Three-quarters of UK firms worry about AI in supply chains, but few audit vendors
A gap between concern and action is leaving UK cyber insurance portfolios exposed to rising aggregation and systemic losses, according to research from QBE.
Seventy-five percent of UK businesses are worried about cyber risks from suppliers' and vendors' use of artificial intelligence. Yet only 28% of firms already using AI have assessed or audited how their third-party partners deploy the technology.
The disconnect matters because supply chain incidents are becoming the primary driver of cyber losses. The share of UK businesses experiencing at least one cyber event in the past 12 months rose from 53% in 2025 to 59% in 2026. Among those hit by incidents, 59% said at least one involved a supplier, up from 56% a year earlier.
More telling: 22% of affected businesses reported that all or most attacks involved a supplier, compared with 14% in 2025. Supply chain exposure is no longer a peripheral risk.
Rising incident severity
The financial toll is worsening. Among businesses that experienced a cyber event, 59% suffered revenue loss in 2026, up from 50% in 2025. A quarter of all surveyed businesses experienced an incident causing more than one day of disruption, up from 16% a year prior.
These figures point to two underwriting implications: the need to monitor aggregation risk where multiple insureds depend on the same cloud, software or data providers, and the importance of clear wording around business interruption and contingent business interruption when third-party failures are involved.
AI-enabled attacks are refining old methods
Nearly a quarter of UK businesses say they have experienced a cyber incident leveraging AI. The most common attack types were phishing (49%), malware (46%) and business email compromise (42%).
These are established threats. AI tools make them faster, more targeted and more convincing. The question for insurers is whether traditional controls-user awareness training, email filtering, multifactor authentication-can adapt quickly enough, and whether policy wordings account for how AI enhances known attack vectors.
Governance gaps create openings
AI adoption is nearly universal: 97% of UK businesses use AI or are exploring it, up from 95% last year. Yet just 35% of AI-using businesses have a formal AI usage or governance policy.
This governance gap creates an opening for insurers and brokers. Risk engineering and advisory services that help clients classify critical suppliers, set contractual security requirements and monitor compliance over time-especially where vendors deploy AI in core services-add tangible value.
Eighty-two percent of UK businesses remain concerned about cyber threats over the next 12 months. Seventy-nine percent expect their IT cybersecurity budgets to increase, with almost a third planning increases that outpace inflation.
Insurance take-up stable, but cover needs tightening
Cyber insurance penetration in this segment remains flat at 76%, down slightly from 77% in 2025. Eighty-two percent of firms have a cyber incident response plan, up from 81%.
Insurers have scope to deepen cover and link pricing more explicitly to demonstrable controls: vendor due diligence, AI governance frameworks and tested response plans. As incident frequency and severity rise, and as controls lag behind adoption in many organisations, underwriting discipline and clear expectations around third-party and AI-related controls will remain central to the UK cyber market.
Learn more about AI for Insurance and how cybersecurity professionals can address AI-enabled threats.
Your membership also unlocks:
