One In Three US Businesses Hit By AI-Enabled Cyber Attacks

Estimated reading time: 6 minutes

QBE Survey Of 6,000 Businesses Across 15 Countries Finds The Threat Going Global

The email looked genuine. The language was polished. The urgency was calibrated just so. Behind it was an AI model, crafting the attack with a precision no human phishing crew could match at scale. QBE’s new cyber survey puts a hard number on how common that scenario has become. Nearly one in three U.S. businesses, 29 percent, experienced a cyber incident in the past year where artificial intelligence played a role in the attack. Ian Walsh, QBE North America’s Vice President and U.S. Cyber Product Leader, frames the reality plainly: “Cyber threats are a frequent and costly reality for U.S. businesses.”

The US Picture: Frequent, Costly, And AI-Assisted

QBE surveyed 400 U.S. business leaders from companies with 100 to 2,000 employees between March and April 2026. Sixty-seven percent said they had a cyber incident in the past year, showing that cyber risks are now common. Among those hit by AI-enabled attacks, 51 percent reported AI-crafted phishing messages, while 49 percent faced AI-generated malware or malicious code. These two methods, large-scale social engineering and self-writing code, make up the main tools for AI-driven attacks.

The Supplier Connection

The supply chain dimension compounds the exposure. Among U.S. businesses that suffered a cyber incident, 58 percent reported the attack was caused by or related to a supplier. Seventy percent of U.S. businesses are concerned about risks arising from their vendors using AI. The threat runs in both directions. Attackers reach enterprises through supplier weaknesses. Suppliers adopting AI without adequate controls create new blind spots inside vendor ecosystems. BakerHostetler’s 2026 Data Security Incident Response Report found that 25 percent of the incidents it handled in 2025 involved a vendor, with AI accelerating social engineering and attack speed across those cases.

Business Interruption: The Underwriting Number

One in four U.S. businesses, or 25 percent, had a cyber event that stopped business for more than a day. This number is important for insurance underwriters. Business interruption is still one of the biggest and most debated risks in cyber insurance. A 25 percent rate among mid-sized businesses shows that claims are happening often, not just in theory.

The Coverage Gap

Despite the frequency of incidents, 24 percent of U.S. businesses in the survey carry no cyber insurance. That gap sits uncomfortably alongside the 77 percent who say they are concerned about cyber threats in the coming year. Awareness is high. Coverage does not match it. Walsh states that “developing strong incident response plans and addressing insurance gaps are critical steps.” Eighty-one percent of surveyed businesses report having an incident response plan. Fifteen percent do not. Planning gaps and coverage gaps cluster in the same businesses. Lockton Re and Armilla’s “Ready or Not” report identified a parallel problem at the policy level: AI-related losses frequently fall into coverage gaps because existing policy language predates AI-driven attack methods.

AI Adoption Adds A Second Layer Of Risk

The survey shows that AI is both a risk and a business tool. Eighty-one percent of U.S. businesses already use AI, and another 15 percent are considering it. The main reasons for using AI are to boost productivity (62 percent), improve efficiency (59 percent), and make better decisions (54 percent). However, only 60 percent are training staff on safe AI use, and just 53 percent are checking the quality of data used to train their models. Companies are adopting AI faster than they are putting rules in place to manage it.

The Global Picture: 6,000 Businesses, 15 Countries

QBE also surveyed 6,016 businesses in 15 countries. Fifty-eight percent had a cyber event in the past year, with rates ranging from 71 percent in Germany to 47 percent in Italy. Globally, 21 percent had business interruptions lasting a day or more, but in New Zealand, that number was 44 percent. Among businesses that had incidents, 65 percent reported supply chain attacks, with New Zealand, the UAE, and Hong Kong highest at 73 percent. Sixty-three percent of businesses worldwide worry about their suppliers’ use of AI. Cyber insurance coverage is at 69 percent globally, led by Singapore at 80 percent. The UAE and New Zealand have the biggest gaps, with 32 and 31 percent of businesses not insured. Seventy-two percent of businesses plan to spend more on cybersecurity in the next year.

What The Data Means For Underwriters

The QBE survey shows that mid-sized businesses are often breached, face more attacks through suppliers, and still have significant insurance gaps. AI-driven attacks are now common, with one in three U.S. businesses hit in the past year. Phishing and malware attacks using AI are well-established and growing. For underwriters looking at mid-market cyber insurance, the data suggests they should ask more about AI management, supplier controls, and how incident response plans are tested. Gaps in coverage and preparedness often show up in the same businesses.

FAQ – AI-Enabled Cyber Attacks

Related Cyber Insurance Posts

• Black Kite’s 2026 Supply Chain Vulnerability Report Delivers A Precision Framework For An Imprecise World
• Veeam Survey: Cybersecurity Threats and AI Attacks Push Supplier Liability Into Focus For 2026(Opens in a new browser tab)
• AI, Breakout Speed, And Edge Risk: What CrowdStrike’s Report Means For Cyber Insurance Underwriting(Opens in a new browser tab)
• UK Longitudinal Cyber Survey Flags Cyber Insurance Uptick And Supplier Risk(Opens in a new browser tab)
• Cybersecurity Crisis: WTW 2025 Report Reveals Alarming Supply Chain Threats(Opens in a new browser tab)