37% of middle market executives surveyed test incident response plans quarterly.
56% of respondents have implemented disaster recovery plans for critical systems.
AI is enhancing incident response, improving detection, attack warnings and containment.
With the level of risk in the middle market, the likelihood of a cyberthreat actor finding a way into a company’s environment is very high. Conducting effective business continuity and incident response planning, testing those plans, and developing decision governance will increase resilience and minimize risks.
Breaches happen, and when they do, an effective response is paramount. An incident response plan lays the groundwork for how an organization will detect, react to and recover from a cybersecurity event. It must detail roles and responsibilities, outline key procedures and establish decision rights, such as who can authorize a ransom payment, approve external communications or speak to regulators. But for a plan to be effective, it must be regularly tested.
In the Q1 2026 RSM US Middle Market Business Index survey, quarterly testing of incident response plans was the most common practice (37%), followed by semiannual testing (29%). A bigger percentage of larger middle market companies opted for quarterly testing (45%) compared to their smaller counterparts (32%).
“The larger companies have more at stake if they suffer a loss, so preparation matters more,” says Rich Servillas, a director at RSM US LLP. “A lot of this is being driven by cyber insurance, as carriers are increasingly requiring more as a condition of coverage, and that's pushing testing discipline across the middle market.”
AI technology is also now playing a critical role in incident response, making teams more proactive and anticipatory through faster detection, earlier warning of likely attack paths and automated containment of routine threats. It allows detection and response teams to move from a defensive position to more of an offensive mentality, becoming proactive against risk and giving companies a valuable upper hand on threat actors.
“AI is enhancing incident response capabilities, but also enabling predictions,” says RSM US Principal Daniel Gabriel. “In some cases, companies are now better at predicting the likelihood of threats and where they're most likely to happen due to the support of AI.”
In addition to implementing and testing an incident response plan, middle market companies can take advantage of several key processes to limit business disruptions when cybersecurity events occur. In this year’s MMBI survey, the leading processes respondents reported were implementing disaster recovery plans for critical systems (56%); developing communication plans for crises or disruptions (51%); collaborating with external partners for coordinated resilience planning (50%); and leveraging technology to hunt for threats and respond to cyber events (48%).
The Canadian perspective: Four processes to address disruption and ensure continuity were listed by at least half of Canadian survey participants:
Before a cybercriminal can strike, companies need to have a complete understanding of what information they have, implement effective data hygiene and establish thorough data retention policies. Companies also need to understand where their crown jewels reside—what data is most important to the company, and how is it being safeguarded?
“A good understanding of these elements will save companies a significant amount of time if they become a cybercrime victim,” says Servillas. “Knowing what data you have and where it resides is a big part of how to mitigate some of that risk.”
In addition, as a best practice, organizations should consider having retainers or prenegotiated relationships with outside counsel, incident response firms or forensics providers before an incident occurs.
“In our case work, the organizations that recover fastest are the ones with those relationships already in place,” says Servillas. “The ones calling around for a digital forensics and incident response firm during an active incident can lose 24 to 48 hours of response time.”
How quickly can you recover following an incident?
Middle market companies are the target of cyberattacks with alarming regularity. Having an effective cyber resilience, response and recovery strategy is the best way to keep business interruption at a minimum and limit reputational and financial risks.