New QBE research shows that half of Australian businesses suffered a cyber incident in the past year, and 26% of those incidents were believed to involve artificial intelligence.
The findings point to a broad shift in cyber risk as AI becomes more common in day-to-day operations. QBE's survey found 85% of organisations already use AI, while another 12% are exploring it.
The research suggests cyber incidents have moved beyond isolated technical problems to become a mainstream operational risk. Among businesses that reported an incident, 60% said it led to lost revenue, while 18% said it caused business interruption lasting at least a day.
Businesses also reported a range of AI-enabled attack methods, including AI-driven vulnerability identification, AI-generated malware, phishing, deepfakes and business email compromise.
Third-party exposure
The survey also highlighted the role of suppliers. Among businesses that had experienced an incident, 66% said it was linked to a third-party supplier.
That adds to concerns about how supply chains are widening exposure to digital threats. QBE found 69% of respondents were worried about risks created by their suppliers' use of AI, underlining the limited visibility many businesses have over how external partners deploy and secure the technology.
The data indicates that cyber risk is becoming harder to isolate within a single organisation. Instead, exposures are spreading across connected systems, outsourced providers and software platforms, making security controls more dependent on outside parties.
Many Australian businesses nevertheless remain positive about AI's broader value. The survey found 93% expect AI to have a positive effect on their organisation over the next two years, with current uses focused on productivity, efficiency, decision-making and customer experience.
Rising spend
Concern about cyber threats remains high. More than three-quarters of surveyed businesses, or 76%, said they were concerned about cyber threats over the next 12 months, while 77% expect their IT security budgets to rise over the coming year.
Cyber insurance uptake was also strong, with 79% of businesses saying they had cover in place. The figures suggest companies are increasing spending on both prevention and financial protection as cyber events become a more regular feature of business risk.
Dominic Keller, Global Head of Cyber Services at QBE, said the speed of AI adoption was putting pressure on existing risk controls.
"One of the most significant shifts we're seeing is not just the rise of AI, but how quickly it is becoming embedded in everyday business processes. The pace of this change is moving faster than some organisations can adapt their risk frameworks - this is where cyber exposures can start to build," Keller said.
He said the findings reflect a broader shift in the structure of cyber risk.
"What makes this environment more complex is that cyber risk is no longer contained within an organisation. As businesses become more interconnected, risk is shared across systems, suppliers and platforms, which means a single point of weakness can have broader consequences," Keller said.
The survey paints a picture of a business community that is alert to the threat but still grappling with gaps in resilience. Increased budgets and broad awareness do not necessarily translate into readiness when incidents disrupt trading, affect customers or expose weaknesses in supplier networks.
QBE's findings suggest preparation now depends not only on technical safeguards, but also on governance, oversight and response planning. That is particularly relevant for companies relying on a growing number of external technology providers and AI tools that may sit outside direct internal control.
Keller said businesses needed a more joined-up approach as threats evolve.
"While awareness and investment are increasing, building resilience requires a more coordinated approach. Strong governance, clear visibility of risk and well-tested response capabilities are critical to help prepare for and recover from incidents," Keller said.
He added that cyber insurance is taking on a broader role for companies dealing with incidents.
"Cyber insurance is becoming more valuable in this context, not just as financial protection, but as a way to access expertise, strengthen preparedness and support a coordinated response when incidents occur," Keller said.