One in three Canadian businesses said they have suffered a cyber incident in the past 12 months that they believe leveraged artificial intelligence, with phishing among the most frequently cited methods, according to new research from QBE.
The findings come from QBE’s 2026 global AI and cyber risk survey, which polled 400 decision-makers responsible for IT, administration or insurance at Canadian firms with 100–2,000 employees.
According to the survey, AI is now close to ubiquitous in the Canadian mid‑market. The share of businesses already using AI has climbed from 71% in 2025 to 83% this year, while another 14% are actively exploring it. In total, 97% of respondents are either using or looking into AI, up from 94% a year earlier.
Operational efficiency and productivity are the most commonly cited reasons for deploying AI, each mentioned by 53% of users, followed by improving decision‑making, growing revenue and driving innovation.
For insurers, the near‑universal adoption rate is notable. AI‑related exposure is no longer confined to a handful of technology‑focused sectors but is embedded across the client base, from manufacturers and logistics operators to service industries. That raises questions about how clearly AI‑driven processes and dependencies are captured in proposal forms, underwriting questions and cyber wordings.
“As new technologies such as AI become embedded in operations, effective risk management remains fundamental to ensuring sustainable and resilient growth,” said Kyle Gray, underwriter team lead at QBE Canada.
The survey indicated that cyber incidents remain widespread.
Over the past 12 months, 57% of Canadian businesses experienced at least one cyber event, up from 53% in the previous survey. Among those affected, 65% said at least one attack involved a supplier, compared with 58% a year earlier, underlining the growing importance of third‑party risk.
More than half of affected firms (58%) report revenue loss as a result of cyber incidents, up from 51%. Across all respondents, 16% of Canadian businesses said they faced a cyber event that caused a business interruption of at least one working day, slightly down from 18% last year but still a significant impact for one in six firms.
Within that broader picture, one in three Canadian businesses (33%) reported experiencing a cyber incident they believe leveraged AI. That aligns with QBE’s global findings and with wider threat intelligence highlighting rapid growth in AI‑assisted social engineering and automated malware campaigns.
Gray warned that AI‑related risk “doesn’t stop at the internal perimeter,” and said organizations need comparable levels of discipline and oversight across their vendor ecosystems because weaknesses in the supply chain can quickly translate into business‑critical risk.
QBE’s figures sit within a wider environment in which both cyber and AI rank highly on corporate risk registers. Canada’s National Cyber Threat Assessment continues to flag ransomware and related threats as key concerns for the country’s critical infrastructure, while international surveys consistently place cyber among the top global business risks.
That backdrop suggests regulators and rating agencies will continue to scrutinize how insurers manage their own cyber and AI exposures, including their use of AI in underwriting, pricing and claims, alongside how they evaluate clients’ controls.
The survey also underlines that AI and cyber risk are converging issues rather than separate topics. Understanding how AI is embedded in business processes, and where it touches sensitive data or operational systems, is increasingly relevant to both cyber and technology E&O discussions.
The QBE survey points to rising investment in security and risk transfer.
Most Canadian firms expect their IT security budgets to increase in the coming year, with roughly a third planning to keep pace with inflation and another third planning to spend ahead of it.
Take‑up of cyber insurance is also increasing. Seventy‑two percent (72%) of respondents said they now have a cyber insurance policy, up from 67% in the previous survey. The proportion of businesses with a cyber incident response plan in place has risen from 79% to 83%.
Those trends support expectations of continued growth in the Canadian cyber insurance market, even as carriers refine coverage in response to evolving loss experience.
At the same time, the rise in AI‑enabled and supply chain‑linked incidents is likely to keep pressure on product design, sublimits and exclusions, particularly around ransomware, data breaches and contingent business interruption.
Rising cyber insurance penetration and incident response planning also present opportunities for insurers and MGAs to differentiate through risk‑engineering support, tabletop exercises and post‑incident services tailored to AI‑enabled threats.
For brokers, the data underline a shift in client expectations. Many Canadian businesses are already investing more in cybersecurity and are aware of AI‑related risk both within their own operations and among suppliers. Intermediaries that can explain how policy terms respond to AI‑driven attacks, and can help clients benchmark their controls and response capabilities against peers, are likely to be better placed to retain and grow accounts.
Taken together, QBE’s survey suggests that AI is now firmly embedded on both sides of the cyber risk equation in Canada. How quickly insurers, reinsurers and brokers adapt their underwriting, wording and advisory approaches to that reality will be a key competitive question over the next renewal cycles.
