One in four Australian businesses hit by AI enabled cyber attacks
Artificial intelligence (AI) is shifting from an emerging capability to a core part of how Australian businesses operate, but new research from QBE shows this shift is also rapidly reshaping cyber risk, turning what was once seen primarily as a productivity and efficiency enabler into a current and increasingly complex operational challenge.
QBE’s survey of Australian businesses* found that cyber incidents are widespread, with 50% reporting a cyber event in the past 12 months and 26% saying the incident was believed to involve AI. This comes as AI adoption is now firmly embedded in business operations, with 85% of organisations already using AI and a further 12% actively exploring its use.
AI is also changing how cyber attacks are carried out. Businesses reported encountering AI enabled techniques, with the most frequently mentioned including AI driven vulnerability identification, AI generated malware, phishing, deepfakes and business email compromise.
AI adoption is accelerating and reshaping the risk environment
Australian businesses are reportedly highly optimistic about the potential of AI, with 93% expecting it to have a positive impact on their business over the next two years. Many are already using it to drive productivity, improve efficiency, support decision-making and enhance customer experience, reflecting how quickly it has become part of core business activity.
Cyber incidents are now a routine and material risk
Cyber incidents are no longer limited to isolated technical issues. They can disrupt operations, impact customers and affect financial performance. Half of Australian businesses surveyed experienced a cyber incident in the past year, and among those affected, 60% resulted in a loss of revenue and 18% reported business interruption of one day or more.
Supplier ecosystems are becoming a critical vulnerability
One of the most significant findings highlighted in the research is the cyber exposure risks increasingly linked to third-parties.Among businesses that experienced a cyber incident, 66% said it was related to a third-party supplier. This dynamic makes cyber risk more difficult to control, as it depends not only on internal safeguards but also on the practices and resilience of external partners.
This challenge is intensified by the use of AI across supply chains. Of those surveyed, 69% said they are concerned about the risks arising from their suppliers’ use of AI, reflecting limited visibility over how these technologies are deployed and secured beyond organisational boundaries.
Awareness and investment are rising but resilience gaps remain
Australian businesses are responding to the evolving cyber threat landscape with increased focus and investment. 76% are concerned about cyber threats over the next 12 months, and 77% expect their IT security budgets to increase in the coming year. Cyber insurance uptake is also strong, with 79% of businesses reporting they have cover in place.
As cyber threats become more dynamic and interconnected, resilience will depend on how well organisations prepare for and respond to disruption. This requires a coordinated approach that combines technology, governance and response capability, supported by cyber insurance to help businesses recover from incidents and better prepare for emerging risks.
Through its cyber offering, QBE supports customers with the insights, preparedness and response capabilities needed to reduce disruption and strengthen resilience. For more information about QBE's cyber insurance, visit www.qbe.com/cyber
For a global perspective on how AI is shaping cyber risk, read QBE’s latest international research here.
Quotes attributable to Dominic Keller, Global Head of Cyber Services, QBE Insurance
“One of the most significant shifts we’re seeing is not just the rise of AI, but how quickly it is becoming embedded in everyday business processes. The pace of this change is moving faster than some organisations can adapt their risk frameworks – this is where cyber exposures can start to build.”
“What makes this environment more complex is that cyber risk is no longer contained within an organisation. As businesses become more interconnected, risk is shared across systems, suppliers and platforms, which means a single point of weakness can have broader consequences.”
“While awareness and investment are increasing, building resilience requires a more coordinated approach. Strong governance, clear visibility of risk and well-tested response capabilities are critical to help prepare for and recover from incidents.”
“Cyber insurance is becoming more valuable in this context, not just as financial protection, but as a way to access expertise, strengthen preparedness and support a coordinated response when incidents occur.”