AI supply chain risk puts UK cyber portfolios under pressure – QBE

New research shows insurers are left exposed to rising aggregation and systemic loss potential

By Josh Recamara

Three in four UK businesses are worried about cyber risks stemming from vendors’ and suppliers’ use of artificial intelligence (AI), but fewer than a third are checking how those partners deploy the technology, new research from QBE showed.

The company's latest survey found that 75% of employees are concerned about cyber risks arising from suppliers' use of AI. Yet among businesses already using AI, only 28% have taken steps to assess or audit their third-party suppliers' AI systems.

AI adoption is now close to universal. Some 97% of UK businesses are already using AI or looking into it, up from 95% last year, and 79% say they have already integrated AI into their operations, compared with 71% in 2025. Despite this, just 35% of AI‑using businesses report having a formal AI usage or governance policy.

Rising incident counts and severity

Both the number of UK businesses experiencing cyber events and the proportion linking those incidents to the supply chain are on the rise. The share of firms that experienced at least one cyber event in the past 12 months increased from 53% in 2025 to 59% in 2026.

Among those affected, 59% said at least one incident involved a supplier, up from 56% a year earlier. Notably, 22% reported that all or most of the attacks they suffered involved a supplier, compared with 14% in 2025. That shift points to supply chain exposure becoming a more prominent driver of loss, rather than a peripheral issue.

The financial and operational impact is worsening too. Among businesses that experienced a cyber event, the proportion suffering revenue loss rose from 50% in 2025 to 59% in 2026. Across all UK businesses surveyed, 22% experienced a cyber event that caused disruption of more than one working day, up from 16% in 2025.

The data strengthens the case for closer monitoring of aggregation and systemic risk, particularly where multiple insureds depend on the same cloud, software or data providers. It also underlines the importance of clear wording around business interruption and contingent business interruption where third-party failures are involved.

AI‑enabled attacks changing the threat profile

Concern about cyber threats remains elevated, with 82% of UK businesses saying they are worried about the threats they may face over the next 12 months.

A distinct AI element is emerging within that threat landscape. Almost a quarter (23%) of UK businesses say they have experienced a cyber incident which they believe leveraged AI. The most commonly reported methods were phishing (49%), malware (46%) and business email compromise (42%).

These attack types are well known, but AI tools can make them faster, more targeted and more convincing. For the insurance market, this raises questions about how quickly traditional controls – such as user awareness training, email filtering and multifactor authentication – can adapt, and whether policy wordings keep pace with the way AI is being used to enhance established attack vectors.

Budget, insurance and incident response

Meanwhile, UK businesses are responding to the changing risk environment with higher spend. QBE’s survey showed that 79% expect their IT cybersecurity budget to increase over the next 12 months, up from 74% in 2025, and almost a third (32%) plan increases that outpace inflation.

Despite rising incident rates and growing concern, cyber insurance take-up in this segment remains broadly stable. Some 76% of respondents said they have cyber insurance, compared with 77% in 2025. The proportion of firms with a cyber incident response plan has edged up from 81% to 82%.

There remains scope to deepen cover and ensure that limits, sub-limits and incident response services reflect clients’ exposure to supplier‑related and AI‑driven risks. Insurers, meanwhile, may look to link coverage and pricing more explicitly to demonstrable controls such as vendor due diligence, AI governance frameworks and tested response plans.

QBE’s warning on supply chain AI risk

David Warr, Portfolio Manager – Cyber, QBE Europe, said that while AI brings commercial benefits, it also increases cyber risks. 

“Our research reveals that three in four businesses recognise this risk, but only a small proportion are checking how their suppliers are using AI. This widening gap is concerning,” he said. “Even with robust internal controls, an organisation could be exposed to attack through a third party with weaker defences. As AI adoption accelerates, businesses need to address this emerging risk. Auditing the supply chain is now a key responsibility of cyber risk management.”

The findings align with a broader market shift towards more detailed questioning on third‑party risk. Insurers and brokers are increasingly interested in how insureds classify critical suppliers, what contractual security requirements they impose and how they monitor compliance over time, particularly where vendors are deploying AI in core services.

A central component of cyber risk

QBE’s research points to AI‑related supply chain exposure becoming a central component of cyber risk rather than a niche concern. That may influence attachment points, aggregate management and wording around business interruption, contingent business interruption and data compromise when third parties are involved.

The governance gap – with most AI‑using firms lacking formal policies and supplier assessments – also creates an opening for insurers and intermediaries to add value through risk engineering and advisory services. 

As AI usage matures and regulatory scrutiny of algorithmic tools and data protection increases, insurers will need to track how those developments interact with cyber cover.

With incident frequency and severity rising, and controls lagging behind adoption in many organisations, underwriting discipline and clear expectations around third‑party and AI‑related controls are likely to remain central themes for the UK cyber market over the coming renewal cycles.
