The After-Hours Threat Credit Unions Can’t Ignore

Cyber threat actors target credit unions when their staff aren’t looking. Here’s what two high-profile breaches reveal about attacker timing, and how small IT teams can close the coverage gap.

Attackers don’t care about business hours. That fact is no longer a warning buried in a security framework; it’s a documented pattern playing out across the credit union industry. Ransomware groups, credential thieves, and nation-state actors have learned exactly when to strike. They target the moments when your defenses are thinnest: Friday evenings, Saturday mornings, and federal holidays. That’s when staffing drops, response times slow, and attackers have the most room to move undetected.

For credit unions operating with lean IT teams, this reality creates a structural problem. Your members expect uninterrupted access to their accounts every hour of every day. Your regulators expect documented, timely response when something goes wrong, as required under NCUA’s 72-hour incident notification rule in 12 CFR Part 748. But around-the-clock threat monitoring, alert correlation, and incident response simply can’t be staffed by a two- or three-person IT department, no matter how capable that team is.

The Patelco Attack: What Happens When the Lights Go Out

On Saturday, June 29, 2024, Patelco Credit Union, a California-based institution serving more than 400,000 members, detected a ransomware attack that involved unauthorized access to some of its databases. The attack forced the credit union to shut down day-to-day banking systems over the holiday weekend. Electronic transactions, including transfers, direct deposit, balance inquiries, and payments, were all unavailable, and debit and credit card transactions were limited.

The timing wasn’t accidental. The attack surfaced on a Saturday at the start of a holiday weekend, when response capacity at most organizations is at its lowest.

What makes this case particularly instructive is the dwell time. The investigation confirmed that an unauthorized party had accessed Patelco’s databases beginning May 23, 2024, more than five weeks before the attack was detected on June 29. That five-week window represents exactly the kind of sustained, low-visibility intrusion that continuous monitoring is designed to catch. An attacker with that kind of undetected access has time to map the environment, escalate privileges, identify backup systems, and position for maximum damage before pulling the trigger.

The broader context makes this even more concerning. As of 2025, a ransomware attack occurs somewhere in the world approximately every 19 seconds. According to Sophos, the median dwell time for ransomware cases in 2025 is down to just four days, a dramatic shift from previous years. Attackers are moving faster precisely because defenders have improved detection capabilities, which means the window to catch an intrusion before damage is done is narrower than ever.

This Isn’t an Isolated Incident

Patelco is one of many. Ransomware affected 65% of financial organizations worldwide in 2024, up from 64% in 2023 and just 34% in 2021. The average cost of a breach in the financial sector now runs $5.90 million.

On November 26, 2023, the day after Thanksgiving, attackers deployed ransomware against Trellance, a cloud services provider that dozens of credit unions rely on for core technology. Approximately 60 credit unions experienced some level of outage. The holiday timing wasn’t coincidental. Skeleton staffing, slower response times, and no continuous monitoring meant the intrusion spread across institutions before anyone could stop it.

Credit unions tend to rely more heavily on third-party vendors for IT and other services, and a vendor breach can serve as an entry point for an attack on the credit union. That dependency extends the attack surface well beyond what an internal IT team can monitor with the tools and staffing most credit unions have today. The NCUA has confirmed this pattern directly: approximately 73 percent of all reported cyber incidents involved a third party.

The Gap Is Structural, Not a Staffing Failure

Most credit union IT teams are doing exactly what they were hired to do: keeping systems running, supporting staff, managing vendors, and handling the day-to-day operational load that never stops. What they weren’t hired to do, and shouldn’t be expected to do, is run a security operations center, maintain a SIEM, correlate threat intelligence feeds at 2 a.m., and generate NCUA-ready incident documentation when an alert fires on a Sunday.

That’s not a failure of your team; it’s a structural mismatch between what modern threat actors demand and what a small IT department can realistically provide. The question is how to close it without building a full in-house SOC, which for most credit unions isn’t financially realistic or operationally necessary.

A fully loaded senior security hire runs $90,000 to $120,000 per year, with no after-hours coverage, no SIEM, and no incident response capability beyond that one person’s availability. And that’s before accounting for the tooling, licensing, and ongoing training required to actually run a security operations function. For most credit unions, the math never works.

What NCUA Expects and What Examiners Are Looking For

The regulatory pressure isn’t easing. NCUA’s 2026 Supervisory Priorities make clear that examiners will continue to assess whether credit unions have effective governance, risk assessments, vendor management, and security frameworks in place to protect member data and ensure resilience against cyber threats. The 72-hour incident notification requirement remains in force, and cybersecurity continues to be named a top supervisory priority as attacks against credit unions and the vendors they use become more frequent and sophisticated.

Examiners aren’t just checking whether controls exist on paper. They’re reviewing whether your information security program includes continuous monitoring, documented incident response procedures, and evidence that those controls are actually working.

A five-week dwell time like the one in the Patelco incident doesn’t meet that standard. Neither does detecting a breach on a Saturday and scrambling to respond without a documented playbook, a trained response team, or pre-built notification documentation.

A Practical Path to 24/7 Coverage

The good news is that continuous monitoring doesn’t require building an in-house SOC. Co-managed IT makes 24/7 security operations accessible to credit unions of any size by layering professional security coverage on top of your existing IT function, at a cost structure that’s built to work within a credit union’s budget rather than against it.

This is the model TorchLight has delivered to credit unions for nearly two decades. As a Pacific Northwest-based managed IT and cybersecurity provider, TorchLight built its co-managed offering specifically for regulated financial institutions that need enterprise-grade security coverage without enterprise-grade overhead. The team holds CISSP, CISA, and CISM certifications and is led by a former NCUA IS&T examiner, which means the documentation your examiners expect is built into the workflow from day one.

In practical terms, co-managed IT plays out in two ways depending on your team’s current capacity. For credit unions with capable internal IT staff, TorchLight adds the monitoring depth, security tooling, and after-hours coverage your team can’t maintain on their own. When something’s detected, your team receives a prioritized, actionable alert with remediation guidance rather than a raw log dump.

For credit unions with limited IT capacity, TorchLight runs full NOC and SOC operations while your staff focuses on member-facing support. Senior engineering escalations, compliance documentation, and board-ready reporting are all handled without adding to your headcount.

In both scenarios, 72-hour notification documentation is auto-generated as part of the incident response workflow, so the evidence your examiner expects is produced before they ask for it. And because TorchLight’s model is designed to offset costs through vendor consolidation, insurance premium reduction, and eliminated operational leakage, the coverage tends to cost significantly less than most credit unions expect.

The Window Isn’t Getting Larger

Attackers aren’t waiting for your budget cycle. The Patelco attack and the Trellance incident both demonstrate the same thing: credit unions without continuous monitoring are operating with a blind spot that ransomware groups know how to exploit. Ransomware attacks increased 34% globally during the first three quarters of 2025 compared to the same period in 2024. The threat is accelerating, not leveling off.

If your credit union has unanswered questions about what your current monitoring actually covers and what it misses after hours, TorchLight’s free cybersecurity assessment is the right starting point. No minimum asset size, no commitment. Just a clear picture of where you stand.