Artificial intelligence is becoming a fixture in Australian business operations, but its spread is coinciding with a rise in cyber incidents that organisations believe were carried out using the same technology. New research from QBE Insurance puts the share of affected businesses at one in four, a figure that points to a shifting risk environment for insurers and their clients alike.
The QBE survey of Australian businesses with 100 to 2,000 employees found that 85% are already running AI in some capacity, with another 12% in the process of evaluating its use. The technology is primarily being applied to productivity and efficiency, and 93% of respondents said they anticipate AI will benefit their business over the next two years.What the research also shows is that wider AI use across the economy is giving threat actors new tools. Half of Australian businesses surveyed reported a cyber incident in the past year, and 26% said the incident was believed to involve AI. Respondents described encountering techniques such as AI-assisted identification of system vulnerabilities, AI-generated malware, phishing campaigns, deepfakes, and business email compromise (BEC). Dominic Keller, global head of cyber services at QBE Insurance, said the speed of AI adoption is outpacing risk management in some organisations. “The pace of this change is moving faster than some organisations can adapt their risk frameworks – this is where cyber exposures can start to build,” Keller said.
When cyber incidents do occur, the downstream effects on Australian businesses are substantial. Among those that reported an event in the past year, 60% experienced revenue loss, and 18% faced operational downtime lasting at least one day. These outcomes suggest that cyber incidents, once treated primarily as a technical concern, are now registering as a business continuity and financial issue. QBE’s concurrent global study, which surveyed 6,016 business decision-makers across 15 countries between March 31 and April 21, 2026, recorded a higher overall incidence rate – 58% of businesses globally reported a cyber event – with 57% of those affected experiencing revenue loss.
The research draws attention to the role third-party suppliers play in cyber exposure. Among Australian businesses that experienced an incident, 66% traced it back to a supplier relationship. That figure places the locus of many cyber events outside the direct control of affected organisations, complicating conventional risk mitigation strategies. Concern about how AI is being used – and secured – within supplier networks is also pronounced. Nearly seven in 10 Australian businesses, or 69%, said they are worried about risks stemming from their suppliers’ deployment of AI, a reflection of how little visibility organisations often have beyond their own perimeters. “As businesses become more interconnected, risk is shared across systems, suppliers, and platforms, which means a single point of weakness can have broader consequences,” Keller said.
Australian businesses are directing more resources toward cyber defence. Three in four respondents, or 76%, said cyber threats are among their concerns for the next 12 months, and 77% indicated that their IT security budgets are set to grow. On the insurance side, 79% of businesses said they hold cyber coverage – a higher rate than the 69% global average recorded in QBE’s international study. Still, budget increases and insurance uptake do not on their own address all dimensions of cyber preparedness. Keller pointed to governance structures and rehearsed response plans as equally important. “Strong governance, clear visibility of risk, and well-tested response capabilities are critical to help prepare for and recover from incidents,” he said.
The research frames cyber insurance as serving a function beyond paying out claims. For businesses navigating an environment where threats are evolving faster than defences, access to insurer expertise and coordinated response support is increasingly part of the value proposition. “Cyber insurance is becoming more valuable in this context, not just as financial protection, but as a way to access expertise, strengthen preparedness, and support a coordinated response when incidents occur,” Keller said. The data reinforces that AI-related cyber risk is no longer a theoretical exposure. It is showing up in claims and business interruption events with enough regularity that it warrants treatment as a core underwriting and risk advisory consideration.
