May 13, 2025 - We polled 1,000 senior leaders of privately held companies spanning industry sectors across the nation to take stock of actions, concerns, and challenges in key areas including technology-based business risks. Our 2025 Private Company Performance Report sheds light on the growth trends and challenges reported by our survey respondents.
Our survey reveals that 70% of respondents acquire and evaluate cloud application providers’ System and Organization Controls (SOC) reports regularly to protect client data and ensure other security controls are in place. Fifty-three percent report having moderate or weak business vulnerability efforts. Eighty-six percent accept payment cards and go through rigorous compliance processes annually. Fifty-four percent feel that they have strong abilities to respond and recover from a cybersecurity incident. Below we explore how our surveyed business leaders mitigate cyber risks.
Cloud Application Provider System and Organizational Control Checks
Most respondents are ensuring the effectiveness of internal controls for financial reporting, security, and privacy with SOC reports. Beyond compliance, commitments to quality and security can be a competitive advantage. Nearly a third have more work to do in this area.
Robustness of Business Vulnerability Efforts
Half say their vulnerability management efforts are strong. They conduct regular social engineering (i.e., phishing) simulations as well as periodic penetration/vulnerability testing. The other half say the robustness of these efforts is moderate, with occasional or informal efforts. This leaves a significant portion of private companies more vulnerable to cyber risk threats than their peers.
Data Security and Payment Cards
The vast majority of respondents go through a rigorous compliance process on an annual basis to meet payment card industry security standards. A small percentage, 12%, say they have not met industry data security standards or are unsure or not familiar with the requirements. This leaves them exposed to risks.
Cybersecurity Incident Readiness
More than half of respondents say their company’s ability to respond and recover from a cybersecurity incident is strong. They have tested recovery/continuity/incident response plans, have backups tested for viability, and have a robust cyber insurance policy. They feel ready for cyber risk. This leaves the other half judging their cyber risk readiness as moderate or weak with room for readiness improvement.
Not having formally documented and evaluated incident response plans, cyber insurance, and backups exposes a business to significant risks during a cyberattack or data breach. Without a clear incident response plan, the organization may struggle to react quickly and efficiently, intensifying the potential impact while extending the costly recovery process. The absence of cyber insurance could lead to devastating financial losses, as recovery costs, legal fees, forensics, and fines may not be covered. Additionally, lacking reliable backups can result in the permanent loss of critical data, crippling operations and harming the firm’s reputation. Formal documentation and regular evaluations ensure preparedness and mitigate the impacts of a cyber event.
Citrin Cooperman’s Private Company Performance Report
Citrin Cooperman has been serving and advising middle-market, private companies and high net worth individuals for over 40 years and created an annual Private Company Performance Report to discuss what is top of mind for business leaders across the country. Access our report to discover valuable insights into the trends, opportunities, and challenges facing businesses today.