Cybersecurity attacks continue to be a significant risk for middle market companies as the increasingly complex threat environment includes emerging technologies such as generative AI, according to the RSM US Middle Market Business Index Special Report: Cybersecurity 2024, presented by RSM US LLP (“RSM”) in partnership with the U.S. Chamber of Commerce. The report also highlights a sense of complacency among many companies amid fatigue after consistently hearing about risks and attacks for several years, but notes that firms must remain vigilant to protect sensitive data and ensure sustainable operations.

The MMBI data shows that 28% of middle market executives reported their company experienced a data breach in the last year, matching a record high set by the 2021 RSM survey results. Reported breaches at smaller middle market firms ($10 million to less than $50 million in revenue) rose to 20% from 12%, and breaches at larger companies ($50 million to $1 billion in revenue) increased to 37% from 28% since last year’s survey. Though breaches were up, 95% of survey respondents indicated they are confident in their current security measures.

The survey research also provides insights into the cybersecurity measures at smaller and larger middle market organizations, and in many cases, large gaps exist between the two groups. The data shows smaller middle market firms lag their larger counterparts in budgets and staffing, as well as confidence in implementing, generating value from and using technology to address threats.

Thanks for reading CPA Practice Advisor!

Join for free to get personalized access to all of our daily content, newsletters, continuing education, podcasts, whitepapers and more...

Already registered? Login

Need more information? Read the FAQ's

Ransomware Attacks Remain Prominent; Vulnerabilities in Third-Party Risk Strategies

Ransomware remains a widespread concern in the middle market, and 30% of surveyed executives reported having at least one ransomware attack or demand in the last 12 months. Forty-one percent of executives from larger firms disclosed at least one attack or demand in the last year, which is a decline of 13%. In contrast, 21% of executives from smaller middle market companies reported an attack or demand in the last year, representing an increase of 8%.

Of the companies that reported at least one attack in the last year, 28% said existing security measures were unsuccessful, 32% said they were partially successful and 40% said they were completely successful.

The RSM report explains that many ransomware attacks are the result of vulnerabilities within third-party risk strategies, and the survey data reveals opportunities for middle market companies to improve those controls. For example, almost two-thirds of respondents (64%) regularly evaluate cybersecurity controls at third parties and nearly three in five (58%) include service-level agreements and other data and security controls in contractual agreements.

“Amid escalating and evolving cyber threats and risks to businesses, President Biden’s administration has recast the regulatory and governance landscape to focus on rebalancing responsibility for cybersecurity, shifting liability for products and services not secured by design, and realigning incentives to favor long-term investments in security, resilience, and risk management,” said Vincent Voci, vice president, cyber policy and operations at the U.S. Chamber of Commerce. “The U.S. Chamber urges all organizations to invest more fully in cybersecurity, involve their senior business leaders in the cybersecurity conversation, and meaningfully and proactively collaborate with government agencies and law enforcement on cyber threats. Secure and trusted digital technologies are critical to national and economic security.”

Middle Market Prioritizing Cybersecurity; Staffing Concerns Persist

Middle market executives are taking cybersecurity seriously, as indicated by the record-high number of companies who indicated they carry a cyber insurance policy – up to 76% from 68% a year ago. Importantly, executives’ understanding of what these policies cover is increasing too. Seventy-five percent of middle market executives carrying a policy indicated they are familiar with their policy, up from 62% last year.

The MMBI survey data shows that 37% of executives plan to increase the proportion of their organization’s revenue devoted to cybersecurity in the upcoming year, but this figure differs greatly by firm size. Forty-eight percent of larger middle market companies plan to increase the amount of revenue dedicated to cybersecurity, compared to only 29% of smaller businesses. Thirty-four percent of companies report having cybersecurity budgets under the chief financial officer, with 32% residing under the chief executive officer.

Cybersecurity staffing remains a challenge in the middle market, and more than 60% of survey respondents report having two or fewer data security and privacy employees. Not surprisingly, larger middle market organizations have more dedicated internal staff; a plurality of those respondents (40%) had four individuals or more. Meanwhile, 27% of smaller middle market companies – the largest response in that subset – cited no internal personnel, but instead leverage external providers for data security. The RSM report also notes firms may have challenges in ensuring they have the right people with the skillsets to match advancing technologies.

Additional Insights and Industry Perspectives in Full Report

The cybersecurity special report delves into firms’ digital identity strategies and other preventive measures, their cloud migration progress, and their preparedness for emerging data privacy regulations. It also explores cybersecurity dynamics in several industries, including technology, telecoms, manufacturing, real estate and construction, professional services, government contracting, retail, financial services and health care. Industry insights can be found in the full report.

The survey data that informs this index reading was gathered from 403 respondents between Jan. 8 and Feb. 16, 2024.

Technology