Firms fear AI risk in supply chain but many fail to audit for it

Three-quarters of UK businesses are concerned about the cyber risks arising from their vendors and suppliers using AI, yet only 28% of AI-using businesses have taken steps to assess or audit their third-party suppliers’ AI systems, according to research from insurer QBE.

Using AI is now standard practice for UK businesses, with 97% already using it or looking into it, up from 95% last year. Despite this, only 35% of AI-using businesses have a formal AI usage or governance policy. QBE warns that the growing gap between AI adoption and risk management means businesses could be exposed through their supply chains at a time when cyber threats are accelerating.

Both the number of UK businesses experiencing cyber events and the number linking those events to the supply chain are increasing. The share of UK businesses that experienced a cyber event in the last 12 months rose from 53% in 2025 to 59% in 2026. Among those affected, 59% reported supplier-related events (up from 56%), with 22% saying that all or most of the attacks they suffered involved a supplier.

David Warr, portfolio manager, cyber, QBE Europe, said: “AI is now commonplace for UK businesses. While this brings commercial benefits, it also increases cyber risks, especially across supply chains. Our research reveals that three in four businesses recognise this risk, but only a small proportion are checking how their suppliers are using AI. This widening gap is concerning.

“Even with robust internal controls, an organisation could be exposed to attack through a third party with weaker defences. As AI adoption accelerates, businesses need to address this emerging risk. Auditing the supply chain is now a key responsibility of cyber risk management.”

The research suggests that financial consequences and business interruption are also worsening year-on-year. Among businesses that experienced a cyber event, the proportion suffering revenue loss rose from 50% in 2025 to 59% in 2026. Of all UK businesses, 22% experienced a cyber event that caused a disruption of more than one working day, up from 16% in 2025.


