Cyberattacks Pose Greatest Threat to Middle-Market Businesses
Cyberattacks are among the risks worrying midsize business leaders, in addition to regulation, supply chain disruption and other threats.
By the close of 2020, nearly 350,000 people in the U.S. had died of COVID-19, but a vaccine looked promising as the middle market, like the rest of the country, braced for another uncertain year.
At the time, many businesses worried about reputational issues and a pending recession in 2020. But now after more than a year, are those same concerns still pressing, or are there other issues that have arisen that now worry businesses more? In other words, how has the pandemic affected the middle market from last year to this one?
In 2020, Boston-based market research firm HawkPartners surveyed more than 300 middle-market executives about how the pandemic has changed their perception of risk.
Sponsored by the Association for Corporate Growth (ACG) and QBE North America, HawkPartners created the second annual Mid-Sized Company Risk Report.
The [cyber] attackers are smart and capable, and there’s a need for organizations to be mindful of this.
Managing Partner, Crosspoint Capital
In 2020, the report showed that businesses were most concerned about the possibility of a recession as the pandemic battered companies, causing many to close and others to manage with Paycheck Protection Program loans.
The new 2021 report highlights the most significant business risks for middle-market companies in various industries, including construction, electronics, financial, banking, and food and beverage. With annual revenues between $200 million and $3 billion, the surveyed companies revealed that in 2021, cyberattacks and security, changing regulations and business interruptions were among the most pressing risks.
In 2020, business executives were worried about cybersecurity, but that risk is even more pronounced today, according to the report.
Middle-market executives cited cybercrimes as a growing concern. According to the FBI 2020 Internet Crime Report, the agency received a significant increase in complaints in 2020 related to internet crimes. The more than 790,000 complaints that year jumped by 300,000 compared to 2019. Losses in 2020 due to internet crime were more than $4.2 billion.
The top cybercrimes reported in 2020 were phishing scams, non-payment/ nondelivery scams and extortion. Also, in 2020, COVID-19 fueled pandemic- related cyberscams, resulting in more than 28,000 complaints that targeted individuals and businesses.
The most costly type of complaint revolved around business email compromise schemes. More than 19,000 complaints accounted for about $1.8 billion in losses.
Ian Loring, managing partner of California-based private equity firm Crosspoint Capital, says that a combination of factors, including the effects of the pandemic, has caused the middle market to be increasingly worried about cyberattacks. Over the last few years, middle-market companies have been targets more often. Previously, larger firms seemed to be attacked more frequently.
“I do think this is an inexorable trend, and it’s not going away,” says Loring. “The attackers are smart and capable, and there’s a need for organizations to be mindful of this. It’s only going to accelerate as things democratize in the middle market.”
Surveyed business executives said that digital risk was the second most concerning macro risk. In 2021, 60% ranked digital risk among their top five macro risks, an increase from 55% in 2020.
Within digital risk, cyberattacks/ breaches were named by executives as the most pressing micro risk. Forty-five percent of respondents said it was concerning to their business in 2021, while 37% felt that way in 2020. Additionally, 49% said cyberattacks/ breaches was their top digital risk, up from 41% in 2020.
Another concerning risk for middle-market companies was remote work. Before the pandemic, IT departments could be relatively sure that company data would be secure as employees used company computers in their offices or at their workstation, but remote work has opened up a new avenue for cybercriminals to access data through unsecured systems and internet access.
Because so many employees are working from home, HawkPartners added a new dimension to the survey. It asked executives about cybersecurity risks specifically related to remote/hybrid work. Thirty-three percent said cybersecurity related to remote/hybrid work was concerning, while 24% cited it as a top risk.
Loring says the combination of more people working from home, greater awareness about cybercrimes in the middle market and more sophisticated cybercriminals likely elevated cybersecurity as a more pressing issue in the 2021 survey.
“The pandemic accelerated the lack of boundaries because people are working from home,” Loring says. “When the pandemic happened, people were no longer working at the office and that created a lack of boundaries, and then add ransomware on top of that.”
Regulations and Legislation
Regulatory/legislative macro risk was also cited as one of executives’ most pressing concerns in 2021. In fact, this macro risk jumped two spots on the macro-risk ranking, moving from eighth to sixth in the survey. For instance, in 2021, 39% of respondents ranked regulatory/ legislative risk among their top five macro risks, while 37% said the same in 2020.
Likely the uptick in middle-market executives’ concerns here is due to a change in administration and new and proposed regulatory changes, says Brian Williams, partner at New York-based Carl Marks Advisors, a middle-market investment banking firm.
The general political climate toward business is different now than it was a year ago and that creates uncertainty.
Partner, Carl Marks Advisors
“Just the general political climate toward business is different now than it was a year ago and that creates uncertainty,” Williams says. “The federal administration—it’s more people viewing it as a less business-friendly climate. If you really asked people what specifically changed, what can’t you do today that you could do two years ago, people would have a hard time pointing to anything specific, but it’s a feeling of the energy and attitude of what things are.”
Within regulatory/legislative issues, changes to regulations and tax compliance appeared to be of greater concern in 2021 compared to 2020.
For instance, 40% of respondents said changes to regulations that impact business was a top risk compared to 28% in 2020. In 2021, 20% said tax compliance was a top risk compared to 10% in 2020.
While regulatory changes and tax compliance were more concerning in 2021, legal compliance was cited slightly less often as a top concern. Twenty-one percent said sufficient compliance with regulatory laws was a top risk in 2021 compared to 26% in 2020.
For many in the middle market, disruptions in the supply chain can be potentially disastrous. For example, earlier this year, New Jersey-based National Tree Company, a middle-market provider of artificial trees, wreaths and other holiday décor had to make a decision about its supply chain, says Chris Butler, the company’s CEO.
Since its business is seasonal and revolves around the Christmas holidays, not getting supplies from China could obliterate National Tree Company’s profits for 2021. So, instead of waiting, the company decided to pay higher container rates early on to ensure it would receive its products. Had the company waited, it would be in far worse shape, according to Butler.
“For us, we had a crisis. We dealt with it very quickly,” he says. “We decided to pay the higher container rates, but a lot of people waited to see what was going to happen. We got in early and paid it.”
Like Butler, many survey respondents were concerned about supply chain disruption. Business interruption risk ranked in third place among the top concerns cited in 2021, rising from fourth place in 2020.
Within business interruption, the micro risk—fragile supply chain risk— increased significantly between 2021 and 2020. Thirty percent of respondents said it was concerning to their business in 2021 while 22% said that in 2020. Also, 14% said it was their top risk, up from 8% in 2020.
Butler says that the middle market might be better able to weather the supply chain storm, compared with smaller businesses or those without private equity funding. Since National Tree Company is backed by Florida-based private equity firm Sun Capital Partners, it has support that other companies don’t.
“Smaller companies that don’t have backing will be in big trouble,” Butler says. “Their liquidity will be tough. A lot of mom-and-pop businesses will have been massively impacted by this, and it’s an unfortunate problem.”
Improvements Over 2020
While the middle market appears more concerned about cybersecurity, business interruptions and regulatory issues, executives said that some of their worries have lessened in the last year.
Pandemic macro risk declined in the minds of middle-market executives as an overall concern. In 2020, it was the third-highest macro risk, but in 2021, it’s fourth, according to the survey.
For every pandemic micro risk in 2020—employee safety, pandemic impact on supply chain, lack of demand, ability to interact with colleagues, customer safety, cash flow, inability to meet demand and travel restrictions—business executives were equally or less concerned in 2021.
As businesses feel less affected by the pandemic, 2021 was more like a transitional year. 2022 will likely give a clearer picture of exactly where business is heading.
“I almost look at 2022 as the first real look at what the new normal will be for people,” says Williams. “A lot of government programs are gone, and in 2022, we are going to be dealing with—OK, here’s how much it costs to make my product with labor, here’s what my parts are costing, here’s my logistics costs and what does that mean for what my business model looks like.”
Also, reputational risk dropped two spots from 2021 to 2020 in the macro-risk ranking from sixth to eighth place. Within reputational risk, actions of errant employees was cited as the biggest risk factor.
During 2020, as social media platforms continued to grow and become more video-centric, some employees were caught on camera taking actions that embarrassed employers.
As tempers flared during the racial-justice marches in the summer of 2020, businesses cited this as a top concern. But in 2021, 13% cited actions of an errant employee as a top risk, down from 25% in 2020.
Another issue that dominated the fears of some middle-market businesses was the worry about a pending recession.
The survey showed that the macroeconomic risk category dropped two spots to 11th place as a top macro concern. Among the biggest drop within this macro risk category, the micro risk posed by a recession/economic downturn was less concerning in 2021 compared to 2020.
That decline is to be expected. In 2020, the specter of the 2009 crash loomed large in business leaders’ minds as some companies made preemptive layoffs in anticipation of a major downturn as businesses closed. But a recession did not materialize, and now it appears the pandemic is more under control.
In 2021, 16% of respondents said that a possible recession was concerning to their businesses compared to 23% in 2020. Twenty-seven percent said it was a top risk in 2021, compared to 35% in 2020.
“I don’t anticipate a recession, but we avoided a recession by pumping so much money into the system that the rising tide raises all the boats. The question is what the cost is, and now we have these big infrastructure bills that are on the table, which will increase the national debt. Is that OK? Opinions vary,” says Howard Brownstein, a turnaround and crisis management professional and president and CEO of Pennsylvania-based The Brownstein Corporation. “The danger of a recession isn’t any likelier as we come out of the pandemic. The risk goes down because businesses can do business normally again, but it’s too soon to declare victory over the pandemic.”
HawkPartners surveyed 302 US midmarket decision-makers at companies with revenue ranging from $200 million to $3 billion. QBE Insurance Group Limited, Australia’s second largest global insurer, sponsored the survey.