Community banks are facing growing cyberthreats and strained information technology budgets as they boost online services in response to the pandemic and compete with financial technology companies.

Cyberattacks at U.S. financial institutions surged 51.5% in the first 10 months of the year versus 2019, according to government data, as hackers attempted to exploit security flaws in order to pinch financial assets or valuable customer data. The online crooks have increasingly targeted smaller banks in recent years, partly because of a perception that the lenders cannot afford to build robust defenses.

"They're poking around the small commercial banks because they see easy pickings," said Paul Ferrillo, a partner at Seyfarth Shaw LLP who is focused on cybersecurity and privacy. "Typically, the smaller banks are just not going to have the time, the money, nor the people resources to respond to an attack."

Smaller lenders have dived into the shark-infested online world to boost revenue amid rock-bottom interest rates and to help fend off internet-based rivals as the pandemic fuels a boom in remote banking. The push has squeezed already tight IT spending due to the risk of cyber breaches leading to compensation costs or fines, as well as reputational damage that may drive customers away and force the bank into riskier credits.

The price of protection

Cybersecurity is "not as costly as if you have cyber breach and you have to explain to every single one of your customers that their account has been compromised,” said Megan Prendergast Millard, senior managing director of financial and regulatory compliance services for Guidepost Solutions. "How do you put a price on that?"

Online threats mean that U.S. financial organizations with less than $500 million in annual revenue spend about 11.2% of their information technology budget on cybersecurity as of 2020, according to a survey from Deloitte & Touche LLP and the Financial Services Information Sharing and Analysis Center. That compares with an overall banking sector average of 9.4%.

U.S. lenders with under $1 billion in assets also accounted for nearly half of cybercrimes against banks from 2012 through 2017, according to a study by Nationwide, an insurance company. The average asset size of targeted banks declined 28% during the study period.

Initial costs for implementing cybersecurity can be comparatively high for community banks because a lack of in-house skills will force them to use third-party services, according to Prendergast Millard. Deployment steps include conducting risk assessments, establishing policies, creating testing procedures and training employees, she said.

The bank will then face ongoing costs for maintaining systems, such as using asset and vulnerability management tools, cybersecurity insurance and endpoint security software, said Chad Quarles, chief information security officer and security advisor at Hartman Executive Advisors, an information technology management consulting company. These will, at least, be cheaper and more predictable than the initial setup, Quarles said.

The costs of getting cybersecurity wrong were clearly shown at National Bank of Blacksburg, as cyberattackers stole $2.4 million from the lender in 2016 and 2017, according to a lawsuit. The Virginia-based community bank did not reply to multiple interview requests.

Successful cyberattacks also have a wider-reaching impact beyond the lost assets. Community banks suffer depressed branch deposit growth rates after a breach as customers desert to larger rivals, according to a 2021 paper from researchers at Durham University and the University of Leeds. The hacked lender then has to lower credit standards in order to defend its market share.

The pandemic has further heightened the need for cyber defenses as lockdowns and concerns about the transmission of the coronavirus have prompted more customers to bank online instead of going to branches. U.S. banks have shuttered a record number of branches throughout 2020 and 2021 and reinvested those resources into digital and technology due to the rapid acceleration of digital banking and growing competition from neobanks.

Community banks "are going to be feeling a lot of pressure to keep up with the larger financial institutions and fintech organizations, which have a lot of online capabilities," Quarles said. "They're going to have to balance that with their information security concerns."

The rise of online banking has also pushed up financial crime compliance costs, particularly at smaller lenders. Average annual expenses related to financial crime compliance surged 147% from 2019 to 2021 for U.S. banks with less than $10 billion in total assets, according to LexisNexis Risk Solutions. That compares with a 94% jump for banks with more than $10 billion in assets. Much of the industrywide increase was due to financial crimes involving digital payments and cryptocurrency, LexisNexis said.

READ MORE: Stay informed on how technology is reshaping the future of your sector. Get the Next newsletter delivered to your inbox every Tuesday. Sign up here.

The benefits of scale

One factor that can help banks with security costs is bulking up, including through acquisitions. OceanFirst Financial Corp., for instance, has found it easier to hire specialized staff after a growth boom, Chairman and CEO Christopher Maher said in an interview. The lender, which has made eight whole-bank deal announcements since 2015, is also now able to invest in artificial intelligence to monitor cyberthreats instead of doing the work manually. Technology and cybersecurity account for about 20% of the Red Bank, N.J.-based bank's total noninterest expenses, Maher said.

Customers Bancorp Inc. has similarly improved cyber defenses alongside company growth, according to Chief Information Security Officer Endré Walls. The biggest challenge has been staff training and creating a security culture to avoid employees inadvertently undermining technological systems.

"We definitely have been tested more in the last three years than at any other point in time in the organization's history," Walls said. At the same time, "by getting better at deploying technology and improving that security culture for our organization, we've gotten safer," he said.

The West Reading, Pa.-based lender's total assets have almost doubled in the past three years to $19.11 billion.

Under attack

Regulators have responded to the increasing threat of bank cyberattacks by tightening standards and requiring a more proactive response from lenders. In November, for instance, the Federal Deposit Insurance Corp., Office of the Comptroller of the Currency and Federal Reserve issued a final rule requiring banks to report major cyberattacks within 36 hours if the incident is likely to disrupt their business.

Financial institutions and their customers experienced more than 21,000 cyberattacks through October, based on suspicious activity reports, or SARs, filed with the Treasury Department's Financial Crimes Enforcement Network, or FinCEN. That is up from about 20,000 attacks in the whole of 2020 and about 14,000 attacks in 2019.

Banks and credit unions also have experienced more cyberattacks than any other financial-related industry since March, FinCEN data shows.

The growing threat of cyberattacks — and the possible costs from a successful breach — underscores why banks have to invest in cybersecurity systems. That is true even for hard-pressed smaller banks that may find the technology an unwelcome extra cost.

"Cybersecurity is a lot like insurance," said Customers Bancorp's Walls. "And, insurance is never cheap."