New data cautions that although cyber breaches have fallen significantly after reaching a record high of 28 percent in 2024, middle market companies must remain diligent in their cybersecurity efforts.

The 10th annual RSM US “Middle Market Business Index Special Report: Cybersecurity 2025” found that nearly one in five (18 percent) middle market organizations experienced a data breach in the last year, though almost all (97 percent) surveyed executives reported feeling confident in their current security measures.

The special report, presented by RSM in partnership with the U.S. Chamber of Commerce, reviews cybersecurity trends, strategies and concerns shaping the marketplace for midsize businesses, noting differences between smaller ($10 million to less than $50 million in revenue) and larger ($50 million to $1 billion in revenue) middle market organizations.

Larger companies were twice as likely as smaller companies to suffer a breach in the past year, with 24 percent of respondents from larger firms reporting a breach compared to 12 percent of respondents from smaller firms.

Data also shows that smaller middle market firms appear to lag their larger counterparts in cybersecurity budgets and staffing, as well as in identity and access management and in implementing advanced AI governance protocols.

“While this year’s survey results are encouraging, the drop in reported breaches may be attributed to normalization following a spike in 2024 due to the sanctions and disruption in the financial network related to the Russia-Ukraine conflict,” said Tauseef Ghazi, national leader of security and privacy with RSM US LLP. “With the increasing complexity of attacks, it’s also possible that some companies may not have identified the presence of an attacker in their systems. This means continued vigilance is necessary, especially with the augmentation of AI to support malicious activities.”

Firms are prioritizing cybersecurity, according to the survey of 402 middle market executives in the U.S., with 91 percent of respondents indicating they expect their organization’s cybersecurity budget to increase in the year ahead.

RSM recommends firms ensure their cybersecurity investment strategies are effective by not overlooking consultative resources that could help drive automation with better engineering to solve problems at a lower cost.

The share of firms that reported carrying a cyber insurance policy also reached a record high in the history of the report – up to 82 percent from 76 percent a year ago.

But familiarity with their policies dropped to 69 percent from 75 percent in the 2024 data. The decline is most pronounced among smaller firms, with positive responses for this segment declining to 51 percent from 66 percent last year.

Strategies to limit business disruptions are increasing.

Fifty-two percent of respondents said they are developing communications plans for crises or disruptions, 51 percent said they are developing and maintaining a business continuity plan, and half (50 percent) are implementing disaster recovery plans for critical systems.

When segmented by firm size, the top continuity strategy for larger firms is leveraging technology to hunt for threats and respond to cyber events (47 percent).

Only 46 percent of larger and 37 percent of smaller middle market companies reported collaborating with external partners such as suppliers and regulators for coordinated resilience planning.

“As the cyber landscape continues to evolve, it’s more important than ever for businesses to understand and incorporate advanced technologies to bolster their cyber posture,” said Christopher D. Roberti, senior vice president for Cyber, Space and National Security Policy at the U.S. Chamber of Commerce. “As we enter this new era of risk and uncertainty, the U.S. Chamber is advocating for a collaborative approach to cybersecurity, emphasizing the importance of public-private partnerships and industry-led standards to enhance our collective security and resilience.”

Ransomware continues to be a significant threat to the middle market, with 25 percent of surveyed executives reporting at least one ransomware attack or demand in the previous 12 months.

Data indicates that larger middle market companies are more at risk, with 35 percent of respondents in this segment reporting at least one attack or request, compared to 15 percent of smaller middle market organizations.

Among companies that experienced at least one ransomware attack in the past year, 31 percent said existing security measures were unsuccessful, 28 percent said they were partially successful and 41 percent said they were completely successful.

Data showed minimal differences in the effectiveness of ransomware defenses between smaller and larger middle market companies.

Staffing represents another significant challenge that is projected to persist as qualified cybersecurity talent is difficult to attract and expensive to retain.

Thirty-three percent of respondents indicated they have five or fewer data security and privacy employees.

While most respondents from smaller companies cited having 0-5 internal personnel focused on data security and privacy, 36 percent of larger organizations reported having 6-10 employees and another 36 percent said they have 11-15 employees.

To help fill the gap, some middle market organizations are outsourcing cybersecurity functions, with 51 percent stating they outsourced cybersecurity risk and compliance management.

Other leading functions outsourced by respondents include cyber incident response and forensics (46 percent), the security operations center (46 percent), security awareness training (44 percent) and vulnerability management (44 percent).

The survey indicates AI governance could be a weak spot for middle market firms, especially smaller organizations, with 34 percent of smaller middle market companies reporting that AI governance steps are not yet in place, which suggests they are either not yet using AI or that their data is likely at an elevated risk if they are using AI.

This year’s special report also includes segmented findings from 101 Canadian middle market executives who completed the MMBI survey.

Canadian firms are less likely to have cyber insurance coverage than U.S. companies (68 percent versus 82 percent).

A smaller share of Canadian firms indicate they don’t have AI governance in place compared to U.S. respondents (5 percent versus 20 percent), likely due to Canada’s efforts to regulate AI at the federal level.

On average, Canadian respondents have larger cybersecurity teams, with 39 percent saying they have 16 or more employees, compared to 11 percent in the U.S.