For Rhode Island’s banks, cybersecurity is no longer just a back-office function or a line item on a spreadsheet – it’s core to the business.
Across the state, community and regional institutions are investing heavily to keep pace with increasingly sophisticated threats.
Smaller banks spend between 11% and 15.5% of payroll on regulatory compliance, compared with 6% to 10% at the largest institutions, according to a November 2025 report from the Conference of State Bank Supervisors that analyzed 10 years of community bank survey data from 2015 to 2024.
But executives stress that the shift isn’t simply about cost. It’s about integration.
“I’m not sure I’d call it compliance costs,” said William K. Wray Sr., senior executive vice president and chief risk officer for The Washington Trust Co., a community-focused regional bank based in Westerly. “I might call it infrastructure costs.”
That infrastructure shows up across the balance sheet. Capital investments in cybersecurity flow through operating expenses, Wray said, but are embedded in delivery systems, software upgrades and staff training rather than treated as isolated burdens.
“The art of this is to try not to spend more, but to manage better,” he said.
At Beacon Bank, Chief Systems Officer Ryan Melle described a structured, top-down approach to cybersecurity.
“We start by identifying risks across the organization, then map controls to mitigate those risks,” Melle said.
From there, Melle said Beacon makes strategic decisions on what to invest in and what can be managed differently.
“It’s about balancing risk and cost effectively,” Melle said.
That organized, top-down strategy helps banks stay ahead of complex regulations that govern every corner of their operations, Wray said.
Community and regional banks operate in one of the country’s most heavily regulated industries, subject to oversight from federal and state authorities.
But Wray said the change in recent years is not simply new rules, but rather how deeply expectations are woven into everyday procedures.
“Instead of regulations being something you dealt with on the side, they now have to be ingrained into all of our procedures at a very deep level,” he said.
Both Washington Trust and Beacon take a hybrid approach when it comes to implementation, combining internal teams with outside software partners, particularly for third-party vendor oversight.
“This approach lets us filter noise efficiently and respond quickly to what really matters,” Melle said.
At Centreville Bank, it’s no different.
The West Warwick-based community bank relies on external partners for back-end systems and digital platforms, while similarly maintaining internal oversight, said Greg Germanowski, the bank’s vice president and information security officer.
Germanowski noted this differs from larger banks, which often maintain full teams of analysts.
“It delivers the same capabilities without needing them in-house,” he said. “We’re still protecting data, systems, keeping the bad guys out. What has evolved is how we respond to more-sophisticated attacks.”
Germanowski said that while the threats have grown more complex, the underlying regulatory principles haven’t changed.
“Malware and ransomware were the big concern, then business continuity, then third-party vendor oversight,” he said. “The foundations remain the same – it’s the focus that changes.”
Artificial intelligence, too, has emerged as a challenge and a tool.
“AI in the hands of attackers is multifaceted – spoofing customers, employees, or executives – and we have to respond effectively,” Germanowski said.
At the same time, AI has its benefits.
“Faster detection and automated containment lower the likelihood of events escalating into customer disruption, and that protects both our clients and internal operations,” Melle said.
Wray highlighted how AI tools support human judgment in spotting fraud, with pattern-recognition software flagging suspicious activity.
But delivering that seamless experience requires technological complexity beneath the surface.
“That’s the rest of the iceberg,” Wray said. “They only see the tip in their app. The rest of it, we have to deliver.”
And cybersecurity isn’t just about technology.
“Even without breaches, having very secure information adds credibility and improves trust in the brand,” Germanowski said.
With customers banking anytime, anywhere, cybersecurity has never been more critical.
Wray said that customers don’t distinguish between Washington Trust in a branch or on an app.
“They want the same brand experience that they can count on and trust,” Wray said.
Melle said cybersecurity at Beacon Bank is embedded in everything from everyday operations to enterprise-level risk decisions.
“Everything we do supports safe growth, protects customers and underpins our digital strategy,” he said.
