Texas Credit Union Cyber Threat Brief 2026

Prepared by: CoreRecon Research | June 16, 2026 

Companion: /for-credit-unions


EXECUTIVE SUMMARY

  • $6.08M — IBM CODB 2025 financial services breach cost. U.S. average: $10.22M. (IBM/Ponemon, 2025)
  • 73% of NCUA-reported cyber incidents (Sept 2023–May 2024) involved third-party vendors. A single 2024 core processor incident disrupted 60 CUs simultaneously. (NCUA Annual Cybersecurity Report, 2025)
  • 72 hours — NCUA Part 748 mandatory notification window, effective September 1, 2023. You cannot notify in 72 hours if you detect in 241 days (global average breach lifecycle).
  • $27M — LoanDepot (Jan 2024) total breach cost; 16.6M individuals’ PII exfiltrated; $86M class action settlement proposed. (SecurityWeek, SEC 8-K)
  • $5.56M — MeridianLink (Nov 2023) ALPHV/BlackCat breach via core lending platform serving CUs. (SEC 8-K, NCUA Letters to CUs)

Named anchors: MeridianLink (8-K, Nov 2023), LoanDepot (8-K, Jan 2024, 16.6–17M individuals, $27M cost)


SECTION 1: EXECUTIVE SUMMARY

The credit union system — 139 million members, $86 trillion in annual transaction activity — is under sustained cyber siege. Texas credit unions, the largest single-state concentration in the Cornerstone League footprint (~400+ CUs across TX/OK/AR), face exposure disproportionate to their cybersecurity maturity.

Three numbers that should end every debate:

  • $6.08M — IBM Cost of a Data Breach 2025, financial services sector average. U.S. organizations face a record $10.22M average. (IBM/Ponemon, Cost of a Data Breach Report 2025)
  • 73% of NCUA-reported cyber incidents (Sept 2023–May 2024) traced to third-party vendor involvement. A single 2024 core processor incident disrupted 60 small credit unions simultaneously. (NCUA Cybersecurity and Credit Union System Resilience Annual Report to Congress, 2025)
  • 72 hours — NCUA Part 748 Appendix B mandatory notification window, effective September 1, 2023. You cannot notify in 72 hours if you don’t detect for 241 days (the global average breach lifecycle). You cannot detect in 241 days without a co-managed SOC.

Named anchors proving the threat is real and material:

  • MeridianLink (November 2023, 8-K filed): ALPHV/BlackCat ransomware exfiltrated member data from this core lending software provider serving credit unions and banks. The group filed an SEC complaint alleging MeridianLink failed to disclose within the SEC’s 4-business-day window. (NCUA Letters to Credit Unions 2024; SEC 8-K filings)
  • LoanDepot (January 2024): ALPHV/BlackCat ransomware encrypted systems, disrupted loan servicing for weeks, and exfiltrated data on 16.6–17 million individuals — names, addresses, SSNs, financial account numbers. Total cost: $27M in remediation, litigation accruals, and class action settlement ($86M proposed settlement). (TechCrunch, SecurityWeek, Maine AGO breach notifications; SEC 8-K, January 2024)

The regulatory math: unreported or late-reported incident = NCUA enforcement action + FTC Safeguards Rule exposure + TX Finance Code Chapter 521 penalties + NCUSIF implications. The financial math is worse — member churn after a publicized breach compounds remediation costs by 30–50% in the first 90 days post-disclosure.


SECTION 2: TEXAS CREDIT UNION THREAT PICTURE

Cornerstone League Footprint

Cornerstone League serves approximately 600 credit unions across Texas, Oklahoma, Arkansas, Kansas, and Missouri — representing over 8.4 million members. Texas alone: an estimated 400+ credit unions, from single-selector CUs under $20M assets to regional CUs exceeding $2B. (cornerstoneleague.coop; LinkedIn; Wikipedia)

Confirmed Incidents and Downstream CU Exposure

  • Core processor ransomware incident, 2024: A third-party service provider serving credit unions suffered ransomware that disrupted daily operations for 60 small credit unions simultaneously. The NCUA highlighted this in its 2025 Annual Cybersecurity Report, noting it underscored the agency’s lack of examination authority over vendors. (NCUA, Doeren, 2025)
  • Texas Dow Employees Credit Union data breach (2023, disclosed 2024): ~500,000 member records exposed. (American Banker, 2024 biggest breaches list)
  • MeridianLink (November 2023): Indirect exposure for any TX CU using MeridianLink’s lending platform.
  • NCUA noted that approximately 90% of the industry’s assets are managed by third-party service providers with no NCUA examination authority — a legislative gap the agency has repeatedly flagged to Congress. (NCUA Board Briefing, October 2024)

Attackers Targeting the CU Sector

  • ALPHV/BlackCat: Claimed both MeridianLink and LoanDepot. Hit dozens of financial sector targets in 2023–2024, using double-extortion tactics.
  • Akira, LockBit 3.0, RansomHub: Top ransomware variants reported to FBI IC3 in 2024 — all active against financial institutions.
  • BEC ranked as the #2 source of financial cybercrime loss in 2024, with nearly $8.5 billion lost over three years. (FBI IC3 2024 Report)

TX-Specific Risk Multiplier

Texas ranks #2 nationally (behind California) in both cybercrime complaint volume and total financial losses. FBI IC3 2024 recorded $2.54 billion in losses from 96,265 complaints in California; Texas’s totals are second only to California. (FBI IC3 2024 Annual Report)


SECTION 3: ATTACK KILL CHAIN

STAGE 1: INITIAL ACCESS

Vector A — Credential Stuffing / Password Spraying

Verizon DBIR 2025: credential abuse accounts for 22% of all initial access vectors across financial services. Infostealer logs appear on dark web markets within 48 hours of theft. AI-generated phishing emails doubled in volume. (Verizon DBIR 2025)

Vector B — Supply Chain via Core Processors

The most dangerous initial access vector for CUs is a compromised core processor or fintech vendor. Key providers: Symitar/Episys (Jack Henry), Corelation Keystone, Fiserv, credit bureau connections. MOVEit/Cl0p (2023) demonstrated how a single file transfer vendor compromised 2,000+ organizations globally within days of zero-day disclosure. (DBIR 2025)

STAGE 2: PERSISTENCE — ACTIVE DIRECTORY ABUSE

After initial access, attackers compromise Active Directory:

  • LDAP reconnaissance to map the AD forest
  • Golden Ticket / Silver Ticket attacks against Kerberos
  • AS-REP Roasting against accounts with pre-auth disabled
  • GPO manipulation to maintain code execution

MFA gaps on admin accounts were the #2 NCUA exam finding in 2024–2025. (NCUA ISE; Rivial Security, 2025)
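For the AS-REP Roasting item above, a detection sketch added here as an example (it is not CoreRecon's code or part of the original brief): it scans Windows Security event 4768 records for TGT requests answered without pre-authentication and flags any source that requests them for several accounts in a short window. The event rows are constructed and flattened to five fields, and the 10-minute window and three-account threshold are assumed values to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # weak ticket encryption type; worth flagging in a burst
WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_ACCOUNTS = 3                # assumed threshold; tune to your environment

# Constructed sample of event 4768 (Kerberos TGT request) fields:
# (time, TargetUserName, IpAddress, PreAuthType, TicketEncryptionType)
SAMPLE_4768 = [
    ("2026-03-02T09:14:05", "jsmith",      "10.20.1.15", "2", "0x12"),
    ("2026-03-02T09:15:40", "svc_scanner", "10.20.1.30", "0", "0x12"),
    ("2026-03-02T11:02:11", "svc_backup",  "10.20.7.44", "0", "0x17"),
    ("2026-03-02T11:02:13", "svc_report",  "10.20.7.44", "0", "0x17"),
    ("2026-03-02T11:02:16", "tmp_teller",  "10.20.7.44", "0", "0x17"),
    ("2026-03-02T11:05:00", "mlopez",      "10.20.1.22", "2", "0x12"),
]


def no_preauth_events(events):
    """Keep only TGT requests issued without pre-auth (PreAuthType 0), oldest first."""
    return sorted(
        (datetime.fromisoformat(ts), user, ip, etype)
        for ts, user, ip, preauth, etype in events if preauth == "0"
    )


def detect_asrep_roasting(events, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Flag sources requesting no-pre-auth TGTs for many accounts inside one window."""
    by_source = defaultdict(list)
    for ts, user, ip, etype in no_preauth_events(events):
        by_source[ip].append((ts, user, etype))
    alerts = []
    for ip, hits in by_source.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            burst = hits[start:end + 1]
            accounts = sorted({u for _, u, _ in burst})
            if len(accounts) >= min_accounts:
                rc4 = all(e == RC4_HMAC for _, _, e in burst)  # every ticket RC4?
                alerts.append({"source": ip, "accounts": accounts, "rc4": rc4})
                break  # one alert per source is enough for triage
    return alerts


def accounts_without_preauth(events):
    """Remediation list: every account observed receiving a TGT without pre-auth."""
    return sorted({user for _, user, _, _ in no_preauth_events(events)})


if __name__ == "__main__":
    print(detect_asrep_roasting(SAMPLE_4768))
    print(accounts_without_preauth(SAMPLE_4768))
```

The second function is the more durable control: each account it lists has pre-authentication disabled and should have it re-enabled or be documented as an exception.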

STAGE 3: LATERAL MOVEMENT TO MEMBER DATA

After AD compromise, attackers move laterally to:

  • Core banking databases (member PII, account numbers, SSNs)
  • Loan origination systems (financial data, credit history)
  • Payment processors (card data, ACH routing)
  • Email systems (executive impersonation, wire fraud preparation)

STAGE 4: EXFIL + EXTORTION

Double-extortion is now the default playbook:

  1. Data exfil — 50–500GB of member PII staged to attacker infrastructure
  2. Ransomware deployment — Encryption of core banking, member portals, loan origination
  3. Extortion demand — Cryptocurrency payment; threat of data publication on leak sites

Median ransom: $115,000 (DBIR 2025). Total breach cost: $5–27M per major incident. (LoanDepot, SecurityWeek)

The 72-hour notification paradox: If a CU doesn’t detect until Day 90, the notification requirement is legally moot for 87 of those days. Part 748 Appendix B requires notification within 72 hours of reasonable belief — which requires detection.


SECTION 4: REGULATORY STAKES

Federal: NCUA Part 748 — The 72-Hour Rule

Effective September 1, 2023. Every federally insured credit union must notify the NCUA as soon as possible, no later than 72 hours after reasonably believing a reportable cyber incident has occurred. Third-party vendor incidents affecting the CU are reportable — 72 hours runs from when the CU is notified by the vendor. (12 CFR Part 748; NCUA Cyber Incident Notification Requirements Final Rule)

Part 749 — Records Preservation Program

NCUA Part 749 requires CUs to maintain records capable of reconstructing at least 18 months of activity. A ransomware incident that destroys records without adequate backups is simultaneously a data breach and a Part 749 violation.

State: Texas Finance Code Chapter 521

Texas imposes breach notification obligations on entities owning/licensing computerized data with sensitive personal information. Notification “as soon as reasonably practicable.” For breaches affecting 250+ TX residents, notification to TX AG required. Chapter 521 penalties for willful/reckless non-compliance: up to $250,000 per violation.

Federal: GLBA Safeguards Rule Alignment

FTC GLBA Safeguards Rule (12 CFR Part 314) requires financial institutions to maintain an information security program. NCUA Part 748 Appendix A incorporates the same requirements. Key alignment points: annual risk assessments, written security policies, IR plans tested annually, MFA on all accounts accessing customer data systems.

FFIEC CAT Maturity Expectations

NCUA examiners use the FFIEC CAT/ISE framework to evaluate CU cybersecurity maturity. Target for CUs over $100M assets: Level 4 (Managed and Measurable) across most domains. Most small CUs land at Level 2–3. The gap is where examiners focus.

BSA/AML Overlap

A cyber incident resulting in fraud (ACH/wire fraud, account takeover) triggers the CU’s BSA/AML program. SAR filing may be required if fraud exceeds filing thresholds. The CU’s fraud control framework and cybersecurity IR plan must coordinate.


SECTION 5: FIVE CONTROL FAILURES THAT SHOW UP IN NCUA EXAMS

FAILURE 1: Missing/Inadequate Third-Party/CUSO Risk Management (Most Cited)

~73% of reported cyber incidents involved third-party vendors. The NCUA has no examination authority over CUSOs or core processors — the risk sits entirely with the CU. (NCUA, 2025 Cybersecurity Report; Board Briefing October 2024)

Regulatory basis: Part 748 Appendix A, Section III.D; NCUA Letter to Credit Unions 24-CU-02; NCUA 2024 Supervisory Priorities

FAILURE 2: MFA Gaps on Admin and Privileged Accounts

MFA deficiencies on admin accounts were the #2 NCUA exam finding in 2024–2025. (NCUA ISE; Rivial Security NCUA panel notes, 2025)

Regulatory basis: FFIEC CAT (Preventive Controls — Authentication); GLBA Safeguards Rule; ACET

FAILURE 3: Inadequate/Untested Incident Response Plans

Credit unions consistently struggle with BCDR readiness, outdated risk assessments, and underdeveloped IR plans — often due to vendor over-reliance and unclear crisis roles. (NCUA Board Briefing October 2024; Rivial NCUA Panel, 2025)

Regulatory basis: Part 748 Appendix B; NCUA 2024 Supervisory Priorities; FFIEC Business Continuity Planning Handbook

FAILURE 4: Log Retention and Security Monitoring Gaps

Exam findings frequently cite insufficient log collection, retention, and analysis. Without adequate logs, CUs cannot demonstrate detection capability or meet Part 748 reporting obligations. (NCUA ISE Program; 2025 Cybersecurity Report)

Regulatory basis: FFIEC IT Examination Handbook (Management, Monitoring); Part 749; ACET

FAILURE 5: Vulnerability Management Lag on Internet-Facing Systems

NCUA specifically called out CVE-2024-47575 (FortiManager) as critical. Attacks against credit unions frequently exploit unpatched internet-facing systems. (NCUA Cybersecurity Alerts; 2025 Report)

Regulatory basis: FFIEC CAT (Preventive Controls — Infrastructure Management); CISA KEV catalog


SECTION 6: DOWNTIME ECONOMICS

$500M Asset Credit Union

Cost Component | Estimate
Core system outage (24 hours) | $150,000–$400,000
Lost interchange revenue | $50,000–$125,000/day
Incident response and forensics | $250,000–$750,000
Regulatory/legal counsel | $100,000–$300,000
Member notification and credit monitoring (17,000+ members) | $150,000–$500,000
Class action litigation reserve | $500,000–$5,000,000
Reputational recovery / member outreach | $75,000–$200,000
Total estimated breach cost | $1.3M–$7.3M

5% member attrition post-incident = ~$20M deposit outflow for a $500M CU.

$50M Asset Credit Union

Cost Component | Estimate
Core system outage (24 hours) | $25,000–$75,000
Incident response | $25,000–$50,000
Regulatory notification and compliance | $20,000–$60,000
Member notification (3,000–5,000 members) | $15,000–$30,000
NCUA exam fallout / corrective action plan | $30,000–$100,000
Class action / litigation | $250,000–$1,500,000
Total estimated breach cost | $365K–$1.8M

For a $50M CU, a $1.5M breach is existential. A $1.5M incident represents 20–30% of net worth ($5–8M average net worth).


SECTION 7: CORE RECON FIT

The 30-Minute SLA vs. The 72-Hour Regulatory Clock

NCUA Part 748 requires notification within 72 hours of reasonable belief an incident has occurred. You cannot form that belief without detection. The global average breach lifecycle is 241 days (IBM CODB 2025). CoreRecon’s 30-minute SLA compresses the identification window — same-session detection rather than 241-day dwell time.

CoreRecon Fortress — $129/endpoint/month

  • 24/7 co-managed SOC (human analysts)
  • EDR + network telemetry correlation
  • 30-minute SLA on critical alerts
  • NCUA Part 748 incident response support
  • FFIEC CAT maturity gap assessment included
  • Monthly board-ready reporting for NCUA examiners

CoreRecon Command — CUs over $500M assets

  • Everything in Fortress
  • Dedicated threat hunting team
  • Full incident response retainer
  • FFIEC CAT Level 4 maturity path support
  • NCUA exam prep: artifact review, IR plan evaluation, examiner-ready documentation

SECTION 8: 30/60/90-DAY ACTION PLAN

Days 1–30: Find Your Gaps

Action | Deliverable
Run CoreRecon endpoint assessment | Current gap report vs. FFIEC CAT baseline
Pull all third-party contracts | Vendor notification clauses inventory
Audit MFA coverage on admin accounts | MFA coverage map
Confirm 72-hour notification contact is defined | Written escalation chain

CTA: /assessment (free vCISO assessment — 45-minute evaluation covering all five failure areas)

Days 31–60: Close the Critical Gaps

Action | Deliverable
Enforce MFA on all privileged/admin accounts | MFA enforcement verification
Update IR plan to address Part 748 72-hour protocol | Board-approved IR plan
Update all vendor contracts with notification clauses | Signed contract addenda
Activate 24/7 monitoring with 30-min SLA | Active SOC coverage
Conduct IR tabletop exercise | Documented test with lessons learned

CTA: /tools/vciso-roi-calculator (dollar value of closing each gap vs. breach cost exposure)

Days 61–90: Build the Record

Action | Deliverable
Board cybersecurity briefing (documented) | Board minutes + presentation
Annual risk assessment (written, board-approved) | Filed with Part 748 documentation
Log retention review and SIEM optimization | Audit-ready log coverage report
Patch SLA documentation for internet-facing systems | Vendor vulnerability SLA documentation
Schedule NCUA exam prep session | Pre-exam gap remediation plan

SOURCES

  • IBM Security, Cost of a Data Breach Report 2025, Ponemon Institute (ibm.com/reports/data-breach)
  • Verizon, 2025 Data Breach Investigations Report (DBIR) (verizon.com/business/resources/reports/dbir/)
  • NCUA, Cybersecurity and Credit Union System Resilience Report to Congress — 2024 and 2025 (ncua.gov)
  • NCUA, Part 748 — Cyber Incident Notification Requirements (12 CFR Part 748, effective Sept. 1, 2023)
  • NCUA, Appendix B to Part 748 — Guidance on Response Programs
  • NCUA, Letter to Credit Unions 24-CU-02, Board of Director Engagement in Cybersecurity Oversight (October 2024)
  • NCUA, 2025 Supervisory Priorities (ncua.gov)
  • NCUA Board Briefing, Cybersecurity (October 24, 2024)
  • FBI, 2024 Internet Crime Report (IC3 Annual Report) (ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf)
  • Cornerstone League — cornerstoneleague.coop
  • LoanDepot SEC 8-K (January 8, 2024); Maine AGO breach notification (February 2024)
  • MeridianLink SEC 8-K (November 2023)
  • SecurityWeek, Ransomware Attack Cost LoanDepot $27 Million (2024)
  • Sophos, State of Ransomware in Financial Services 2025
  • Doeren Mayhew, NCUA’s 2025 Cybersecurity and System Resilience Report (2025)
  • Rivial Security, NCUA Examiner Insights: 2025 Top Priorities
  • Venminder, NCUA’s 2024 Supervisory Priorities — Third-Party Risk Considerations
  • Federal Register, Cyber Incident Notification Requirements for Federally Insured Credit Unions (March 1, 2023)
  • Texas Finance Code Chapter 521 — breach notification requirements
  • Rivial Security NCUA Panel: Infosec & Cybersecurity in 2025 (webinar)
  • eCFR — 12 CFR Part 748; 12 CFR Part 749; 12 CFR Appendix B to Part 748
  • TechCrunch, LoanDepot Data Breach (January 22, February 26, 2024)
  • Cybersecurity Dive, LoanDepot Ransomware Attack Exposes Data on Almost 17M Customers (2024)
  • ClassAction.org, $86M LoanDepot Settlement in Data Breach Class Action
  • American Banker, The Biggest Data Breaches of 2024 in Financial Services
  • NCUA RISK Team Panel, Rivial Risk & Compliance Summit 2025

CoreRecon — 24/7 Managed Cybersecurity for Credit Unions | corerecon.com
