AI-powered cyber attacks hit 1 in 3 Canadian businesses (QBE research)

One in three Canadian businesses (33%) experienced cyber incidents in the past 12 months which they believe leveraged Artificial Intelligence, with phishing among the most frequent methods, according to global research* from business insurer QBE. 

Artificial Intelligence is becoming ubiquitous in the Canadian economy, with 97% of businesses using it or looking into it, up from 94% last year.

Efficiency and productivity are among the top motivations for deploying AI, as more than half of businesses rolling out the technology mention these objectives.

”As new technologies such as AI become embedded in operations, effective risk management remains fundamental to ensuring sustainable and resilient growth,” said Kyle Gray, Underwriter Team Lead, QBE Canada. 

Businesses are taking various steps to safely roll out AI into their operations, from training staff on responsible use, to checking data quality or monitoring outputs for bias. However, they worry their vendors might not be taking similar measures. Indeed, 63% of Canadian businesses are concerned about potential risks arising from how their suppliers use AI. 

Kyle Gray said: “AI risk doesn’t stop at the internal perimeter. Organizations need the same level of discipline and oversight across their third-party ecosystem, because weaknesses in the supply chain can quickly become risks to the business itself.”

Supply chain exposure 

Over the past 12 months, 57% of Canadian businesses have experienced one or more cyber events, a proportion slightly higher than last year (53%). Among affected businesses, 65% suffered at least one cyber attack that was related to a supplier (up from 58%) and 58% experienced revenue loss (up from 51%).

The disruption can be significant. Overall, 16% of Canadian businesses have experienced a cyber event in the last 12 months that resulted in a business interruption of one working day or more (down from 18%).

Two in three respondents (65%) are concerned about the cyber threats their business may experience over the next 12 months, a smaller proportion than last year (78%) but still prompting investment. 

Most of them say their IT cybersecurity budget is going to increase over the coming year (31% in line with inflation and 31% beyond inflation). And 72% now have cyber insurance, compared to 67% last year. In addition, 83% have an incident response plan, up from 79%. 

* Methodology: Opinium surveyed 400 decision makers of IT, administration or insurance in businesses with 100-2000 employees in Canada from 31 March to 20 April 2026. Last year, it surveyed a similar sample from 10 to 23 April 2025.
The 2026 Opinium survey about AI and cyber risks for QBE covers 15 countries (Australia, Canada, Denmark, France, Germany, Hong Kong, Italy, Netherlands, New Zealand, Singapore, Spain, Sweden, United Arab Emirates, UK, USA), with a total sample of over 6,000 businesses.
Data tables available upon request.

QBE’s checklist

To tackle cyber threats, businesses should:
o    identify critical assets, threats, and vulnerabilities to gain a clear overview of exposure 
o    Define acceptable risk so leadership can set boundaries 
o    Prioritise mitigation strategies (direct resources towards areas of greatest impact)
o    Test contingency plans and recovery protocols
o    Stress test crisis management 
o    Incorporate third-party expertise to help manage residual and emerging risks
o    Continuously adapt cyber defences to evolving threats, technology and business needs.

To mitigate third-party vulnerabilities, businesses should also: 
o    Implement strong identity and access management (IAM) protocols 
o    Run regular configuration audits 
o    Encrypt sensitive data across all cloud environments 
o    Evaluate the security posture of their third-party providers 
o    Establish clear protocols for managing supply chain exposure.