Article

Middle market tech companies must remain focused on cybersecurity during growth

Cybersecurity MMBI industry snapshot

May 30, 2024
#
Technology industry Cybersecurity consulting

The technology industry faces a host of challenges to protect its complex systems, data and users amid pervasive cyberthreats.

For midsize technology companies, in particular, the basics are often a good place to start, says Kurt Shenk, an RSM partner and and technology senior analyst. These predominantly private businesses, which often grow quickly due to organic growth, infusions of private capital, or acquisitions, are focused on scaling up, so they can have a blind spot for their cyber vulnerabilities, he says.

“Some of the things that might be second nature at a large firm are not necessarily in place at midmarket tech companies,” says Shenk, noting a lack of incidence response protocols, education around threats such as email phishing or a clear understanding of cybersecurity insurance coverage. “What’s the procedure, who is getting involved and how do you respond when something takes place?”

Even the best preparation cannot always thwart sophisticated attacks, says Shenk, who notes that several of his technology clients now find it necessary to keep bitcoin on their books in the event they fall victim to a ransomware attack and must pay bad actors to release their information.

Some of the things that might be second nature at a large firm are not necessarily in place at midmarket tech companies. What’s the procedure, who is getting involved and how do you respond when something takes place?
Kurt Shenk, RSM Technology Senior Analyst

Well-known technology corporations have been among the most widely reported breaches in recent years. As of late 2023, the SEC began requiring public companies to report “material” cybersecurity incidents within four business days and to disclose annually how they manage cybersecurity—both measures designed to protect investors.

Meanwhile, the use of AI presents technology firms with great opportunity for innovation but also brings additional cyber risk, Shenk says. The European Union in March gave final approval to a set of protections around AI use intended to take effect in about two years, including prohibiting AI-powered social scoring systems and biometric tools that attempt to surmise an individual’s race, politics or sexuality. The United States, by contrast, has yet to put forth similar restrictions.

But Shenk believes the recent SEC requirements may portend a period of heightened regulation that could govern private companies as well.

“The beginning of regulation is there, and it seems like something that will continue,” he says. “Companies are focused on it.”

Related insights

RSM US MMBI

Cybersecurity 2024 special report

Our annual insights into cybersecurity trends, strategies and concerns shaping the marketplace for midsize businesses in an increasingly complex risk environment.