UK cyber breach rate holds at 43% as AI widens the threat
TL;DR:
- The government’s Cyber Security Breaches Survey found 43% of UK businesses experienced a breach or attack in the prior 12 months, with phishing reported by 38%.
- An April government open letter warned AI is finding software weaknesses and writing exploit code “at a speed and scale that would have been impossible even a year ago”.
- Only around a quarter of UK organisations using or adopting AI say they have security practices in place for the associated risks — and insurers are starting to price that gap.
The UK’s breach rate is not falling, and the attackers are getting cheaper tools. The Cyber Security Breaches Survey from DSIT and the Home Office put the share of UK businesses hit by a breach or attack at 43% over 12 months, with phishing the dominant vector at 38%. Layered on top is the government’s April open letter to business leaders, warning that AI cyber capabilities are accelerating “even faster than had been previously envisaged”.
The mechanism is not new attack categories but a lower barrier to entry. Automated reconnaissance, targeted phishing and rapid vulnerability exploitation — once the preserve of well-resourced actors — are becoming standard kit for less sophisticated attackers. Aon’s 2026 Global Risk Management Survey ranks cyber-attacks and data breaches as the top enterprise risk, a position it expects to hold into 2028.
The readiness gap has a price tag
The starkest number in the survey is about defence, not attack: only around a quarter of UK organisations using or adopting AI have security practices in place to manage the associated risks. Aon’s UK commercial risk chief Rob Kemp points to fragmented governance and untested AI incident scenarios, with some firms “still viewing AI as a future issue”.
Insurers are converting that gap into premiums and exclusions. Carriers are re-examining access controls, resilience and incident response at renewal, and some are addressing AI-enabled attacks through endorsements or exclusions. Firms that cannot demonstrate robust governance face narrower coverage options at higher prices — turning what was an IT hygiene question into a balance-sheet one.
Looking forward
The recommended baseline is familiar: timely patching, multi-factor authentication, tighter privileged access, and incident response plans updated for AI-enabled scenarios. What has changed is enforcement — with renewal conversations now benchmarking controls against sector peers, the market is doing what exhortation has not.