Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


Compliance With the NCUA Cyber Incident Notification Requirement: Vendor Contract Considerations

4 min read
Featured Image

Experiencing a cyber incident within your credit union can be stressful, whether it originates from your own system or a third-party vendor. Regardless of who is responsible, or when it occurred, the National Credit Union Administration (NCUA) now expects your credit union to report the incident within 72 hours after it was discovered. The details of this rule are laid out in 23-CU-07, which went into effect on September 1, 2023.

To follow the NCUA’s recommendations for credit unions to comply with the new regulation, credit unions should look at their vendor contracts. Here’s an overview of determining a reportable incident and maintaining compliance through your vendor contracts.

Reportable Cyber Incidents to the NCUA and the CIA Triad

Before you start implementing this rule into your vendor contracts, it’s important to understand what the NCUA considers a reportable cyber incident. For example, a phishing attack that successfully installed malware or the discovery of zero-day malware is substantial enough to be reported, but a phishing email that was filtered out of your inbox or the successful removal of malware by antivirus software wouldn’t generally be considered a reportable cyber incident.

When thinking about cybersecurity incidents that occur internally or with your third-party vendors, it helps to be familiar with the concepts of the CIA triad – confidentiality, integrity, and availability. The NCUA expects that a credit union will report an incident if one of these concepts is jeopardized in an information system.

Here are two foundational questions you can ask to help determine if an incident is reportable:

  1. Did the incident cause a significant loss of the confidentiality, integrity, or availability of our network or information system?
  2. Did the incident disrupt our business operations or our member services?

If you answer “yes” to either of these questions, this may indicate that the incident is worth reporting.  

compliance ncua cyber incident notification requirement vendor contract considerations

Vendor Contract Considerations to Implement NCUA 23-CU-07

Contract Consideration 1: Incident Notification Requirement

Once you’ve defined a reportable incident, you can begin implementing relevant language into your vendor contracts. An incident notification requirement can help keep your credit union compliant with the NCUA regulation while also ensuring that you have the information you need to notify your members.

As you negotiate or renegotiate your vendor contracts, consider details such as:

  • Definition of an incident – Make sure your contract is clear on what’s considered a cyber incident. The NCUA’s guidance is a good starting point. However, you may still want to collaborate with your legal team and other qualified subject matter experts (SMEs), like information security, for additional clarification.   
  • Timing of notification – Since the NCUA gives you a deadline of 72 hours to report an incident once it’s discovered, you’ll want to factor this into your own vendor contract language. You may want to suggest a similar timeframe of 24-72 hours with your vendor to ensure you are in compliance with the NCUA’s data breach notification requirement. 
  • Investigation and remediation – Your contract should require that the vendor provides a basic description of the incident, such as the functions that were responsible and whether any sensitive information was compromised. This will help in your own reporting requirements to the NCUA. And although remediation details aren’t required by the NCUA, it’s important to be aware of how your vendor is handling the incident. 
  • Prevention – After an incident is discovered, your vendor should also provide documented actions that state how they will prevent future breaches. Depending on the incident, this might include additional training or more frequent vulnerability and penetration testing.
  • Penalties – Your credit union should also decide on penalties for the vendor after an incident. This might involve financial penalties or suspending or terminating the contract.

Contract Consideration 2: Right to Audit Clause

The NCUA regulation is primarily focused on identifying and reporting cyber incidents, with the intention of improving a credit union’s response capabilities, but it’s also important to proactively mitigate risks that can lead to these cyber incidents. One mitigation tactic is to include a right to audit clause in your vendor contract, which obligates the vendor to provide certain information whenever you ask.

Consider the following questions as you draft the clause:

  • Which documents will we need to request from the vendor? Be specific about the documentation, such as the vendor’s policies and procedures, business continuity testing, and third-party audit results. 
  • How quickly should the vendor provide those documents? Timelines are important to ensure that you’re reviewing the most current information available. For example, you might state that the vendor should provide a certain policy within 10 days after you request it. 
  • What is the penalty if the vendor doesn’t provide documentation on time? The clause should also state any penalties for not supplying documentation on time, whether that’s contract termination or suspension.

Implementing the NCUA reporting requirement may take some effort, but it should ultimately strengthen your cybersecurity program. With some careful planning and vendor contract considerations, you’ll be prepared to prevent and address cyber incidents that put your credit union and members at risk.  

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo