Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


Third-Party Risk Management Considerations in the NCUA’s 2024 Supervisory Priorities

4 min read
Featured Image

Supervisory priorities from regulators such as the National Credit Union Administration (NCUA), U.S. Securities and Exchange Commission (SEC), and Office of the Comptroller of the Currency (OCC) are generally influenced by the previous year’s events, with considerations for new risks and the current economic environment. The NCUA’s 2024 Supervisory Priorities appear almost identical to last year’s list, with two notable exceptions – the exclusion of fraud prevention and detection and the inclusion of third parties under Information Security (Cybersecurity).

By including third parties into the 2024 Supervisory Priorities and the recently passed Cyber Incident Notification Requirements, the NCUA appears to send a clear message – third-party risk management (TPRM) is an essential practice for credit unions. 

Let’s review some third-party risk management considerations in the 2024 Supervisory Priorities and some best practices that your credit union can implement to satisfy regulators. 

The NCUA’s Guidelines to Manage Third-Party Information Security Risk

The NCUA states that information security (inclusive of cybersecurity) will continue to be a focus area for examiners to protect both credit unions and members. As cybersecurity threats grow and evolve, the NCUA expects credit unions to protect themselves and their members with programs that are effective and adaptable. These cybersecurity programs should also include standards to protect against third-party cyber incidents, like data breaches and ransomware attacks, that can impact credit unions and their members. 

Third-party information security risk is a broad topic that covers many angles, but here are a few key areas where regulators may focus:

  • Response plans – Your credit union’s incident response plans should include processes and procedures on how your organization will respond to third-party cyber incidents. Response plans should include details on what is considered a reportable incident and timeframes for notifying the NCUA. Confirm your third parties’ incident response plans are adequate as well. 
  • Third-party contracts – It’s important to ensure your third party will notify your credit union of a cyber incident in a timely manner. Data breach notification requirements should be included in your third-party contracts, which may contain specific details about timeframes, the description of the incident, if your data was compromised, remediation efforts, and how the third party will prevent future incidents. 

    Pro Tip: In 2023, the NCUA passed requirements for cyber incident reporting. Credit unions are expected to report covered incidents within 72 hours after it was discovered. This should be factored into third-party contracts to ensure compliance. 
  • Incident monitoring and reporting – Your credit union should evaluate the effectiveness of its third parties’ incident monitoring and reporting procedures. For instance, consider the tools that your third party uses to monitor and report incidents and whether these tools are adequately tested. 
  • Incident documentation – Third parties should not only identify and monitor incidents, but formally document them for future response and reporting activities. Your credit union should ensure your third parties are properly documenting incidents and have policies in place to retain that information. 

ncua supervisory priorities third-party risk management considerations

Additional Best Practices to Mitigate Third-Party Information Security Risk and Comply With the NCUA

The NCUA’s guidelines for cyber incident notification requirements are a good starting point for managing third-party information security risk. However, these guidelines are generally focused on how to respond to an incident. It’s also important to consider a few other best practices that focus on incident prevention. 
Third-party cyber incidents are not 100% avoidable, but the following tips can help add an extra layer of protection: 

  • Be thorough in your due diligence reviews. Pre-contract due diligence is an essential process that will inform you of your third party’s security practices. Your credit union should always be thorough in reviewing the third party’s information security documents such as data retention and destruction policies, security awareness training procedures, and planning documents for business continuity and disaster recovery. Remember that due diligence should also be performed periodically after the contract is signed to ensure the third party is continuing to maintain your security standards.
  • Identify fourth-party risk. Your third parties are probably outsourcing certain products and services to other vendors, so it’s possible that these subcontractors also have access to your data. Although your credit union cannot directly manage these fourth parties, it’s important to ensure third parties have proper vendor management practices in place, such as risk assessments, due diligence, and ongoing monitoring
  • Consider the next steps. If due diligence reviews or risk monitoring reveal a third party has poor or insufficient security practices, your credit union should consider how it should proceed with the relationship. Depending on the situation, your credit union may just need to request additional information from the third party or increase the frequency of your ongoing monitoring activities. Significant issues may need to be escalated to senior management or the board, who can decide whether to reconsider the relationship.

The 2024 Supervisory Priorities are another good reminder of the importance of third-party risk management in mitigating information security risk. As cyber incidents grow more prevalent and complex, credit unions can better protect themselves and their members with an effective TPRM program.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo