint minimum and no multi-year contract requirement. A 50-endpoint credit union pays $4,450/month (Sentinel) or $6,450/month (Fortress). A 100-endpoint institution pays $8,900/month (Sentinel) or $12,900/month (Fortress). Command tier starts at $2,500/month with a custom scope for larger institutions or those needing dedicated vCISO support. Use the pricing calculator to model your exact endpoint count with add-ons. For context: a single NCUA examination finding requiring corrective action typically costs $50,000–$500,000 in remediation, legal, and follow-up examination costs over 1–3 years. Month-to-month billing means you can start with Sentinel and upgrade as your FFIEC CAT maturity requirements grow.
Yes. Some Texas credit unions provide financial services to law enforcement agencies and their employees, which may bring CJIS requirements into scope — particularly for credit unions that access or process data in systems where law enforcement employees conduct CJIS-covered operations. CoreRecon is familiar with CJIS Security Policy v6.0 requirements through our work with Texas municipalities and law enforcement agencies. If CJIS applies to your credit union's operations, the free assessment will identify the scope and requirements. See the CJIS v6.0 Compliance Guide for an overview of requirements.
The MeridianLink wave proved credit unions are targets. NCUA examiners have made cybersecurity a standard examination element. The question isn't whether your credit union will face regulatory scrutiny — it's whether you'll have documentation when it arrives. No credit card. No commitment. Delivered in 14 days.