.png?width=400&name=SBSIWebinarsBundles_WebMenu%20(1).png)
MADISON, S.D., November 4, 2025 — Despite regular risk assessments, the nation’s most vulnerable credit unions — those with assets under $150 million — remain exposed due to a lack of dedicated cybersecurity leadership, according to a 2025 survey by SBS CyberSecurity.
The survey found that while many smaller credit unions conduct quarterly or annual risk reviews and express confidence in their cybersecurity posture, only 23% have a dedicated employee — such as a chief information security officer (CISO), information security officer (ISO), or virtual CISO — responsible for managing the cybersecurity program. Staff training, incident readiness, and coordinated responses can suffer in the absence of dedicated leadership, leaving institutions more exposed to cyber threats.
These gaps in preparedness align with the threats that concern credit unions most. Ransomware, data breaches, and social engineering ranked as the top concerns, with reputational risk close behind. At the same time, credit unions face limited budgets and a shortage of skilled staff, making it difficult to fully mitigate these threats.
"Credit unions are taking important steps to protect members and operations, but regular assessments alone aren't enough," said Chris Hoff, director of professional services at SBS. "Without dedicated leadership and ongoing staff training, institutions experience gaps that attackers are ready to exploit. Investing in skilled teams, practical controls, and actionable insights is critical to building resilience."
The survey highlighted operational patterns that could inform action across the industry:
- Risk assessments don't guarantee visibility: Many credit unions review risk quarterly, but nearly a third still rate their cybersecurity posture as average or weak.
- Leadership gaps persist: Only a minority of credit unions have a dedicated cybersecurity leader, resulting in inconsistent management of strategy and staff training.
- Resource and scale challenges impact operations: Budget shortfalls and staffing limitations make it harder for credit unions to implement effective leadership, employee readiness, and risk controls.
SBS, which provides comprehensive cybersecurity support and risk management tools tailored to both banks and credit unions, emphasizes the importance of pairing regular assessments with structured action.
"Effective cybersecurity isn't just about knowing your risks or reacting to incidents," Hoff added. "It's about proactively creating a culture of resilience and executing on it."
About SBS CyberSecurity
SBS CyberSecurity is focused on empowering your cybersecurity decisions. We provide robust risk management programs, IT audit services, and cybersecurity testing solutions, enabling you to protect your organization. For more information, visit sbscyber.com.