IT Brief UK - Technology news for CIOs & IT decision-makers
UK firms fear supplier AI cyber risks, QBE finds

Thu, 21st May 2026
Sean Mitchell, Publisher

QBE has found that 75% of UK businesses are concerned about cyber risks linked to suppliers' use of artificial intelligence, yet only 28% of AI-using businesses assess or audit their suppliers' AI systems.

The findings highlight a gap between rapid AI adoption and oversight of third-party risk in UK supply chains.

Research commissioned by the insurer showed that 97% of UK businesses either already use AI or are exploring it, up from 95% a year earlier. Among those already using AI, 35% have a formal AI usage or governance policy.

At the same time, cyber incidents are becoming more common. The share of UK businesses reporting a cyber event in the past 12 months rose to 59%, from 53% a year earlier.

Supplier links are also appearing more often in those incidents. Among businesses that experienced a cyber event, 59% said at least one attack involved a supplier, up from 56% a year earlier. A further 22% said all or most of the attacks they suffered involved a supplier.

Rising exposure

The financial impact has also worsened. Among businesses that experienced a cyber event, 59% said it resulted in revenue loss, up from 50% a year earlier.

Business interruption has increased as well. Across all UK businesses surveyed, 22% said they had experienced a cyber event that caused disruption lasting more than one working day, compared with 16% in the previous survey.

The study also identified a growing number of incidents that businesses believe involved AI. Some 23% of UK businesses said they had experienced a cyber incident they believed leveraged AI.

The most commonly reported attack methods in those cases were phishing, cited by 49%, malware at 46%, and business email compromise at 42%.

Concern about the broader threat environment remains high, with 82% of UK businesses worried about the cyber threats they may face over the next 12 months.

Governance gap

The figures suggest AI use in business operations is advancing faster than formal controls. While 79% of businesses said they already use AI in their operations, a much smaller share said they had written policies governing that use.

Oversight of third parties appears weaker still. Just over a quarter of AI-using businesses reported assessing suppliers' AI systems, despite the prominence of supplier-related cyber events in the survey.

David Warr, Portfolio Manager - Cyber, QBE Europe, said the findings were concerning.

"AI is now commonplace for UK businesses. While this brings commercial benefits, it also increases cyber risks, especially across supply chains. Our research reveals that three in four businesses recognise this risk, but only a small proportion are checking how their suppliers are using AI. This widening gap is concerning. Even with robust internal controls, an organisation could be exposed to attack through a third party with weaker defences. As AI adoption accelerates, businesses need to address this emerging risk. Auditing the supply chain is now a key responsibility of cyber risk management," he said.

Spending response

Many businesses expect to respond by increasing cybersecurity spending. The survey found that 79% expect their IT cybersecurity budget to rise over the next 12 months, up from 74% a year earlier.

Within that group, 32% said they planned increases above the rate of inflation, compared with 27% in the prior survey.

Other defensive measures were more widely established. Some 76% of businesses said they have cyber insurance, while 82% said they have a cyber incident response plan.

The polling covered 400 decision-makers in IT, administration or insurance roles at UK businesses with 100 to 2,000 employees. It forms part of a wider international survey spanning 15 countries and more than 6,000 businesses.