UK firms race to adopt AI faster than they can govern it

New research reveals a widening gap between AI uptake and oversight — and the risks are mounting fast

By Kenneth Araullo

UK businesses are racing to adopt artificial intelligence faster than they can govern it, with new research from QBE showing that three in four firms are worried about cyber risks linked to vendors and suppliers using AI – yet just 28% have moved to audit those third-party systems.

The business insurer found AI uptake now near-universal across UK firms, with 97% either using the technology or exploring it, up from 95% in 2025. Even so, only 35% of AI-using businesses have a formal AI usage or governance policy in place.

QBE said the widening gap between adoption and oversight could leave companies exposed through their supply chains as cyber threats intensify.

The share of UK businesses that experienced a cyber event in the past 12 months rose to 59% in 2026, from 53% the year before. Of those affected, 59% reported supplier-linked events, up from 56%, with 22% saying most or all of the attacks they faced involved a supplier.

David Warr, portfolio manager for cyber at QBE Europe, said AI had become commonplace among UK firms, bringing both commercial gains and elevated exposure across supply chains.

"This widening gap is concerning," he said, noting that even firms with strong internal controls could be breached through a third party with weaker defences.

Warr added that auditing the supply chain "is now a key responsibility of cyber risk management" as AI adoption accelerates.

Other carriers have flagged similar pressures further up the value chain. A recent joint report from AXA XL and Thales found cyber risk is becoming harder to price and manage, with the global average cost of a data breach reaching $4.44 million in 2025.

The report also noted more than 12,000 confirmed breaches recorded worldwide that year, as vendor access, cloud misconfiguration and extended supplier networks complicate underwriting assumptions.

Costs and AI-enabled attacks climb

Financial fallout from incidents is deepening. Among businesses hit by a cyber event, the share reporting revenue loss climbed to 59% in 2026 from 50% the previous year.

A further 22% of all UK firms suffered a cyber event that caused disruption lasting more than one working day, up from 16% in 2025.

Concern about future threats remains elevated, with 82% of UK businesses worried about the cyber risks they may face over the next 12 months. A newer category of incident is also emerging, with 23% of firms reporting a cyber event they believe leveraged AI.

The most commonly cited methods were phishing at 49%, malware at 46% and business email compromise at 42%.

Spending is rising in response, with 79% of UK businesses expecting their IT cybersecurity budget to grow over the next 12 months, up from 74%, and 32% planning increases beyond the rate of inflation.

Cyber insurance penetration has held broadly steady at 76%, compared with 77% a year earlier, while 82% of firms now have a cyber incident response plan in place, up marginally from 81%.
