The smallest financial institutions across the U.S. share a common struggle with the largest ones: how to best protect against hackers. Financial institutions are facing an increasing onslaught of cyberattacks. While smaller banks and firms may be forced to combat threats with fewer resources, that smaller size means they might be easier to protect.

“The smaller businesses actually have a solvable problem,” says Pete Petersen, director of technology and chief cybersecurity officer at Causeway Capital Management, an institutional asset manager that focuses on international equities and oversees about $40 billion. “I know what systems need to be patched. I know what systems we’re using. I know everything about this place. You can’t do that at Citibank.”

Institutions with small geographic footprints, little complexity in terms of technology and that outsource critical systems have little or minimal inherent cyber risk, according to a guide released Tuesday by the Federal Financial Institutions Examination Council, an interagency group that includes five U.S. banking regulators.

“It’s one thing to train 50 people on phishing. It’s another thing to train 50,000,” Petersen says. And a small, community bank may not be as attractive a target.

But that’s not to say small financial firms don’t have their own problems. They often rely on third-party vendors for protection, which means they have fewer in-house employees with information security expertise. Companies that outsource security are only as good as their contractors, and may have less control after an intrusion, or when it comes to keeping systems updated with the latest patches for vulnerabilities.

“The least technically advanced entities may provide the easiest access for hackers to the payments system,” Eric Rosengren, president of the Federal Reserve Bank of Boston, said in a speech earlier this year.
He also said the bank would expand a pilot information-sharing program this year to keep smaller financial institutions in the loop on emerging threats.

John Prisco, president and CEO of Triumfant, a Rockville, Md.-based security company that works with several dozen small and medium-sized financial institutions, says these firms deal with very limited budgets. “Many of them have very little more than antivirus protection, which is not very much protection at all,” he says. “They’re making do with the people who are responsible for operations as opposed to having separate security staff.”

Money can buy some protection — and staff to handle it — but cannot guarantee it. J.P. Morgan became perhaps the biggest recent example of this last year, when it spent $250 million on cybersecurity and still got breached. And the new federal guidance says financial institutions that use “extremely complex technologies to deliver myriad products and services” face the highest level of risk because they have more connections, systems and data to protect.

When it opened in 2007, the Bank of Princeton in Princeton, N.J. decided it would be more cost-efficient and effective to outsource security operations to a large information technology firm. Andrew Chon, the bank’s founder and chairman, says it also hires independent ethical hackers to attempt to hack their systems as another safety check against the criminals.

“If you had all the available resources, it would be a little bit easier,” Chon says. “I don’t know if they’re targeting the big [banks] or the small ones. Maybe we’re not as much of a target. I don’t know that. We’re always prepared.”