Three in four UK businesses (75%) are concerned about the cyber risks arising from their vendors and suppliers using Artificial Intelligence (AI), yet only 28% of AI-using businesses have taken steps to assess or audit their third-party suppliers’ AI systems, new research* from business insurer QBE reveals.
Using AI is now standard practice for UK businesses, with 97% already using it or looking into it, up from 95% last year. Despite this, only 35% of AI-using businesses have a formal AI usage or governance policy.
QBE warns that the growing gap between AI adoption and risk management means businesses could be exposed through their supply chains at a time when cyber threats are accelerating.
Both the number of UK businesses experiencing cyber events and the number linking those events to the supply chain are increasing. The share of UK businesses that experienced a cyber event in the last 12 months rose from 53% in 2025 to 59% in 2026. Among those affected, 59% reported supplier-related events (up from 56%), with 22% saying that all or most of the attacks they suffered involved a supplier.
David Warr, Portfolio Manager – Cyber, QBE Europe, says: "AI is now commonplace for UK businesses. While this brings commercial benefits, it also increases cyber risks, especially across supply chains. Our research reveals that three in four businesses recognise this risk, but only a small proportion are checking how their suppliers are using AI. This widening gap is concerning. Even with robust internal controls, an organisation could be exposed to attack through a third party with weaker defences. As AI adoption accelerates, businesses need to address this emerging risk. Auditing the supply chain is now a key responsibility of cyber risk management."

| UK businesses | 2025 | 2026 |
| --- | --- | --- |
| Using AI or looking into it | 95% | 97% |
| Already using AI in their operations | 71% | 79% |
| Concerned about cyber risks arising from suppliers using AI | - | 75% |
| With AI usage or governance policy (of those using AI) | - | 35% |
| Assessing suppliers’ AI systems (of those using AI) | - | 28% |

The financial consequences and business interruption are also worsening year-on-year. Among businesses that experienced a cyber event, the proportion suffering revenue loss rose from 50% in 2025 to 59% in 2026. Of all UK businesses, 22% experienced a cyber event that caused a disruption of more than one working day, up from 16% in 2025.

| UK businesses that experienced a cyber event | 2025 | 2026 |
| --- | --- | --- |
| At least one cyber event involved a supplier | 56% | 59% |
| Most or all cyber events involved a supplier | 14% | 22% |
| Cyber event(s) resulted in revenue loss | 50% | 59% |

Concern about cyber threats remains high, with 82% of UK businesses saying they are concerned about the threats they may face over the next 12 months. A new type of risk seems to be emerging, with 23% of UK businesses experiencing a cyber incident which they believe leveraged AI. The most commonly reported methods included phishing (49%), malware (46%) and Business Email Compromise (42%).
UK businesses are responding to the changing cyber risk landscape with increased investment. Indeed, 79% expect their IT cybersecurity budget to increase over the next 12 months (up from 74% in 2025), with 32% planning increases beyond the rate of inflation.

| UK businesses | 2025 | 2026 |
| --- | --- | --- |
| Experienced a cyber event in the past 12 months | 53% | 59% |
| Experienced business interruption from cyber event | 16% | 22% |
| Experienced cyber event that leveraged AI | - | 23% |
| Will increase IT cybersecurity budget beyond inflation | 27% | 32% |
| Have cyber insurance | 77% | 76% |
| Have a cyber incident response plan | 81% | 82% |

* Methodology: On behalf of QBE, Opinium surveyed 400 decision makers of IT, administration or insurance in businesses with 100-2000 employees in the UK from 31 March to 17 April 2026. Last year, it surveyed a similar sample from 10 to 29 April 2025.
The 2026 Opinium survey on AI and cyber risks for QBE covers 15 countries (Australia, Canada, Denmark, France, Germany, Hong Kong, Italy, Netherlands, New Zealand, Singapore, Spain, Sweden, United Arab Emirates, UK, USA), with a total sample of over 6,000 businesses.
Data tables are available upon request.
To tackle cyber threats, businesses should:
• Identify critical assets, threats, and vulnerabilities to gain a clear overview of exposure
• Define acceptable risk so leadership can set boundaries
• Prioritise mitigation strategies (direct resources towards areas of greatest impact)
• Test contingency plans and recovery protocols
• Stress test crisis management
• Incorporate third-party expertise to help manage residual and emerging risks
• Continuously adapt cyber defences to evolving threats, technology and business needs.
To mitigate third-party vulnerabilities, businesses should also:
• Assess and audit third-party and supplier AI systems as part of their standard vendor due diligence
• Implement strong identity and access management (IAM) protocols
• Run regular configuration audits
• Encrypt sensitive data across all cloud environments
• Evaluate the security posture of their third-party providers
• Establish clear protocols for managing supply chain exposure.