10th Annual Cybersecurity Special Report by RSM US Details Sophisticated Threat Environment, Highlighting Progress and Risk Mitigation Opportunities

CHICAGO –​ (April 17, 2025) – The 10th annual RSM US Middle Market Business Index Special Report: Cybersecurity 2025 found that nearly one in five (18%) middle market organizations experienced a data breach in the last year, though almost all (97%) surveyed executives reported feeling confident in their current security measures. The special report, presented by RSM US LLP (“RSM”) in partnership with the U.S. Chamber of Commerce, notes that while reported breaches fell significantly after reaching a record-high of 28% in the 2024 survey, companies must remain diligent in their cybersecurity efforts amid an environment of constantly emerging and evolving threats. 

The RSM report provides insights into cybersecurity trends, strategies and concerns shaping the marketplace for midsize businesses, noting differences between smaller ($10 million to less than $50 million in revenue) and larger ($50 million to $1 billion in revenue) middle market organizations. For instance, larger companies were twice as likely than smaller companies to suffer a breach in the past year, with 24% of respondents in this segment reporting a breach compared to 12% of respondents from smaller firms. The data also shows that smaller middle market firms appear to lag their larger counterparts in cybersecurity budgets and staffing, as well as in identity and access management, and implementing advanced AI governance protocols.

“While this year’s survey results are encouraging, the drop in reported breaches may be attributed to normalization following a spike in 2024 due to the sanctions and disruption in the financial network related to the Russia-Ukraine conflict,” said Tauseef Ghazi, national leader of security and privacy with RSM US LLP. “With the increasing complexity of attacks, it’s also possible that some companies may not have identified the presence of an attacker in their systems. This means continued vigilance is necessary, especially with the augmentation of AI to support malicious activities.”

Firms Continue Investing in Business Continuity and Resiliency Strategies

The survey of 402 middle market executives in the U.S. shows that firms are prioritizing cybersecurity, as underscored by the 91% of respondents who said they expect their organization’s cybersecurity budget to increase in the year ahead. The RSM report recommends that firms ensure their cybersecurity investment strategies are effective by not overlooking consultative resources that could help drive automation with better engineering to solve problems at a lower cost.

The number of firms that reported carrying a cyber insurance policy also reached a record-high in the history of the report – up to 82% from 76% a year ago. Despite that increase, familiarity with their policy coverages dropped to 69% from 75% in the 2024 data. This decline is most pronounced among smaller firms, as positive responses for this segment decreased to 51% from 66% last year.

In addition to cyber insurance, companies are implementing strategies to limit business disruptions. Fifty-two percent of respondents said they are developing communications plans for crises or disruptions, 51% said they are developing and maintaining a business continuity plan, and half (50%) are implementing disaster recovery plans for critical systems. When segmented by firm size, the top continuity strategy for larger firms is leveraging technology to hunt for threats and respond to cyber events (47%). Of note, only 46% of larger and 37% of smaller middle market companies reported collaborating with external partners such as suppliers and regulators for coordinated resilience planning.

“As the cyber landscape continues to evolve, it’s more important than ever for businesses to understand and incorporate advanced technologies to bolster their cyber posture,” said Christopher D. Roberti, Senior Vice President for Cyber, Space and National Security Policy at the U.S. Chamber of Commerce. “As we enter this new era of risk and uncertainty, the U.S. Chamber is advocating for a collaborative approach to cybersecurity, emphasizing the importance of public-private partnerships and industry-led standards to enhance our collective security and resilience.”

Ransomware, Staffing and AI Governance Challenge the Middle Market

Ransomware continues to be a significant threat to the middle market, and 25% of surveyed executives reported experiencing at least one ransomware attack or demand in the previous 12 months. The data indicates that larger middle market companies are more at risk, with 35% of respondents in this segment reporting at least one attack or request, compared to 15% of smaller middle market organizations.

Among companies that experienced at least one ransomware attack in the past year, 31% said existing security measures were unsuccessful, 28% said they were partially successful and 41% said they were completely successful. The survey data showed minimal differences in the effectiveness of ransomware defenses between smaller and larger middle market companies.

Staffing represents another significant challenge that is projected to persist as qualified cybersecurity talent is difficult to attract and expensive to retain. Thirty-three percent of respondents indicated they have five or fewer data security and privacy employees. While most respondents from smaller companies cited having 0-5 internal personnel focused on data security and privacy, 36% of larger organizations reported having 6-10 employees and another 36% said they have 11-15 employees.

To help fill the gap, some middle market organizations are outsourcing cybersecurity functions, with 51% stating they outsourced cybersecurity risk and compliance management. Other leading functions outsourced by respondents include cyber incident response and forensics (46%), the security operations center (46%), security awareness training (44%) and vulnerability management (44%).

The survey data also implies that AI governance could be a weak spot for middle market firms, especially smaller organizations. Notably, 34% of smaller middle market companies noted that AI governance steps are not yet in place, indicating they are either not yet using AI or that their data is likely at an elevated risk if they are using AI.

Few Differences Reported by Canadian Middle Market Firms

This year’s special report also includes segmented findings from 101 Canadian middle market executives who completed the MMBI survey. While many findings were similar to those in the U.S., a few notable differences were identified. Canadian firms are less likely to have cyber insurance coverage than U.S. companies (68% versus 82%). A smaller share of Canadian firms indicate they don’t have AI governance in place compared to U.S. respondents (5% versus 20%), likely due to Canada’s efforts to regulate AI at the federal level. On average, Canadian respondents have larger cybersecurity teams, with 39% saying they have 16 or more employees, compared to 11% in the U.S.

Additional Insights and Industry Perspectives in Full Report

The cybersecurity special report delves into firms’ digital identity strategies and other preventive measures, and their cloud migration progress. It also explores cybersecurity dynamics in several industries, including consumer products, energy, financial services, health care, life sciences, manufacturing, private equity, real estate, retail, technology and telecom. Industry insights can be found in the full report.

The survey data that informs this index reading was gathered between Jan. 6 and Jan. 27, 2025 in the U.S. and between Jan. 17 and Jan. 29 in Canada.

---

About the RSM US Middle Market Business Index

RSM US LLP and the U.S. Chamber of Commerce have partnered to present the RSM US Middle Market Business Index (MMBI). It is based on research of middle market firms conducted by Harris Poll, which began in the first quarter of 2015. The survey is conducted four times a year, in the first month of each quarter: January, April, July and October. The survey panel consists of approximately 1,600 middle market executives and is designed to accurately reflect conditions in the middle market. 

Built in collaboration with Moody’s Analytics, the MMBI is borne out of the subset of questions in the survey that asks respondents to report the change in a variety of indicators. Respondents are asked a total of 20 questions patterned after those in other qualitative business surveys, such as those from the Institute of Supply Management and National Federation of Independent Businesses. 

The 20 questions relate to changes in various measures of their business, such as revenues, profits, capital expenditures, hiring, employee compensation, prices paid, prices received and inventories. There are also questions that pertain to the economy and outlook, as well as to credit availability and borrowing. For 10 of the questions, respondents are asked to report the change from the previous quarter; for the other 10 they are asked to state the likely direction of these same indicators six months ahead. 

The responses to each question are reported as diffusion indexes. The MMBI is a composite index computed as an equal weighted sum of the diffusion indexes for 10 survey questions plus 100 to keep the MMBI from becoming negative. A reading above 100 for the MMBI indicates that the middle market is generally expanding; below 100 indicates that it is generally contracting. The distance from 100 is indicative of the strength of the expansion or contraction. 

About The U.S. Chamber of Commerce  

The U.S. Chamber of Commerce is the world’s largest business organization representing companies of all sizes across every sector of the economy. Members range from the small businesses and local chambers of commerce that line the Main Streets of America to leading industry associations and large corporations.

They all share one thing:  They count on the U.S. Chamber to be their voice in Washington, across the country, and around the world. For more than 100 years, we have advocated for pro-business policies that help businesses create jobs and grow our economy.  

About RSM US LLP

RSM empowers middle market companies worldwide to take charge of change. The clients we serve are the engine of global commerce and economic growth. Our unique middle market perspective makes RSM the natural choice for growth-oriented, internationally active organizations seeking relevant insights and tailored, innovative solutions for a complex and changing world. With a global reach spanning more than 120 countries, we instill confidence in a world of change by bringing the full power of RSM to make a lasting impact on our clients, colleagues and communities. For more information, visit rsmus.com, like us on Facebook, follow us on X and/or connect with us on LinkedIn.