75% of UK businesses fear AI risk in supply chain but only 28% audit for it
Three in four UK businesses (75%) are concerned about the cyber risks arising from their vendors and suppliers using Artificial Intelligence (AI), yet only 28% of AI-using businesses have taken steps to assess or audit their third-party suppliers’ AI systems, new research* from business insurer QBE reveals.
Using AI is now standard practice for UK businesses, with 97% already using it or looking into it, up from 95% last year. Despite this, only 35% of AI-using businesses have a formal AI usage or governance policy.
QBE warns that the growing gap between AI adoption and risk management means businesses could be exposed through their supply chains at a time when cyber threats are accelerating.
Both the number of UK businesses experiencing cyber events, and the number linking those to supply chain, are increasing. The share of UK businesses that experienced a cyber event in the last 12 months rose from 53% in 2025 to 59% in 2026. Among those affected, 59% reported supplier-related events (up from 56%), with 22% saying that all or most of the attacks they suffered involved a supplier.
David Warr, portfolio manager – Cyber, QBE Europe, says: “AI is now commonplace for UK businesses. While this brings commercial benefits, it also increases cyber risks, especially across supply chains. Our research reveals that three in four businesses recognise this risk, but only a small proportion are checking how their suppliers are using AI. This widening gap is concerning. Even with robust internal controls, an organisation could be exposed to attack through a third party with weaker defences. As AI adoption accelerates, businesses need to address this emerging risk. Auditing the supply chain is now a key responsibility of cyber risk management.”

| UK businesses | 2025 | 2026 |
| --- | --- | --- |
| Using AI or looking into it | 95% | 97% |
| Already using AI in their operations | 71% | 79% |
| Concerned about cyber risks arising from suppliers using AI | – | 75% |
| With AI usage or governance policy (of those using AI) | – | 35% |
| Assessing suppliers’ AI systems (of those using AI) | – | 28% |

Source: Opinium surveys for QBE, 2025 and 2026: AI and cyber

The financial consequences and business interruption are also worsening year-on-year. Among businesses that experienced a cyber event, the proportion suffering revenue loss rose from 50% in 2025 to 59% in 2026. Of all UK businesses, 22% experienced a cyber event that caused a disruption of more than one working day, up from 16% in 2025.

| UK businesses that experienced a cyber event | 2025 | 2026 |
| --- | --- | --- |
| At least one cyber event involved a supplier | 56% | 59% |
| Most or all cyber events involved a supplier | 14% | 22% |
| Cyber event(s) resulted in revenue loss | 50% | 59% |

Source: Opinium surveys for QBE, 2025 and 2026: AI and cyber

Concern about cyber threats remains high, with 82% of UK businesses saying they are concerned about the threats they may face over the next 12 months. A new type of risk seems to be emerging, with 23% of UK businesses experiencing a cyber incident which they believe leveraged AI. The most commonly reported methods included phishing (49%), malware (46%) and Business Email Compromise (42%).
UK businesses are responding to the changing cyber risk landscape with increased investment. Indeed, 79% expect their IT cybersecurity budget to increase over the next 12 months (up from 74% in 2025), with 32% planning increases beyond the rate of inflation.

| UK businesses | 2025 | 2026 |
| --- | --- | --- |
| Experienced a cyber event in the past 12 months | 53% | 59% |
| Experienced business interruption from cyber event | 16% | 22% |
| Experienced cyber event that leveraged AI | – | 23% |
| Will increase IT cybersecurity budget beyond inflation | 27% | 32% |
| Have cyber insurance | 77% | 76% |
| Have a cyber incident response plan | 81% | 82% |

Source: Opinium surveys for QBE, 2025 and 2026: AI and cyber

* Methodology: On behalf of QBE, Opinium surveyed 400 decision makers of IT, administration or insurance in businesses with 100-2000 employees in the UK from 31 March to 17 April 2026. Last year, it surveyed a similar sample from 10 to 29 April 2025.
The 2026 Opinium survey on AI and cyber risks for QBE covers 15 countries (Australia, Canada, Denmark, France, Germany, Hong Kong, Italy, Netherlands, New Zealand, Singapore, Spain, Sweden, United Arab Emirates, UK, USA), with a total sample of over 6,000 businesses.
Data tables are available upon request.
QBE’s checklist
To tackle cyber threats, businesses should:
- Identify critical assets, threats, and vulnerabilities to gain a clear overview of exposure
- Define acceptable risk so leadership can set boundaries
- Prioritise mitigation strategies (direct resources towards areas of greatest impact)
- Test contingency plans and recovery protocols
- Stress test crisis management
- Incorporate third-party expertise to help manage residual and emerging risks
- Continuously adapt cyber defences to evolving threats, technology and business needs.
To mitigate third-party vulnerabilities, businesses should also:
- Assess and audit third-party and supplier AI systems as part of their standard vendor due diligence
- Implement strong identity and access management (IAM) protocols
- Run regular configuration audits
- Encrypt sensitive data across all cloud environments
- Evaluate the security posture of their third-party providers
- Establish clear protocols for managing supply chain exposure.

