QBE: 75% of UK firms fear supplier AI risk but only 28% audit suppliers
TL;DR:
- Insurer QBE’s latest UK cyber research finds 75% of UK businesses worry about cyber risks from suppliers’ AI use, but only 28% of AI-using firms audit those suppliers.
- UK AI adoption is now near-universal: 97% of UK businesses are using or exploring AI (up from 95% last year), with 79% saying AI is integrated into operations — yet just 35% have a formal AI governance policy.
- 23% of UK businesses say they have experienced a cyber incident they believe leveraged AI, with phishing (49%), malware (46%) and business email compromise (42%) the most common methods.
QBE Europe’s latest survey paints a familiar pattern in UK cyber risk: adoption running ahead of governance, with supply-chain exposure widening faster than internal controls. The proportion of UK firms experiencing at least one cyber event in the past 12 months rose from 53% in 2025 to 59% in 2026; among those, 59% said at least one incident involved a supplier (up from 56%), and 22% said all or most attacks involved a supplier — up from 14% a year earlier.
The governance gap
The headline number — 75% concerned, 28% acting — is the clearest statement yet of where UK cyber risk is concentrating. UK firms expecting their cybersecurity budgets to rise rose from 74% to 79%, with almost a third (32%) planning increases that outpace inflation. But cyber insurance take-up is broadly flat (76%, down from 77% last year) and only 82% have a documented incident response plan (up from 81%). Among AI-using firms, 65% still lack a formal AI governance policy.
This QBE finding lands alongside the Verizon Data Breach Investigations Report published this week, which found that software-vulnerability exploitation overtook stolen credentials as the leading initial-access vector and that AI is shrinking the defender’s response window from months to hours. The two reports together name the operational reality: AI-augmented attackers are moving faster, supply chains are wider and less audited, and most UK firms are spending more on cyber while leaving the third-party leg of the perimeter inspected by a minority.
Looking forward
For UK SMEs, the practical implication is that supplier-AI audit is now part of the basic cyber hygiene posture insurers expect — not a future regulatory concern. David Warr, QBE Europe’s cyber portfolio manager, warned that “even with robust internal controls, an organisation could be exposed to attack through a third party with weaker defences”, and noted that the gap between concern and action is what is widening fastest. Expect cyber policy wordings, particularly around contingent business interruption and aggregate exposures, to tighten through 2026 renewals. For UK firms still without an AI governance policy, the question of whether to write one is no longer about getting ahead — it is about catching up with where underwriters now expect them to be.