UK firms fear supplier AI cyber risks, QBE finds

Key Points

  • A new QBE survey reveals that 75% of UK businesses are concerned about cyber risks arising from vendors and suppliers using artificial intelligence, yet only 28% of AI‑using companies audit or assess their suppliers’ AI systems.
  • Among AI‑using UK firms, just 35% have a formal AI usage or governance policy, highlighting a widening gap between AI adoption and risk‑management controls.
  • The share of UK businesses reporting a cyber event in the past 12 months has risen from 53% in 2025 to 59% in 2026, with 59% of those affected citing supplier‑related incidents—up from 56% a year earlier.
  • Fully 22% of affected businesses say that all or most of the cyber attacks they suffered involved a supplier, underscoring the growing importance of third‑party risk.
  • Around 23% of UK businesses say they have experienced a cyber incident that they believe leveraged AI, with phishing (49%), malware (46%) and business email compromise (42%) the most commonly reported methods.
  • Overall, 82% of UK firms say they are concerned about the cyber threats they may face over the next 12 months, even as AI use becomes commonplace.

Why are UK businesses worried about suppliers using AI?

According to findings published by business insurer QBE, AI‑driven cyber risks in the supply chain are now a top‑of‑mind issue for three‑quarters of UK companies, even though many firms are doing little to verify how their suppliers deploy AI. As reported by QBE in its 2026 research, 75% of UK businesses are concerned about cyber risks arising from their vendors and suppliers using artificial intelligence, yet only 28% of AI‑using businesses have assessed or audited their third‑party suppliers’ AI systems.

This disconnect suggests that while AI is being adopted quickly across the economy, governance and due‑diligence processes have not kept pace. David Warr, cyber portfolio manager at QBE Europe, is quoted as saying: “AI is now commonplace for UK businesses. While this brings commercial benefits, it also increases cyber risks, especially across supply chains. Our research reveals that three in four businesses recognise this risk, but only a small proportion are checking how their suppliers are using AI. This widening gap is concerning.” Companies that invest heavily in internal cybersecurity may still face exposure through weaker third‑party defences, he adds.

How many firms are actually using or exploring AI?

QBE’s broader control‑risk work shows that AI is no longer a niche technology for UK businesses. Earlier QBE research, cited by Insurance Post and reinsurance news outlets, indicates that around 95% of UK companies are either already using AI or actively exploring its use. This rapid uptake is being driven by the desire to improve efficiency, cut costs, and automate routine tasks.

At the same time, a large majority of firms acknowledge that the threat landscape is evolving. In the same earlier tranche of QBE‑commissioned data, 80% of businesses said they believed cyber threats were increasing, and 53% reported experiencing at least one cyber incident in the previous 12 months—with more than half of those incidents linked to suppliers. This background helps explain why the latest 2026 supplier‑AI findings feel so urgent to risk managers and board‑level executives.

What do the latest cyber incident figures show?

Drawing on a fresh 2026 survey conducted by market‑research firm Opinium on behalf of QBE, Business Insurance Magazine and Insurance Post note that the proportion of UK businesses saying they have experienced a cyber event in the past 12 months has climbed from 53% in 2025 to 59% in 2026. Among those affected, 59% say at least one incident involved a supplier, up from 56% the year before.

Of that group, 22% state that all or most of the cyber attacks they suffered were linked to a supplier, suggesting that third‑party channels are becoming both more frequent and more damaging routes of compromise. This trend is consistent with QBE’s earlier prediction that the number of significant UK cyber incidents would rise by roughly 50% by the end of 2025, as digital services and AI‑driven platforms knit organisations more tightly together.

How worried are UK firms about future cyber threats?

Against this backdrop, concern about the year ahead is running high. QBE’s 2026 research shows that 82% of UK businesses say they are worried about the cyber threats they may face over the next 12 months. This level of anxiety is being driven not only by the sheer volume of attacks but also by the sophistication of attack methods, including those that leverage AI.

As QBE’s portfolio manager for cyber, David Warr, told reporters: “Even with robust internal controls, an organisation could be exposed to attack through a third party with weaker defences. As AI adoption accelerates, businesses need to address this emerging risk. Auditing the supply chain is now a key responsibility of cyber risk management.” News outlet Insurance Post paraphrased this, describing QBE’s position as a warning that companies could be “leaving themselves exposed to supply‑chain cyber‑attacks if they fail to scrutinise how their suppliers use AI‑enabled systems.”

Are AI‑driven attacks already happening?

The QBE data suggests that AI‑leveraged cyber events are not just theoretical. According to the insurer’s 2026 survey, 23% of UK businesses say they have experienced a cyber incident that they believe involved AI, such as AI‑enhanced phishing or malware‑delivery tools.

Among those reporting AI‑linked incidents, the most commonly described methods include phishing (cited by 49%), malware (46%) and business email compromise (42%). These figures, reported by QBE and paraphrased by eCommerce News UK, indicate that threat actors are using AI to personalise messages at scale, automate attack sequences, and bypass traditional filters. In interviews with risk‑management outlets, QBE representatives have warned that AI can help attackers craft more convincing emails, discover system vulnerabilities faster, and even mimic human behaviour in customer‑service channels.

How are businesses governing their own AI use?

While external‑supplier risks are under the microscope, QBE’s research also highlights weaknesses in internal governance. According to the 2026 findings, only 35% of AI‑using UK businesses have a formal AI usage or governance policy. This suggests that many firms are integrating AI tools into core workflows—such as customer service, HR, or finance—without clear rules on data handling, model transparency, or security controls.

QBE’s Control Risks Report, summarised by reinsurance and insurance‑news outlets, notes that organisations are being urged to embed security across the entire AI lifecycle, from data ingestion and model training right through to deployment and monitoring. The insurer recommends that firms identify critical data assets, strengthen access controls, and treat third‑party AI providers as part of their extended attack surface.

What are the implications for risk management and corporate training?

The QBE data pack and associated commentary in business‑insurance and e‑commerce publications underline that cyber‑risk in the AI‑enabled supply chain is no longer a niche IT‑team concern but a board‑level governance issue. Given the high incidence of supplier‑linked incidents and low audit rates, organisations are being pushed to formalise their third‑party due‑diligence processes, including contractual clauses on AI security and incident‑response cooperation.

For professionals in Project Management, Risk Management, and Corporate Governance, the QBE figures reinforce the need for structured frameworks that integrate cyber‑risk and third‑party oversight into daily operations. Training in Risk Management and Corporate Governance can help teams design policies that explicitly cover AI‑related exposure, while courses in Project Management can ensure that AI‑driven projects are scoped with security and compliance built in from the outset.
