The Overlooked Risks in Cyber Resilience

Midsize American businesses are spending more than ever on digital defenses, yet they remain highly vulnerable. A 2026 cyber risk survey by QBE shows that even with increased protection spending, cyberattacks continue to cause severe and costly damage.

This vulnerability is reflected worldwide. While the study evaluated 400 decision makers of IT, administration or insurance at companies with 100 to 2,000 employees, the broader global survey by QBE tracked more than 6,000 businesses across 15 countries. The international data reveals that cyber threats are a frequent, systemic disruption to daily international commerce.

The findings demonstrate the depth of today’s cyber threat. Two out of three U.S. businesses (67%) experienced a cyberattack in the past 12 months, and the global rate is nearly as high at 58%. These incidents affected respondents’ operations and the bottom line. Among the attacked U.S. businesses, 58% suffered direct revenue losses, while one in four experienced a business interruption that shut down operations for more than a full working day—a disruption that also impacts 21% of companies globally.

“Cyber threats are a frequent and costly reality for U.S. businesses,” said Ian Walsh, Vice President and U.S. Cyber Product Leader at QBE North America. “This research underscores the importance of stronger defenses as companies navigate an evolving risk environment that includes emerging technologies. Leaders cannot treat cybersecurity as just a localized IT issue anymore. It’s a core corporate risk that directly threatens cash flow and operational survival, both here and abroad.”

An unsecured supply chain drives many breaches. In the U.S., 58% of attacked businesses reported that the incident was tied to a supplier; globally, the figure is even higher at 65%. This widespread vulnerability explains why 77% of U.S. business leaders are deeply concerned about threats over the coming year. To protect themselves, three out of four American businesses plan to increase their cybersecurity budgets next year. This spending growth matches global trends, where 72% of international businesses plan to increase their IT security spend (35% in line with inflation and 37% beyond inflation).

Technology spending on software and infrastructure alone is not enough to eliminate security vulnerabilities. A major gap exists in financial protection and corporate readiness. Only 67% of midsize U.S. companies have cyber insurance, while 24% do not. By comparison, 69% of midsize international businesses hold a cyber insurance policy. 
“Businesses are facing emerging cyber threats and tailored insurance solutions are essential to mitigating the risks,” Walsh explained, noting that developing strong incident response plans and addressing insurance gaps are critical steps to protect operations and build resilience.”

The rapid adoption of artificial intelligence further exacerbates these corporate readiness gaps by creating new opportunities for cybercriminals to launch successful attacks. While 81% of U.S. companies and 80% of businesses globally use AI to drive daily operations, hackers are rapidly weaponizing this widespread commercial use. In fact, nearly 30% of U.S. businesses have already suffered a cyber incident where AI was used against them, primarily through highly realistic AI-generated phishing emails and malicious code.

The rapid deployment of AI has simultaneously exposed supply chains, creating deep anxiety regarding connected business networks. While 70% of business leaders worry about the security risks posed by their vendors or suppliers using AI, 63% of business leaders globally share this exact concern. To manage these evolving threats, business leaders must look beyond basic IT defense.

“Businesses need to proactively evaluate vendors and their insurance coverage,” said Walsh. “True corporate resilience requires a combination of strict vendor management, training, and proper insurance coverage.”