The 2025 Certainty Project Report

Cybersecurity Risks Cause Middle-Market CFOs to Cancel Innovation Plans

January 2025

Not having certainty in key operations is plenty to challenge middle-market firms, but cybersecurity risks complicate the picture. Companies already grappling with considerable uncertainty are nearly twice as likely as the average firm to express significant cybersecurity concerns. Ripple effects include lost revenue and canceled tech initiatives, but some middle-market CFOs are stepping up to the challenge and foresee a brighter future.


    CFOs for middle-market firms commonly report that cybersecurity risks are a threat. The stakes are even greater for firms operating in environments with high uncertainty. Twice as many of these firms as the average report significant concerns about cybersecurity threats (88% versus 42%).

    Firms operating with high uncertainty contend with changes outside of their control: fluctuating demand, supply chain disruptions or macroeconomic volatility, to name a few. These conditions have real costs and can press CFOs to prioritize the most immediate concerns rather than invest in the long term.

    Financial disruptions from these threats often delay or cancel tech initiatives: 81% of high-uncertainty firms report stalled innovation due to cybersecurity challenges. In other words, high-uncertainty environments likely encourage CFOs to prioritize cybersecurity over innovation, which could have long-term ramifications as less uncertain competitors upgrade technology.

    That said, short-term consequences for ignoring cybersecurity risks are also severe. Failure to address cyber threats often leads to direct financial losses more expensive than mitigation costs.

    Middle-market CFOs implement strategies such as AI-driven threat detection, enhanced cybersecurity training and stricter operational safeguards to tackle these risks. However, even these steps leave many companies struggling to manage the uncertainty that cyber threats bring. Collectively, the data indicates a pressing need for practical, scalable solutions.

    These are just some of the findings in this edition of PYMNTS Intelligence’s Certainty Project Report. Drawing on insights from 60 CFOs surveyed between Nov. 7, 2024, and Nov. 15, 2024, this exclusive report explores how firms respond to cybersecurity challenges in volatile conditions and outlines strategies for balancing resilience and growth.

    High-Uncertainty Environments Make Cybersecurity Risks More Urgent

    Firms with lower revenues or higher uncertainty find cybersecurity risks a greater challenge.

    While most firms express some concerns over cybersecurity risks, high-uncertainty firms are very likely to report the strongest levels of concern. Overall, 42% of middle-market CFOs reported high levels of concern about cybersecurity threats. However, the share more than doubles to 88% for firms facing high uncertainty. These firms are also more likely to create dedicated cybersecurity teams — 46% for the most concerned versus 22% for the least.

    Operational uncertainty can pressure firms to reallocate their resources. While these reallocations can target cybersecurity issues, the shifts can also disrupt operations. CFOs told us errors, delays and missed opportunities were the most commonly reported impacts of cybersecurity risks. Firms in high-uncertainty environments were much more likely than the average firm to report lost revenue, at 38% and 27%, respectively, and missed opportunities, at 44% and 30%, respectively.

    Additionally, high-uncertainty firms face significant challenges in fulfilling client orders and maintaining profit margins, with 31% and 19%, respectively, citing these as direct impacts of cyber risks. Order fulfillment and maintaining profitability are crucial to the short-term survival of a business. Such disruptions to cash flow and financial health can also hinder strategic growth, limiting firms’ long-term competitiveness.

    How middle-market CFOs are fighting back

    Firms are implementing a mix of basic and advanced mitigation strategies to combat cybersecurity challenges. Common actions include updating password policies and expanding employee cybersecurity training programs, which at least one-third of firms overall took. While essential, these measures often fall short for high-uncertainty firms facing more complex threats.

    High-uncertainty firms are especially likely to have turned to advanced technologies. For example, 44% of the most uncertain firms have invested in technologies like AI-driven threat detection. They also lead in conducting risk assessments (50%) and buying insurance (31%), suggesting that they understand their vulnerabilities all too well and are willing to allocate capital to address them.

    Firms Lose More Money to Cybersecurity Threats Than They Spend Fighting Them

    Costs to curtail cybersecurity threats are most concerning to high-uncertainty firms.

    Arguably, cybersecurity threats impose a kind of tax on middle-market firms — one magnified in high-uncertainty environments. Among all respondents, 72% reported concerns over direct financial losses due to cybersecurity incidents. This figure surged to 88% for firms navigating heightened uncertainty. The reality that smaller shares of medium- and low-uncertainty firms share this concern (67% and 65%, respectively) suggests that volatile conditions amplify the impact of cybersecurity risks.

    Mitigation costs remain substantial across all surveyed firms: 72% of respondents overall cite them as a significant burden. For high-uncertainty firms, these costs often occur alongside more significant direct losses, which can intensify budget strains. However, more than three-quarters of firms with lower uncertainty levels struggle with their concerns over the loss of customers.

    These rather divergent experiences for middle-market firms highlight how those at different ends of the uncertainty spectrum experience cybersecurity risks in distinct ways. For firms operating in less uncertain settings, investments can more effectively balance immediate short-term needs and longer-view innovation-focused spending. Firms operating with more uncertainty move to put out fires in the short term, which can lead to underinvestment in the long term. This difference emphasizes the need for dynamic risk management frameworks that can adapt to mitigate a firm’s unique sources of uncertainty.

    Cybersecurity Risks’ Other Costs: Tech Delays and Innovation Stagnation

    Middle-market firms frequently delay or cancel tech initiatives over cybersecurity risks.

    Cyber threats can derail tech innovation. Nearly one-third (32%) of firms overall reported frequently delaying or canceling tech initiatives due to these concerns. This disruption intensifies in high-uncertainty environments. Here, 81% of firms cited frequently having to delay or cancel any innovation or technology initiatives due to considerations related to cybersecurity risk in the last 12 months. The consequences of such an impact on innovation can erode competitive position.

    They’re hardly alone, though. Larger firms — those generating $400 million to $1 billion in revenue — report facing greater challenges. Among these larger middle-market organizations, 38% report frequent disruptions to tech initiatives. By comparison, smaller firms reported fewer delays (26%), likely due to their relatively smaller attack surfaces.

    But the consequences extend beyond delays. Errors and delays cost time, which compounds the operational inefficiencies cited by 27% of all firms. Likewise, lost revenue, cited by 33% of firms, reflects the cascading effects of delayed innovation and weakened competitive positioning. Cybersecurity threats can hinder many of the immediate tech initiatives that inform broader strategic goals.

    As firms grapple with these issues, they must weigh the trade-offs between investing in cybersecurity defenses and maintaining the momentum of technological innovation. High-uncertainty firms are most likely to face significant challenges, requiring a delicate balance between risk management and growth objectives.

    Middle-Market CFOs Have Optimistic Outlooks on Cybersecurity — Unless Uncertainty is High

    Most CFOs expect cybersecurity risk levels to improve in the next 12 months.

    CFOs have mixed expectations for cybersecurity improvements over the next 12 months. The data reveals stark contrasts between firms operating in stable and uncertain conditions. While 52% of middle-market firms overall express optimism, the cybersecurity situation remains more pressing for the most uncertain firms.

    Just 19% of CFOs in high-uncertainty organizations expect conditions to improve, compared to 74% of firms with low uncertainty. This very large gap highlights how operational uncertainty tempers confidence as high-uncertainty firms grapple with more sophisticated threats and resource constraints.

    Conversely, 31% of high-uncertainty firms expect cybersecurity risks to worsen, almost eight times the 4% rate reported by low-uncertainty firms. This pessimism points to how mounting threats and limited resources leave high-uncertainty firms feeling vulnerable. Similarly, low-revenue firms feel more pessimistic going forward than their larger rivals.


    Methodology

    This edition of the 2025 Certainty Project is based on a survey conducted from Nov. 7, 2024, to Nov. 15, 2024. The report examines how cybersecurity risks and operational uncertainty intersect, shaping financial and operational strategies for middle-market firms. Our sample included 60 CFOs from middle-market firms with annual revenues between $100 million and $1 billion, offering insights into their challenges, mitigation strategies, and outlooks for managing evolving cybersecurity threats.

    About

    PYMNTS INTELLIGENCE

    PYMNTS Intelligence is a leading global data and analytics platform that uses proprietary data and methods to provide actionable insights on what’s now and what’s next in payments, commerce and the digital economy. Its team of data scientists include leading economists, econometricians, survey experts, financial analysts and marketing scientists with deep experience in the application of data to the issues that define the future of the digital transformation of the global economy. This multilingual team has conducted original data collection and analysis in more than three dozen global markets for some of the world’s leading publicly traded and privately held firms.

    The PYMNTS Intelligence team that produced this report:

    Yvonni Markaki, PhD: SVP, Data Products
    Ignacio Marquez: Senior Analyst
    Adam Putz, PhD: Senior Writer
    Matt Vuchichevich: Senior Content Editor, Head of Reports


    We are interested in your feedback on this report. If you have questions or comments, or if you would like to subscribe to this report, please email us at feedback@pymnts.com.

    Disclaimer

    The 2024 Certainty Project may be updated periodically. While reasonable efforts are made to keep the content accurate and up to date, PYMNTS MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, REGARDING THE CORRECTNESS, ACCURACY, COMPLETENESS, ADEQUACY, OR RELIABILITY OF OR THE USE OF OR RESULTS THAT MAY BE GENERATED FROM THE USE OF THE INFORMATION OR THAT THE CONTENT WILL SATISFY YOUR REQUIREMENTS OR EXPECTATIONS. THE CONTENT IS PROVIDED “AS IS” AND ON AN “AS AVAILABLE” BASIS. YOU EXPRESSLY AGREE THAT YOUR USE OF THE CONTENT IS AT YOUR SOLE RISK. PYMNTS SHALL HAVE NO LIABILITY FOR ANY INTERRUPTIONS IN THE CONTENT THAT IS PROVIDED AND DISCLAIMS ALL WARRANTIES WITH REGARD TO THE CONTENT, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT AND TITLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES, AND, IN SUCH CASES, THE STATED EXCLUSIONS DO NOT APPLY. PYMNTS RESERVES THE RIGHT AND SHOULD NOT BE LIABLE SHOULD IT EXERCISE ITS RIGHT TO MODIFY, INTERRUPT, OR DISCONTINUE THE AVAILABILITY OF THE CONTENT OR ANY COMPONENT OF IT WITH OR WITHOUT NOTICE.

    PYMNTS SHALL NOT BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND, IN PARTICULAR, SHALL NOT BE LIABLE FOR ANY SPECIAL, INDIRECT, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE, OR LOSS OF USE, ARISING OUT OF OR RELATED TO THE CONTENT, WHETHER SUCH DAMAGES ARISE IN CONTRACT, NEGLIGENCE, TORT, UNDER STATUTE, IN EQUITY, AT LAW, OR OTHERWISE, EVEN IF PYMNTS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    SOME JURISDICTIONS DO NOT ALLOW FOR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, AND IN SUCH CASES SOME OF THE ABOVE LIMITATIONS DO NOT APPLY. THE ABOVE DISCLAIMERS AND LIMITATIONS ARE PROVIDED BY PYMNTS AND ITS PARENTS, AFFILIATED AND RELATED COMPANIES, CONTRACTORS, AND SPONSORS, AND EACH OF ITS RESPECTIVE DIRECTORS, OFFICERS, MEMBERS, EMPLOYEES, AGENTS, CONTENT COMPONENT PROVIDERS, LICENSORS, AND ADVISERS.

    Components of the content original to and the compilation produced by PYMNTS are the property of PYMNTS and cannot be reproduced without its prior written permission.