Middle market leaders increasingly recognize the heightened risk of cyber threats and data breaches that continue to capture headlines, but fail to realize they are prime targets for cyber attacks. That’s according to results from the RSM US Middle Market Business Index (MMBI) Cybersecurity Special Report released today by RSM US LLP (“RSM”), in partnership with the U.S. Chamber of Commerce.
The report found that 15 percent of middle market executives indicated that their companies experienced a data breach in the last year, up from 13 percent in 2018 and a significant jump from 5 percent just four years ago. Additionally, more than half (55 percent) of respondents believe that an attempt to illegally access their company’s data or systems is likely in 2019, an increase from 47 percent in 2018. Larger middle market organizations continue to be most at risk for cybercrime, as many have high volumes of valuable data but don’t have the robust security resources of their large-cap peers, making them exceedingly attractive to cybercriminals.
In terms of the types of attacks, ransomware has become the most popular breach method for cybercriminals – evolving from a nuisance to a major threat because of its highly targeted nature. RSM found that over one-third of middle market executives (35 percent) know someone who has suffered a ransomware attack, compared to 31 percent in 2018, while 20 percent have suffered an attack themselves, a two percentage point increase from last year. Social engineering has also become prevalent, with 42 percent of executives reporting social engineering attempts on their organizations from outside parties.
However, while executives are taking notice of looming cyberthreats, and the number of reported breaches has tripled over the last five years, the majority (93 percent) are confident in their organization’s security measures, which is likely due to increased investments in cybersecurity tools and initiatives. This growing confidence of middle market leaders conflicts with rising concerns, and research shows that companies need to remain diligent.
“One of the most apparent trends from the report is the confidence middle market leaders have in the effectiveness of their security controls,” said Daimon Geopfert, principal and national leader of security & privacy services with RSM US LLP. “While the headlines may focus on the breaches experienced by large corporations, the glaring reality is that the often-overlooked middle market is a prime target. The jeopardy to this sector is growing, and firms must ensure that security investments, controls and communication align with rising threats.”
Responding to a Rapidly Evolving Regulatory Environment
A growing number of countries and states are beginning to enact cybersecurity legislation to mitigate risk and strengthen data protection. Many middle market companies are required to comply with the European Union’s General Data Protection Regulation (GDPR), and legislation is already emerging in the U.S., led by the California Consumer Protection Act, which is scheduled to take effect in 2020.
These regulations are expected to impact the middle market, yet companies have been slow to develop GDPR-compliant privacy processes. In fact, only 40 percent of respondents are familiar with the requirements of the GDPR law or other privacy regulations.
It is imperative for middle market companies to start building familiarity with existing regulations now, so these policies can serve as a helpful foundation to prepare for what is certain to be an active future for data privacy.
Cyber Insurance: Future-Proofing Security
To combat the repercussions that cybercrime threats like ransomware can have on organizations’ financials and operations, cyber insurance has become an effective and critical solution.
More than half (57 percent) of middle market executives surveyed carry cyber insurance to mitigate risk, a five percentage point increase from 2018. While the usage of cyber insurance is gaining momentum and popularity, many executives do not have a full understanding of their policies and coverage. In fact, the survey reveals that 41 percent of the companies that carry policies are somewhat familiar or not at all familiar with their coverage levels.
“Executing a cyber insurance policy is important to limit exposure, and it’s encouraging that there has been an uptick in implementation among middle market firms,” said Ken Stasiak, consulting principal with RSM US LLP. “But companies must also remember to periodically evaluate any existing insurance policies to account for evolving and emerging risks.”
As cyber attacks continue to grow in severity, scope and scale, executives must stay aware of potential vulnerabilities and understand the most effective methods to alleviate the risk. The most effective cybersecurity strategies will protect data, identify and address threats, and scale to encompass emerging technology, business expansion and other challenges.
The survey data that informs the index reading was gathered between January 14 and February 1, 2019. To learn more about the middle market and the MMBI, visit the RSM website.
RSM’s purpose is to deliver the power of being understood to our clients, colleagues and communities through world-class audit, tax and consulting services focused on middle market businesses. The clients we serve are the engine of global commerce and economic growth, and we are focused on developing leading professionals and services to meet their evolving needs in today’s ever-changing business environment.
RSM US LLP is the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with 51,000 people across 123 countries. For more information, visit rsmus.com.