
The Importance of Cyber Liability Coverage for Middle-Market Firms

Midsize companies are often targets due to having lower budgets for cybersecurity than their larger counterparts. This, coupled with fewer and outdated IT resources, makes the likelihood of a cyber attack higher.

Middle-market firms have increasingly become a target of cyber threats, with more hackers realizing the vulnerabilities in security measures. These attacks harm companies' operations, assets and reputations. Often, recovery from such incidents is exceedingly challenging.

There is a common misconception that large enterprises are most susceptible to cyberattacks. However, these threats impact businesses of all sizes, including middle-market firms. One in 3 small and medium-sized businesses have experienced a cyberattack such as ransomware, phishing or data breaches, according to a 2024 study by Microsoft and Bredin. The average cost of a cyberattack is $250,000.

Midsize companies are often targets due to having lower budgets for cybersecurity than their larger counterparts. Additionally, fewer resources usually translate into fewer information technology (IT) specialists to ensure robust security measures. This, coupled with outdated IT security software and a higher risk of stolen data, raises the likelihood of successful cyber intrusion, ransomware attacks, phishing schemes and denial-of-service (DoS) attacks.

Cyberattacks most frequently impact financial institutions. The global financial sector has endured $12 billion in direct losses since 2004, with $2.5 billion in direct losses since 2020, according to a 2024 International Monetary Fund report. These numbers do not include the forensics, legal and public relations expenses accrued during incident responses.

If a cyberattack occurs, companies must notify customers of breaches, which may undermine their confidence in the business. Likewise, firms must settle any fines, resolve business disruptions and repair damage to public perception by regaining consumer trust and loyalty. Approaches could include responding to negative media coverage and revamping the brand image.

Mid-market firms must develop a comprehensive cyber risk assessment to determine whether their existing cybersecurity measures and infrastructure can withstand today's advanced threats. An evaluation should examine data security practices, access controls, encryption techniques and storage to protect sensitive information. Likewise, assessing third-party risks from cloud providers and vendors is equally important.

Companies might hire an expert to consider cyber risks and help prioritize the most appropriate cybersecurity protections. For example, a Cybersecurity Maturity Model Certification Third-Party Assessor Organization (C3PAO) is an option for defense industrial base contractors and subcontractors. Businesses must decide the level of security required for handling classified government information. This will enable them to select an appropriate C3PAO with authorization to access and view such data.

Likewise, an organization that works with U.S. intelligence should select a C3PAO with knowledge of those practices.

Independent insurance agents should stress the importance of cyber liability for their midsize commercial clients to defend against data breaches, attacks on vendor-held information and network breaches.

There are two types of coverages clients should consider:

1) First-party coverage. This protects company, employee and consumer data and assists with costs related to legal aid, data recovery, customer notification, lost income, public relations, cyber extortion and other fines.

2) Third-party coverage. This protects businesses from liability when a third party brings a claim against them, such as consumer payments, defamation loss, copyright infringement, claims and litigation costs, and accounting fees.

The average cost of a data breach increased 10% in 2024, according to IBM, underscoring the importance of cybersecurity measures for midsized businesses. To help companies protect themselves, agents should encourage them to:

  • Develop a comprehensive cybersecurity framework.
  • Create a solid cybersecurity incident response plan.
  • Utilize strong password protection and multifactor authentication.
  • Ensure all security software and systems are updated.
  • Integrate data encryption and access controls.
  • Implement cybersecurity training for all employees.

Devin Partida is the editor-in-chief of ReHack.com, and is especially interested in writing about business and InsurTech. Partida's work has been featured on Entrepreneur, Forbes and Nasdaq.

Monday, June 2, 2025
Cyber Liability
Big I Markets