Despite rising cyber insurance adoption, RSM US report reveals that middle-market firms are falling behind on foundational security practices as breaches hit 55% of companies.

More than half of U.S. middle market companies experienced a data breach in the past year, a significant increase from 2023, according to a new special report on cybersecurity from consulting firm RSM US. The findings show that while more firms are adopting cyber insurance, they are struggling to keep up with an increasingly complex threat environment.

Why it matters: The jump in reported breaches, despite a corresponding rise in cyber insurance coverage, suggests that many companies may be treating insurance as a primary defense rather than one component of a broader security strategy. The data points to persistent gaps in areas like employee training and third-party risk management.

By the numbers:

  • 55% of executives reported their company experienced a data breach in the last year, up from 42% in 2023.
  • 76% of respondents now have cyber insurance, an increase from 63% in the prior year.
  • 46% of data breaches originated from a third-party vendor, a notable jump from 33% in 2023.
  • 21% of business leaders cited ransomware as their top security concern.

The big picture: The report indicates a disconnect between perceived preparedness and the reality of the threat landscape. While companies are investing in insurance, foundational security practices appear to be lagging. Only 44% of surveyed executives said their organizations train all employees on cybersecurity awareness, leaving organizations significantly exposed to human error.

Zoom in: The adoption of artificial intelligence is creating new challenges. While 73% of executives report using or considering generative AI, 57% also view it as one of their top five security risks. This shows a tension between the push for technological advancement and the ability to secure these new systems against exploitation.

What they're saying: "Cyber insurance is a valuable risk management tool, but it should not be a company's only line of defense," said Tauseef Ghazi, national leader of security and privacy risk consulting for RSM US, in a statement. "Organizations need to be proactive and build a comprehensive cybersecurity program that aligns with their risk tolerance and business strategy."

What to watch: As threats from third-party vendors and emerging technologies like AI continue to grow, companies will face pressure to shift from a reactive security posture to a more proactive one. This will likely involve increased investment in comprehensive employee training, stricter third-party vendor vetting, and the development of clear governance for the use of AI.

See the full RSM US Cybersecurity Special Report here.

SOURCE: RSM US
