Cyberattack and Firm Size: The Vulnerability of Mid-Size Firms
Published: September 18, 2025
Views expressed are those of the authors and do not necessarily represent official positions or policy of the Office of Financial Research or the U.S. Department of the Treasury.
Cyber risk has evolved from a niche IT concern into a systemic vulnerability within the financial ecosystem. The number of known high-impact cyberattacks has surged from the single digits in the mid-2000s to well over 200 incidents annually since 2020, according to the Center for Strategic and International Studies.[1] In fact, the actual incidence of attacks is substantially greater: the IMF estimates that in 2020 alone, roughly 12,000 attacks at a total cost exceeding $1 trillion were reported.[2]
Despite the magnitude of this threat, the data available to businesses and policymakers for assessing cyber risk and evaluating the need for investment remain sparse. Reporting attacks can be costly for a firm’s reputation and may reveal information that encourages further attacks.[3] Cyber risks are also difficult to quantify.
One emerging tool to assess vulnerabilities is cybersecurity ratings. Although these ratings are derived from models rather than direct observation, they are widely used in cyber insurance pricing and offer insights into firms’ actual exposure and preparedness. Institutions use them to gauge their own vulnerability.
We present data from CyberCube, a security ratings organization that generates model-based scores for thousands of companies based on each company’s exposure to cyberattacks and its security preparedness. Consider firms’ average exposure to attacks plotted against firm size by sector (see Figure 1).
Figure 1. Firm Size and Cyberattack Exposure
Note: Binscatter of firm cyber exposure score by log-revenue for 8 sectors in 20 equal-width bins of logarithmic revenue. The black line is the fit of a quadratic regression for the Finance sector. Primary sector is composed of agriculture, mining, energy and utilities, and oil and gas. Data as of March 2025.
Sources: CyberCube, Authors’ analysis.
Across all sectors, larger firms tend to face greater exposure, which is not surprising given that attackers pursue higher-value targets. Financial institutions (highlighted in purple) stand out, exhibiting significantly higher exposure than most other sectors. This underscores the reality that financial firms are prime targets for cyber threats as these institutions store vast troves of data, making cyberattacks against them particularly tempting.
We also examine a composite cybersecurity score that reflects both a firm’s preparedness and its susceptibility to cyberattacks (see Figure 2). The data reveal a striking U-shaped relationship between firm size and security scores. Very small enterprises tend to have relatively high scores, which dip among mid-size firms with revenue between $1 million and $10 million before rising sharply for the largest institutions.
Figure 2. Firm Size and Cyberattack Security Preparedness
Note: Binscatter of firm cyber security preparedness score by log-revenue for 8 sectors. The black line is the fit of a quadratic regression for the Finance sector. Primary sector is composed of agriculture, mining, energy and utilities, and oil and gas. Data as of March 2025.
Sources: CyberCube, Authors’ analysis.
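The figure notes describe the method behind Figures 1 and 2: bin firms into 20 equal-width bins of log-revenue, plot the mean score per bin, and overlay a quadratic fit. As an added illustration (not the authors’ code, and run on constructed data rather than CyberCube’s), the pure-Python block below implements that binscatter and fit and reports where the fitted curve bottoms out; the sample is built so the score dips in the mid-size range, and `dip_revenue` recovers that minimum.

```python
import math
import random

def binscatter(log_rev, scores, n_bins=20):
    """Mean score in n_bins equal-width bins of log-revenue -> list of (bin_center, mean, count)."""
    lo, hi = min(log_rev), max(log_rev)
    width = (hi - lo) / n_bins
    sums, counts = [0.0] * n_bins, [0] * n_bins
    for x, y in zip(log_rev, scores):
        i = min(int((x - lo) / width), n_bins - 1)  # clamp the maximum value into the last bin
        sums[i] += y
        counts[i] += 1
    return [(lo + (i + 0.5) * width, sums[i] / counts[i], counts[i])
            for i in range(n_bins) if counts[i]]

def solve3(m, v):
    """Gauss-Jordan elimination with partial pivoting for a 3x3 system m x = v."""
    a = [row[:] + [v[i]] for i, row in enumerate(m)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        for r in range(3):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [a[r][k] - f * a[col][k] for k in range(4)]
    return [a[i][3] / a[i][i] for i in range(3)]

def quadratic_fit(xs, ys):
    """Least-squares y = a + b*x + c*x^2 via the normal equations; returns (a, b, c)."""
    s = [sum(x ** k for x in xs) for k in range(5)]            # sums of x^0 .. x^4
    t = [sum(y * x ** k for x, y in zip(xs, ys)) for k in range(3)]
    return tuple(solve3([[s[i + j] for j in range(3)] for i in range(3)], t))

def dip_revenue(a, b, c):
    """Revenue (dollars) at the curve's minimum, or None if the fit is not U-shaped (c <= 0)."""
    return 10 ** (-b / (2 * c)) if c > 0 else None

def constructed_sample(n=2000, seed=7):
    """Constructed data (not CyberCube's): log-uniform revenue $10k..$10B, score dipping near $3.2M."""
    rng = random.Random(seed)
    log_rev = [rng.uniform(4, 10) for _ in range(n)]
    scores = [50 + 6 * (x - 6.5) ** 2 + rng.gauss(0, 5) for x in log_rev]
    return log_rev, scores

if __name__ == "__main__":
    log_rev, scores = constructed_sample()
    for center, mean, n in binscatter(log_rev, scores):
        print(f"revenue ~ ${10 ** center:>14,.0f}  mean score {mean:6.1f}  (n={n})")
    a, b, c = quadratic_fit(log_rev, scores)      # fit on the underlying firm-level points
    print(f"fit: {a:.2f} + {b:.2f}*x + {c:.2f}*x^2, minimum near ${dip_revenue(a, b, c):,.0f}")
```

The quadratic is fitted on the firm-level points, as binscatter overlays normally are; the binned means are only for display.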
This pattern is especially pronounced in the financial sector. While large financial firms are investing heavily in cybersecurity, mid-size firms may lag behind relative to their risk exposure.
A closer look points to structural drivers of this discrepancy. Core IT components, such as the robustness of recovery and hosting technologies, as well as the sophistication of security information and event management systems, do not scale with firm size. Despite being attractive targets because of their size, mid-size firms appear less likely to adopt technological defenses commensurate with their risk.
To a degree, the shape of the security curve reflects how attackers weigh payoff against effort and how firms’ defenses scale with size. Small companies are less frequently targeted mostly because the modest data they hold offer limited ransom potential, making their defensive posture appear relatively strong. Large enterprises remain tempting, but they counterbalance their appeal with significant IT budgets and dedicated security-operations centers. Caught in the middle are mid-size firms that are rich enough to lure attackers yet often lack the resources to mount robust defenses.
Understanding these dynamics is critical. As cyber threats become more sophisticated, tailored support for mid-size institutions may be key to enhancing financial system resilience.
Notes
[1] See “Significant Cyber Incidents,” compiled by the Center for Strategic and International Studies, https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents.
[2] See “Cyber Risk: A Growing Concern for Macrofinancial Stability,” Chapter 3 of the 2023 Global Financial Stability Report, International Monetary Fund.
[3] For example, the Colonial Pipeline ransomware attack is thought to have created “an incentive for similar attacks,” as argued by Jack Beerman, David Berent, Zach Falter, and Suman Bhunia in “A Review of Colonial Pipeline Ransomware Attack,” 2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW), pp. 1–4, May 2023.