Newsletters
Risk Central
Digital EditionMajority of Businesses Faced Cyber Events Last Year as AI-Enabled Attacks Rise
Two in three U.S. businesses suffered a cyber incident in the past year, with more than half of those experiencing revenue loss as a direct result, according to new research from QBE North America.
“Cyber threats are a frequent and costly reality for U.S. businesses,” said Ian Walsh, vice president and U.S. cyber product leader at QBE North America. “This research underscores the importance of stronger defenses as companies navigate an evolving risk environment that includes emerging technologies.”
The survey included 400 decision makers of IT, administration or insurance in businesses with 100 to 2,000 employees in the U.S.
A Threat Landscape That Is Both Broad and Evolving
The survey paints a picture of a threat environment that has become routine rather than exceptional.
Among the 67% of businesses that reported a cyber event in the past 12 months, 58% traced at least one attack back to a supplier or vendor, and an equal share reported revenue losses as a consequence, underscoring that cyber incidents carry tangible financial consequences beyond reputational or technical damage, the report said.
One in four businesses experienced an interruption lasting more than a full working day.
Looking ahead, concern is running high: 77% of respondents said they are worried about the cyber threats they expect to face over the next 12 months. That anxiety is already translating into spending. Three in four businesses plan to increase their cybersecurity budgets in the coming year, with 29% expanding spending beyond the rate of inflation.
Artificial intelligence is reshaping this landscape in two directions simultaneously. Some 81% of businesses are already deploying AI in their operations — primarily to boost productivity, improve operational efficiency and sharpen decision-making, the report said. Nearly all respondents, 92%, expect AI to have a positive impact on their business within two years.
Yet the same technology is emerging as an attack vector: nearly three in 10 businesses reported at least one cyber incident in which AI was believed to have played a role, most commonly through AI-assisted phishing messages (cited by 51% of affected businesses) or AI-generated malware and malicious code (49%).
Where the Gaps Are Widening
Despite rising awareness and investment, meaningful vulnerabilities remain. Only 67% of mid-sized businesses carry cyber insurance, while 24% have no coverage at all — a notable gap given the frequency and cost of incidents the survey documented. Incident response planning tells a similar story: while 81% of businesses report having a formal plan in place, 15% acknowledge they do not, leaving a significant share of companies without a structured roadmap when an attack occurs.
The supplier dimension of cyber risk presents a compounding challenge. The finding that 58% of cyber incidents involved a supplier or third-party actor underscores how quickly risk can travel across interconnected business ecosystems. Vendor-related AI risk is also registering as a concern: 70% of businesses expressed worry about potential risks stemming from their suppliers’ own use of AI.
Turning Awareness Into Action
The survey’s findings suggest that mid-sized businesses are at an inflection point — aware of the risks and beginning to invest, but not yet fully protected. For risk managers and insurance professionals, the data points toward several concrete priorities. Closing the cyber insurance coverage gap is an immediate concern, particularly for businesses that have already experienced revenue-impacting incidents. Strengthening or establishing incident response plans is equally critical, given that nearly one in six businesses currently has no formal protocol in place.
On the AI front, some organizations are taking early steps: among those already using AI, 60% are training staff on its safe use, and 53% are reviewing the quality of data used to train their models. But with AI-assisted attacks already surfacing, the pace of risk management may need to accelerate alongside the pace of adoption.
“Developing strong incident response plans and addressing insurance gaps are critical steps for midsized businesses seeking to protect operations and build resilience in today’s complex threat landscape,” Walsh said.
Obtain the full report here. &
