40% of survey respondents use a formal risk management framework to assess and manage cyber risks.
75% of middle market executives report carrying a cyber insurance policy.
Cyber insurance is evolving, but it remains important given the potential severity of attacks.
A comprehensive risk management strategy is the most critical element of an effective cybersecurity stance. As the attack surface continues to grow, companies must proactively implement leading strategies to address emerging risks and implement controls that align with overall business goals.
For example, many middle market companies are shifting from point-in-time governance strategies that can fail to address modern risks to a more dynamic continuous monitoring and autonomous risk management approach. These leading organizations are leveraging tool sets to aggregate data from various sources and gain a more holistic and real-time perspective on their cyber hygiene.
“In the past, companies had several disparate systems—perhaps identity and access management in one system and third-party risk management in another,” says RSM US LLP Director Amy Feldman. “With continuous monitoring, we are now able to leverage the data from those systems in a single location with real-time insights that draw larger conclusions around the broader risk posture instead of monthly or quarterly reports that don’t align insights with risk indicators.”
In the Q1 2026 RSM US Middle Market Business Index survey, the use of a formal risk management framework to assess and manage risks was the leading approach to identifying and managing cybersecurity risks, reported by 40% of respondents compared to 24% last year. Relying on third-party providers or consultants to manage cybersecurity risks ranked second (20%), followed by handling risk management reactively, addressing issues as they arise (18%).
The Canadian perspective: Canadian survey respondents also reported using a formal risk management framework as their leading approach to identification and management of cybersecurity risks, but at a higher rate than U.S. companies (53% vs. 40%).
“What we're seeing is that people in a risk management or cybersecurity role had to start putting more formal frameworks in place to measure success and show progress to boards and audit committees,” says Feldman. “So, I think a lot of the uptick in leveraging frameworks is because of pressures that probably started externally following highly publicized incidents but were subsequently pushed down from senior leadership.”
RSM US Principal Alden Hutchison also highlights the importance of leveraging an established framework to guide cybersecurity decisions. “Organizations are recognizing that you can’t manage cyber risk without a common measurement framework,” he says. “NIST and ISO give leaders a consistent way to assess maturity, prioritize investment and demonstrate progress to boards, regulators and audit committees.”
Cyber insurance remains a popular tool in the middle market to protect data and quickly recover if a cyberattack occurs. However, policies have undergone several changes in recent years to reflect the evolving risk environment.
In the MMBI survey, 75% of respondents reported carrying a cyber insurance policy, a drop from the record high 82% in last year’s survey, but in line with the previous high of 76% two years ago.
“From a third-party risk management perspective, we're seeing a lot of clients really pushing for their vendors to have an acceptable level of coverage within their cyber liability insurance rather than checking the box to indicate they hold coverage,” says Feldman. “I've seen a lot of our customers react to these requests to ensure they can keep the business, but the premiums are getting more expensive and policy coverage is getting less and less expansive.”
Even with policy changes, Hutchison emphasizes the importance of cyber insurance. “The decline in cyber insurance adoption is surprising, because the risk environment hasn’t improved,” he says. “Attacks are increasing, incidents are more expensive, and insurance remains a critical risk‑transfer mechanism. Opting out doesn’t reduce exposure. It concentrates it.”