Report by RSM US LLP
RSM US Middle Market Business Index Special Report: Cybersecurity 2025
Key Findings
51% of middle market organisations stated they outsourced cybersecurity risk and compliance management. Other leading functions outsourced include cyber incident response and forensics (46%), the security operations center (46%), security awareness training (44%), and vulnerability management (44%).
Canadian middle market firms are less likely to have cyber insurance coverage than U.S. companies (68% versus 82%).
A smaller share of Canadian middle market firms indicate they don't have AI governance in place compared to U.S. respondents (5% versus 20%).
15% of smaller middle market organisations reported at least one ransomware attack or request.
12% of respondents from smaller middle market firms (with revenue between $10 million and less than $50 million) reported a breach.
Positive responses regarding familiarity with cyber insurance policy coverages among smaller middle market firms decreased to 51% from 66% last year.
Only 46% of larger and 37% of smaller middle market companies reported collaborating with external partners for coordinated resilience planning.
24% of respondents in larger middle market organisations (with revenue between $50 million and $1 billion) reported a breach.
18% of middle market organisations experienced a data breach in the last year.
On average, Canadian respondents at middle market organisations have larger cybersecurity teams, with 39% saying they have 16 or more employees, compared to 11% in the U.S.
34% of smaller middle market companies noted that AI governance steps are not yet in place.
33% of respondents at middle market organisations indicated they have five or fewer data security and privacy employees.
Among middle market companies that experienced at least one ransomware attack, 31% said existing security measures were unsuccessful.
Familiarity with policy coverages dropped to 69% from 75% in the 2024 data at middle market organisations.
35% of respondents in larger middle market companies reported at least one ransomware attack or request.
41% of respondents at middle market organisations said their existing security measures were completely successful against ransomware attacks.
52% of respondents at middle market organisations said they are developing communications plans for crises or disruptions.
97% of surveyed executives at middle market organisations reported feeling confident in their current security measures.
Reported middle market breaches fell significantly after reaching a record high of 28% in the 2024 survey.
Larger middle market companies were twice as likely as smaller middle market companies to suffer a breach in the past year.
91% of respondents said they expect their middle market organisation's cybersecurity budget to increase in the year ahead.
The share of middle market firms that reported carrying a cyber insurance policy reached a record high of 82%, up from 76% a year ago.
51% of respondents at middle market organisations said they are developing and maintaining a business continuity plan.
50% of respondents at middle market organisations are implementing disaster recovery plans for critical systems.
25% of surveyed executives at middle market organisations reported experiencing at least one ransomware attack or demand in the previous 12 months.
47% of larger middle market firms reported that their top continuity strategy is leveraging technology to hunt for threats and respond to cyber events.
While most respondents from smaller middle market companies cited having 0-5 internal personnel focused on data security and privacy, 36% of larger middle market organisations reported having 6-10 employees and another 36% said they have 11-15 employees in this area.
28% of respondents at middle market organisations said their existing security measures were partially successful against ransomware attacks.