Kimberly Bartok, Enterprise Public Relations Leader, kim.bartok@rsmus.com, 212.372.1239
Andreia DeVries, Enterprise Public Relations Manager, andreia.devries@rsmus.com, 919.645.6821
for media use only
CHICAGO – (May 30, 2024) – Cybersecurity attacks continue to be a significant risk for middle market companies as the increasingly complex threat environment includes emerging technologies such as generative AI, according to the RSM US Middle Market Business Index Special Report: Cybersecurity 2024, presented by RSM US LLP (“RSM”) in partnership with the U.S. Chamber of Commerce. The report also highlights a sense of complacency among many companies amid fatigue after consistently hearing about risks and attacks for several years, but notes that firms must remain vigilant to protect sensitive data and ensure sustainable operations.
The MMBI data shows that 28% of middle market executives reported their company experienced a data breach in the last year, matching a record high set by the 2021 RSM survey results. Reported breaches at smaller middle market firms ($10 million to less than $50 million in revenue) rose to 20% from 12%, and breaches at larger companies ($50 million to $1 billion in revenue) increased to 37% from 28% since last year’s survey. Though breaches were up, 95% of survey respondents indicated they are confident in their current security measures.
“The cybersecurity landscape is complex and cyber threat actors are relentless,” said Tauseef Ghazi, national leader of security and privacy with RSM US LLP. “This year’s survey data is telling us that while middle market firms are taking cybersecurity seriously, they may also be feeling a little complacent. Now is not the time to get complacent. Cybersecurity events can result in significant financial repercussions, reputational harm and operational chaos. Companies must ensure that controls are up to date and protective measures, including an ecosystem of supporting cyber partners, are leveraged to strengthen their cybersecurity strategy.”
The survey research also provides insights into the cybersecurity measures at smaller and larger middle market organizations, and in many cases, large gaps exist between the two groups. The data shows smaller middle market firms lag their larger counterparts in budgets and staffing, as well as confidence in implementing, generating value from and using technology to address threats.
Ransomware Attacks Remain Prominent; Vulnerabilities in Third-Party Risk Strategies
Ransomware remains a widespread concern in the middle market, and 30% of surveyed executives reported having at least one ransomware attack or demand in the last 12 months. Forty-one percent of executives from larger firms disclosed at least one attack or demand in the last year, which is a decline of 13%. In contrast, 21% of executives from smaller middle market companies reported an attack or demand in the last year, representing an increase of 8%.
Of the companies that reported at least one attack in the last year, 28% said existing security measures were unsuccessful, 32% said they were partially successful and 40% said they were completely successful.
The RSM report explains that many ransomware attacks are the result of vulnerabilities within third-party risk strategies, and the survey data reveals opportunities for middle market companies to improve those controls. For example, almost two-thirds of respondents (64%) regularly evaluate cybersecurity controls at third parties and nearly three in five (58%) include service-level agreements and other data and security controls in contractual agreements.
“Amid escalating and evolving cyber threats and risks to businesses, President Biden’s administration has recast the regulatory and governance landscape to focus on rebalancing responsibility for cybersecurity, shifting liability for products and services not secured by design, and realigning incentives to favor long-term investments in security, resilience, and risk management,” said Vincent Voci, vice president, cyber policy and operations at the U.S. Chamber of Commerce. “The U.S. Chamber urges all organizations to invest more fully in cybersecurity, involve their senior business leaders in the cybersecurity conversation, and meaningfully and proactively collaborate with government agencies and law enforcement on cyber threats. Secure and trusted digital technologies are critical to national and economic security.”
Middle Market Prioritizing Cybersecurity; Staffing Concerns Persist
Middle market executives are taking cybersecurity seriously, as indicated by the record-high number of companies who indicated they carry a cyber insurance policy – up to 76% from 68% a year ago. Importantly, executives’ understanding of what these policies cover is increasing too. Seventy-five percent of middle market executives carrying a policy indicated they are familiar with their policy, up from 62% last year.
The MMBI survey data shows that 37% of executives plan to increase the proportion of their organization's revenue devoted to cybersecurity in the upcoming year, but this figure differs greatly by firm size. Forty-eight percent of larger middle market companies plan to increase the amount of revenue dedicated to cybersecurity, compared to only 29% of smaller businesses. Thirty-four percent of companies report having cybersecurity budgets under the chief financial officer, with 32% residing under the chief executive officer.
Cybersecurity staffing remains a challenge in the middle market, and more than 60% of survey respondents report having two or fewer data security and privacy employees. Not surprisingly, larger middle market organizations have more dedicated internal staff; a plurality of those respondents (40%) had four individuals or more. Meanwhile, 27% of smaller middle market companies – the largest response in that subset – cited no internal personnel, but instead leverage external providers for data security. The RSM report also notes firms may have challenges in ensuring they have the right people with the skillsets to match advancing technologies.
Additional Insights and Industry Perspectives in Full Report
The cybersecurity special report delves into firms’ digital identity strategies and other preventive measures, their cloud migration progress, and their preparedness for emerging data privacy regulations. It also explores cybersecurity dynamics in several industries, including technology, telecoms, manufacturing, real estate and construction, professional services, government contracting, retail, financial services and health care. Industry insights can be found in the full report.
The survey data that informs this index reading was gathered from 403 respondents between Jan. 8 and Feb. 16, 2024.
About the RSM US Middle Market Business Index
RSM US LLP and the U.S. Chamber of Commerce have partnered to present the RSM US Middle Market Business Index (MMBI). It is based on research of middle market firms conducted by Harris Poll, which began in the first quarter of 2015. The survey is conducted four times a year, in the first month of each quarter: January, April, July and October. The survey panel consists of approximately 1,500 middle market executives and is designed to accurately reflect conditions in the middle market.
Built in collaboration with Moody’s Analytics, the MMBI is born out of the subset of questions in the survey that asks respondents to report the change in a variety of indicators. Respondents are asked a total of 20 questions patterned after those in other qualitative business surveys, such as those from the Institute of Supply Management and National Federation of Independent Businesses.
The 20 questions relate to changes in various measures of their business, such as revenues, profits, capital expenditures, hiring, employee compensation, prices paid, prices received and inventories. There are also questions that pertain to the economy and outlook, as well as to credit availability and borrowing. For 10 of the questions, respondents are asked to report the change from the previous quarter; for the other 10 they are asked to state the likely direction of these same indicators six months ahead.
The responses to each question are reported as diffusion indexes. The MMBI is a composite index computed as an equal weighted sum of the diffusion indexes for 10 survey questions plus 100 to keep the MMBI from becoming negative. A reading above 100 for the MMBI indicates that the middle market is generally expanding; below 100 indicates that it is generally contracting. The distance from 100 is indicative of the strength of the expansion or contraction.
About The U.S. Chamber of Commerce
The U.S. Chamber of Commerce is the world’s largest business organization representing companies of all sizes across every sector of the economy. Members range from the small businesses and local chambers of commerce that line the Main Streets of America to leading industry associations and large corporations.
They all share one thing: They count on the U.S. Chamber to be their voice in Washington, across the country, and around the world. For more than 100 years, we have advocated for pro-business policies that help businesses create jobs and grow our economy.
RSM empowers middle market companies worldwide to take charge of change. The clients we serve are the engine of global commerce and economic growth. Our unique middle market perspective makes RSM the natural choice for growth-oriented, internationally active organizations seeking relevant insights and tailored, innovative solutions for a complex and changing world. With a global reach spanning more than 120 countries, we instill confidence in a world of change by bringing the full power of RSM to make a lasting impact on our clients, colleagues and communities. For more information, visit rsmus.com, like us on Facebook, follow us on X and/or connect with us on LinkedIn.