Two-thirds of U.S. businesses hit by cyber incidents as AI-powered attacks accelerate
Sixty-seven percent of mid-sized U.S. businesses experienced a cyber incident in the past 12 months, with more than half reporting direct revenue losses, according to research from QBE North America. The survey of 400 IT and insurance decision makers at companies with 100 to 2,000 employees reveals a threat environment that has become routine rather than exceptional.
Nearly three in 10 businesses reported at least one cyber incident involving generative AI and LLM technology. AI-assisted phishing messages accounted for 51% of these attacks, while AI-generated malware and malicious code represented 49%.
The financial and operational toll
Among affected organizations, 58% traced at least one attack to a supplier or vendor. One in four experienced an interruption lasting more than a full working day.
The cost extends beyond operational disruption. Fifty-eight percent of businesses that suffered a cyber event reported revenue losses as a direct consequence. Yet despite these documented costs, only 67% of mid-sized businesses carry cyber insurance, while 24% have no coverage at all.
Incident response and planning gaps
Eighty-one percent of businesses report having a formal incident response plan. That leaves 15% without a structured protocol when an attack occurs - a significant vulnerability given the frequency of incidents.
The supplier dimension compounds the risk. Seventy percent of businesses expressed concern about potential risks stemming from their suppliers' use of AI, even as 81% of mid-sized companies are already deploying AI in operations.
Investment rising, but not fast enough
Awareness is translating into spending. Seventy-seven percent of respondents worry about cyber threats in the coming year, and three in four plan to increase their cybersecurity budgets. Twenty-nine percent are expanding spending beyond the rate of inflation.
Among organizations already using AI, 60% are training staff on safe use and 53% are reviewing the quality of data used to train their models. These efforts suggest some organizations recognize the dual nature of AI - as both a business tool and an attack vector - but the pace of risk management may need to accelerate.
For AI for Insurance professionals and risk managers, the data points to immediate priorities: closing cyber insurance coverage gaps, strengthening incident response plans, and establishing protocols for managing AI-related risks across supplier networks.
Your membership also unlocks:
