CFOs for middle-market firms commonly report that cybersecurity risks are a threat. The stakes are even greater for firms operating in environments with high uncertainty. Twice as many of these firms report significant concerns about cybersecurity threats as the average (88% versus 42%).
Firms operating with high uncertainty contend with changes outside of their control: fluctuating demand, supply chain disruptions or macroeconomic volatility, to name a few. These conditions have real costs and can press CFOs to prioritize the most immediate concerns rather than invest in the long term.
Financial disruptions from these threats often delay or cancel tech initiatives: 81% of high-uncertainty firms report stalled innovation due to cybersecurity challenges. In other words, high-uncertainty environments likely encourage CFOs to prioritize cybersecurity over innovation, which could have long-term ramifications as less uncertain competitors upgrade technology.
That said, short-term consequences for ignoring cybersecurity risks are also severe. Failure to address cyber threats often leads to direct financial losses more expensive than mitigation costs.
Middle-market CFOs implement strategies such as AI-driven threat detection, enhanced cybersecurity training and stricter operational safeguards to tackle these risks. However, even these steps leave many companies struggling to manage the uncertainty that cyber threats bring. Collectively, the data indicates a pressing need for practical, scalable solutions.
These are just some of the findings in this edition of PYMNTS Intelligence’s Certainty Project Report. Drawing on insights from 60 CFOs surveyed between Nov. 7, 2024, and Nov. 15, 2024, this exclusive report explores how firms respond to cybersecurity challenges in volatile conditions and outlines strategies for balancing resilience and growth.
High-Uncertainty Environments Make Cybersecurity Risks More Urgent
Firms with lower revenues or higher uncertainty find cybersecurity risks a greater challenge.
While most firms express some concerns over cybersecurity risks, high-uncertainty firms are very likely to report the strongest levels of concern. Overall, 42% of middle-market CFOs reported high levels of concern about cybersecurity threats. However, the share more than doubles to 88% for firms facing high uncertainty. These firms are also more likely to create dedicated cybersecurity teams — 46% for the most concerned versus 22% for the least.
Operational uncertainty can pressure firms to reallocate their resources. While these reallocations can target cybersecurity issues, the shifts can also disrupt operations. CFOs told us errors, delays and missed opportunities were the most commonly reported impacts of cybersecurity risks. Firms in high-uncertainty environments were much more likely than the average firm to report lost revenue, at 38% and 27%, respectively, and missed opportunities, at 44% and 30%, respectively.
Additionally, high-uncertainty firms face significant challenges in fulfilling client orders and maintaining profit margins, with 31% and 19%, respectively, citing these as direct impacts of cyber risks. Order fulfillment and maintaining profitability are crucial to the short-term survival of a business. Such disruptions to cash flow and financial health can also hinder strategic growth, limiting firms’ long-term competitiveness.
How middle-market CFOs are fighting back
Firms are implementing a mix of basic and advanced mitigation strategies to combat cybersecurity challenges. Common actions include updating password policies and expanding employee cybersecurity training programs, which at least one-third of firms overall took. While essential, these measures often fall short for high-uncertainty firms facing more complex threats.
High-uncertainty firms are especially likely to have turned to advanced technologies. For example, 44% of the most uncertain firms have invested in technologies like AI-driven threat detection. They also lead in conducting risk assessments (50%) and buying insurance (31%), suggesting that they understand their vulnerabilities all too well and are willing to allocate capital to address them.
Firms Lose More Money to Cybersecurity Threats Than They Spend Fighting Them
Costs to curtail cybersecurity threats are most concerning to high-uncertainty firms.
Arguably, cybersecurity threats impose a kind of tax on middle-market firms — one magnified in high-uncertainty environments. Among all respondents, 72% reported concerns over direct financial losses due to cybersecurity incidents. This figure surged to 88% for firms navigating heightened uncertainty. The reality that smaller shares of medium and low uncertainty firms share this concern (67% and 65%, respectively) suggests that volatile conditions amplify the impact of cybersecurity risks.
Mitigation costs remain substantial across all surveyed firms: 72% of respondents overall cite them as a significant burden. For high-uncertainty firms, these costs often occur alongside more significant direct losses, which can intensify budget strains. However, more than three-quarters of firms with lower uncertainty levels struggle with their concerns over the loss of customers.
These rather divergent experiences for middle-market firms highlight how those at different ends of the uncertainty spectrum experience cybersecurity risks in distinct ways. For firms operating in less uncertain settings, investments can more effectively balance immediate short-term needs and longer-view innovation-focused spending. Firms operating with more uncertainty move to put out fires in the short term, which can lead to underinvestment in the long term. This difference emphasizes the need for dynamic risk management frameworks that can adapt to mitigate a firm’s unique sources of uncertainty.
Cybersecurity Risks’ Other Costs: Tech Delays and Innovation Stagnation
Middle-market firms frequently delay or cancel tech initiatives over cybersecurity risks.
Cyber threats can derail tech innovation. Nearly one-third (32%) of firms overall reported frequently delaying or canceling tech initiatives due to these concerns. This disruption intensifies in high-uncertainty environments. Here, 81% of firms cited frequently having to delay or cancel any innovation or technology initiatives due to considerations related to cybersecurity risk in the last 12 months. The consequences of such an impact on innovation can erode competitive position.
They’re hardly alone, though. Larger firms — those generating $400 million to $1 billion in revenue — report facing greater challenges. Among these larger middle-market organizations, 38% report frequent disruptions to tech initiatives. By comparison, smaller firms reported fewer delays (26%), likely due to their relatively smaller attack surfaces.
But the consequences extend beyond delays. Errors and delays cost time, which compounds the operational inefficiencies cited by 27% of all firms. Likewise, lost revenue, cited by 33% of firms, reflects the cascading effects of delayed innovation and weakened competitive positioning. Cybersecurity threats can hinder many of the immediate tech initiatives that inform broader strategic goals.
As firms grapple with these issues, they must weigh the trade-offs between investing in cybersecurity defenses and maintaining the momentum of technological innovation. High-uncertainty firms are most likely to face significant challenges, requiring a delicate balance between risk management and growth objectives.
Middle-Market CFOs Have Optimistic Outlooks on Cybersecurity — Unless Uncertainty is High
Most CFOs expect cybersecurity risk levels to improve in the next 12 months.
CFOs have mixed expectations for cybersecurity improvements over the next 12 months. The data reveals stark contrasts between firms operating in stable and uncertain conditions. While 52% of middle-market firms overall express optimism, the cybersecurity situation remains more pressing for the most uncertain firms.
Just 19% of CFOs in high-uncertainty organizations expect conditions to improve, compared to 74% of firms with low uncertainty. This very large gap highlights how operational uncertainty tempers confidence as high-uncertainty firms grapple with more sophisticated threats and resource constraints.
Conversely, 31% of high-uncertainty firms expect cybersecurity risks to worsen, almost eight times the 4% rate reported by low-uncertainty firms. This pessimism points to how mounting threats and limited resources leave high-uncertainty firms feeling vulnerable. Similarly, low-revenue firms feel more pessimistic going forward than their larger rivals.
Methodology
This edition of the 2025 Certainty Project is based on a survey conducted from Nov. 7, 2024, to Nov. 15, 2024. The report examines how cybersecurity risks and operational uncertainty intersect, shaping financial and operational strategies for middle-market firms. Our sample included 60 CFOs from middle-market firms with annual revenues between $100 million and $1 billion, offering insights into their challenges, mitigation strategies, and outlooks for managing evolving cybersecurity threats.