Union Administration (NCUA) Information Security Requirements

How Thales solutions help with NCUA information security compliance

What is the National Credit Union Administration?


Created by the U.S. Congress in 1970, the National Credit Union Administration (NCUA) is an independent federal agency that insures deposits at federally insured credit unions, protects the members who own credit unions, and charters and regulates federal credit unions.

What is the NCUA Examination Program?

The NCUA’s primary function is to identify and assess credit union system risks, threats, and vulnerabilities; determine the magnitude of such risks and mitigate unacceptable levels of risk through its examination, supervision, and enforcement programs. As such, NCUA requires all U.S. federally insured credit unions to establish a security program that addresses the privacy and protection of customer records and information.

The NCUA’s examination program focuses on the areas that pose the highest risk to the credit union system and the Share Insurance Fund. All federally insured credit unions receive an NCUA examination periodically.

What is the NCUA Information Security Booklet for Credit Unions?

To ensure both compliance with applicable laws and regulations, and safety and soundness, a review of the credit union’s information security program is performed at each examination. The “Information Security” booklet is an integral part of the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) and should be read in, conjunction with the other booklets in the IT Handbook. This booklet provides guidance to examiners and addresses factors necessary to assess security risks to a financial institution’s information systems.

Institutions should maintain effective information security programs commensurate with their operational complexities. Information security programs should have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.

Which institutions are supervised by the NCUA?

All credit union entities chartered and supervised by the National Credit Union Administration. Recent 2022 enforcement actions imposed monetary penalties in the $4.5 million to $5million range.

How can Thales help Credit Unions comply with the NCUA information security requirements?

Thales helps credit unions comply with the NCUA information security requirements and pass required examinations by addressing key risk mitigation requirements outlined in the NCUA Information Security Booklet.

NCUA Information Security Booklet Section IIC – Risk Mitigation

Management should develop and implement appropriate controls to mitigate identified risks. Controls include risk assessment, data encryption and key management, access management and security intelligence.

Thales helps organizations by:

  • Identifying and classifying sensitive data
  • Implementing access control
  • Protecting data in transit
  • Securing applications, databases, and implementing encryption
  • Reducing risk of third-party providers

NCUA Risk Mitigation Requirements:

5: “Management should inventory and classify assets, including hardware, software, information, and connections.”

Thales Solutions:

CipherTrust Data Discovery and Classification identifies structured and unstructured sensitive data on-premises and in the cloud. Built-in templates enable rapid identification of regulated data, highlight security risks, and help uncover compliance gaps.

7: “User Security Controls: Establishing and administering a user access program for physical and logical access. Employing segregation of duties...”

Thales OneWelcome identity & access management solutions limit the access of internal and external users based on their roles and context. Backed by strong authentication (MFA), granular access policies and fine-grained authorization policies help ensuring that the right user is granted access to the right resource at the right time; whereby minimizing the risk of unauthorized access.

SafeNet Trusted Access is a cloud-based access management solution that provides commercial, off-the-shelf multi-factor authentication with the broadest range of hardware and software authentication methods and form factors for cybersecurity protection.

CipherTrust Transparent Encryption encrypts sensitive data and enforces granular privileged-user-access management policies that can be applied by user, process, file type, time of day, and other parameters. It provides complete separation of roles where only authorized users and processes can view unencrypted data.

13: “… should determine sensitivity of the information to be transmitted, and types of safeguards available to protect information.”

Thales High Speed Encryptors (HSE) provide network-independent, data in-motion encryption (layers 2, 3, and 4) ensuring data is secure as it moves from site-to-site or from on-premises to the cloud and back. Our network encryption solutions allow customers to better protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception— without performance compromise.

17: “Application Security: Management should use applications that have been developed following secure development practices and that meet a prudent level of security.”

CipherTrust Platform Community Edition makes it easy for DevSecOps to deploy data protection controls in hybrid and multi-cloud applications. The solution includes licenses for CipherTrust Manager Community Edition, Data Protection Gateway, and CipherTrust Transparent Encryption for Kubernetes.

CipherTrust Secrets Management is a state-of-the-art secrets management solution, which protects and automates access to secrets across DevOps tools and cloud workloads including secrets, credentials, certificates, API keys, and tokens.

Thales Data Protection on Demand (DPoD) is a cloud-based marketplace that offers Luna hardware security modules HSMs and CipherTrust solutions as a service. This enables in-house teams to leverage these proven and certified data security solutions easily and securely in their own offerings.

18: “Database Security: Management should implement effective controls for databases and restrict access appropriately”

CipherTrust Tokenization permits the pseudonymization of sensitive information in databases while maintaining the ability to analyze aggregate information, without exposing sensitive data during the analysis or in reports.

CipherTrust Database Protection provides high performance, column-level database encryption with an architecture that can provide high-availability to ensure that every database write and read happens at almost the speed of an unprotected database.

19: “Encryption: Management should implement the type and level of encryption commensurate with the sensitivity of the information.”

CipherTrust Data Security Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases. Among them:

  • CipherTrust Transparent Encryption delivers data-at-rest encryption with centralized key management and privileged user access control. This protects data wherever it resides, on-premises, across multiple clouds, and within big data and container environments.
  • CipherTrust Enterprise Key Management streamlines and strengthens key management in cloud and enterprise environments over a diverse set of use cases.

Luna Hardware Security Modules (HSMs) protect cryptographic keys and provide a FIPS 140-2 Level 3 hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Luna HSMs are available on-premises, in the cloud as-a-service, and across hybrid environments.

20: “… Oversight of Third-Party Service Providers: Verification that information and cybersecurity risks are appropriately identified, measured, mitigated, monitored, and reported...”

CipherTrust Cloud Key Manager can reduce third party risks by maintaining on-premises under the full control of the financial institution the keys that protect sensitive data hosted by third party cloud providers under “bring your own keys” (BYOK) systems.

CipherTrust Transparent Encryption provides complete separation of administrative roles where only authorized users and processes can view unencrypted data. Unless a valid reason to access the data is provided, sensitive data stored in a third-party cloud will not be accessible in cleartext to unauthorized users.

Thales Data Security solutions offer the most comprehensive range of data protection, such as Thales Data Protection on Demand (DPoD) that provides built in high availability and backup to its cloud-based Luna Cloud HSM and CipherTrust Key Management services.

Related Resources

Data Security Compliance with the National Credit Union Administration

Data Security Compliance with the National Credit Union Administration (NCUA) Information Security Requirements - Compliance Brief

Created by the U.S. Congress in 1970, the National Credit Union Administration (NCUA) is an independent federal agency that insures deposits at federally insured credit unions, protects the members who own credit unions, and charters and regulates federal credit unions.

Compliance Requirements for American Financial Services Organizations

Compliance Requirements for American Financial Services Organizations - eBook

This eBook covers some of the most important regulations affecting Financial Services organizations in the United States and how Thales cybersecurity solutions help meet requirements for risk management, data privacy, access management and much more. Included regulations:...


Data Security Solutions for Financial Services

CipherTrust Data Security Platform for Financial Services Accelerate digital transformation while reducing costs & risks, centralizing data discovery.

Other key data protection and security regulations


Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.


Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.