Did you know that crows are highly intelligent and adaptable? As an example, they have been seen bending twigs into hooks, creating a tool that they can use to extract food from difficult-to-reach places. In a similar way, community financial institutions (CFIs) may need to approach risk management with ingenuity and adaptability, particularly as they navigate the fast-evolving and increasingly tech-enabled and interconnected risk landscape. To better understand today’s risk environment, we examine the key findings from the 2026 Bank Director Risk Survey, compare them with last year’s results, and explore what they might mean for CFIs. The 2026 survey, conducted in January and published in March, reflects the views of 257 executives from US banks with less than $100B in assets.
Top Risk Concerns for 2026
CFIs entered 2026 with similar priorities as in previous years, although facing new pressures. Survey respondents identify cybersecurity (92%), fraud (79%), and credit risk (60%) as their top concerns for the year ahead.
In addition to these priorities, respondents recognize that the expanding role of artificial intelligence (AI) in critical financial service functions — alongside its use by bad actors in more sophisticated fraud schemes — is fundamentally reshaping the risk landscape. This requires a stronger focus on governance structures and operational resilience.
Cybersecurity Remains Front of Mind, But Gaps Remain
Cybersecurity remains the top concern for CFIs, consistent with last year’s survey, and continues to be a key strategic risk. This reflects the critical role of digital infrastructure in financial services. While many CFIs are investing in monitoring and defense tools, the survey reveals some potential gaps in terms of cybersecurity governance and coordination.
Board oversight appears strong: 79% of chairs and independent directors say their board reviews and approves the institution’s cybersecurity strategy, and most believe that fraud and suspicious activity metrics are reported in a clear and timely manner. However, a gap may exist between oversight and expertise. Fewer than half (47%) of boards engaged external cybersecurity experts in the past year, which could leave their institutions exposed if internal expertise and capabilities are limited.
Encouragingly, 89% of CEOs and technology executives conducted a tabletop exercise of their cyber incident response plan in the past 12 months (up from 83% last year), suggesting improved focus on preparedness. The main issues identified through this exercise were over-reliance on key individuals or functions and a weakness in internal communications.
Even well-developed cyber programs can fail without sufficient expertise, diverse perspectives, and effective coordination and communication during a crisis. Alongside investing in infrastructure and the right expertise, organizations need to build awareness and a strong cybersecurity culture at all levels.
The Persistent and Evolving Threat of Fraud
Financial fraud continues to expand its reach and sophistication. Although new technologies are reshaping the landscape, traditional fraud also remains highly prevalent. Results from the survey show that nearly all institutions (99%, up from 94% last year) experienced check fraud in the past 18 months. What’s more, financial exploitation of elderly or vulnerable customers has also increased, affecting 84% of institutions, compared to 70% previously.
Technology continues to drive new fraud risks. Digital payments fraud was reported by 73% of respondents, highlighting the growing risks associated with online transactions. Meanwhile, 68% reported experiencing wire fraud. AI-enabled fraud is also emerging as a credible threat, with one in five institutions reporting incidents involving AI or deepfakes.
Increasingly, CFIs are recognizing that when it comes to maintaining customer trust, managing the aftermath of fraud is as important as prevention.
Credit Risk Concerns Back in Focus
Credit risk has re-emerged as a top issue, overtaking both interest rate and regulatory risk concerns, which ranked higher in last year’s results. Within credit risk, commercial real estate (CRE) is the main area of concern both in terms of CRE credit quality (27%) and CRE portfolio concentration risk (38%).
Encouragingly, stress testing appears to be well embedded in most institutions. Three-quarters of respondents say they conduct annual stress testing. Many are using the results to inform decisions — particularly in relation to adjusting their exposure in CRE portfolios, updating their asset/liability strategies, reviewing loan renewals, and revising capital planning assumptions.
In the current uncertain economic and geopolitical landscape, credit risk management and stress-testing approaches continue to be key to building resilience.
The Growing AI Risk Challenge for CFIs
The rise of AI presents a dual risk for CFIs. Externally, AI is enabling sophisticated threats such as deepfakes, synthetic identities, and advanced social engineering attacks. Internally, while it is being adopted for positive use across a wide range of use cases, there are obvious knowledge gaps, and governance frameworks are not always keeping up with the rapid evolution of the technology.
Respondents are most concerned about AI-related risks associated with AI-driven fraud and scams targeting customers (84%), followed by risks to their own organizations and employees (77%). In contrast, they are less concerned about competition from other financial institutions using AI (38%), data security risks arising from their own use of AI (37%), and risks associated with third- or fourth-party AI providers (34%).The survey results also show that the knowledge gap in AI is wide. Only single-digit percentages of those surveyed expressed expertise in various AI-related applications. Meanwhile, the majority of those surveyed reported only a baseline level of knowledge in each AI-related topic.
AI presents both an external security challenge and an internal governance challenge. Addressing these risks requires CFIs to maintain robust adoption controls and ensure strong board-level understanding and oversight.
CFIs continue to operate within a complex, interconnected risk landscape, compounded by an uncertain geopolitical and economic environment. To remain resilient and competitive, institutions must maintain a proactive and strategic focus on managing risk, strengthening governance, and improving operational resilience to support sustained growth and uphold customer trust.