Quantum computing is coming, and, when it arrives, it’s going to revolutionize how data is processed and stored. However, quantum technology, in the wrong hands, could create a multitude of digital risks, including advanced cyberattacks. For the insurance industry — which is increasingly relying on data as a key asset to digitize transactions, improve underwriting decisions and speed processes — this poses a significant problem and represents a potential exposure area that could jeopardize all levels of the industry, from the average insured to the large legacy carriers.
What are quantum computing and quantum resilience?
According to IBM, “quantum computing is a rapidly emerging technology that harnesses the laws of quantum mechanics to solve problems too complex for classical computers.” Dr. Michele Mosca at the University of Waterloo predicts that there is a one in seven chance that some fundamental public-key crypto will be broken using a quantum computer by 2026. That chance increases to one in two by 2031.
With quantum computing comes quantum threats, as a quantum computer is capable of undermining the widely deployed public key algorithms used for asymmetric key exchanges and digital signatures — both vital parts of protecting the confidentiality, integrity, and authenticity of data transfers in the current computing environment.
Without effective mitigation, the impact of adversarial use of a quantum computer could be devastating to the insurance industry, especially where information needs to be stored and protected for decades.
Quantum resilience mitigates the effects of these vulnerabilities and ensures that precious data remains safe by breaking the data into smaller, encrypted pieces and anonymously storing them in different places. When an algorithm is quantum-resilient (also known as quantum-resistant or quantum-safe), the cryptographic algorithms are supposedly resistant to cryptanalytics attacks from both traditional and quantum computers.
While quantum computing does seem a bit menacing, Q2K doesn’t need to be another Y2K. By thinking about quantum now, insurance can concentrate on what can be done to prepare for quantum’s arrival and prevent another widespread panic.
What is being done to work toward quantum resilience?
Many organizations, such as the open Quantum Safe project and the National Institute of Standards and Technology (NIST), are aware of the threat quantum computing poses and are working to create quantum resilience. NIST is collaborating with government, academia and industry to develop a new set of encryption standards, positioned to be released in 2024, that work with classical computers while also resisting quantum threat. The standards will include software recommendations as well as hardware updates. Software giants such as Microsoft, Google and Amazon Web Services are also among those developing quantum-safe encryption algorithms.
Some organizations are even investing in dedicated quantum resilience teams as an extension of their cybersecurity group, while others are monitoring the threat closely and getting ready to act when standards are made available.
It might be hard for insurance to justify investing in quantum resilience measures; however, the industry needs to be patient and can’t lose sight of the threat of quantum computing by compromising on safety measures, as insurance could be particularly vulnerable to devastating cyber attacks — especially since insurers often carry not only the data of their customers but also their partners.
What are the risks to insurance with quantum computing?
Just as with other industries that rely on heavy encryption to deal with sensitive data and information, cybersecurity is of the utmost importance in the insurance industry — especially for organizations looking to gain and maintain clients’ trust. With the rise of insurtech and innovations such artificial intelligence, insurance is in a transition where it’s trying out new connections, new relationships, new vendors and new technologies – experimentation that also increases its cyber risk.
Not only that, but many large carriers use older legacy systems for their data. This poses both a challenge and risk, because they may not have the capability to implement all the security measures needed to protect against current and quantum threats. This also means that when implementing new algorithms or upgrading existing applications, different approaches are required to elevate the software while maintaining its integrity and the data.
Insurance carriers need to ask themselves how long they want the legacy systems to continue and whether they believe quantum computers are a threat to their operations. If you’ve adopted a new technology that you want to last, upgrading it to be quantum-resistant is vital as you digitize and modernize.
What can the industry do now to protect itself and its dependents from quantum attacks?
One of the ways the insurance industry can secure its data and mitigate against cyber risk is externalizing its data by using data exchange platforms such as ADEPT (ACORD Data Exchange Platform & Translator). While this does open insurers up to some risk, it can be beneficial in the long run if the right partner is chosen, especially because internal systems are prone to attacks.
For example, insurance carriers can use these data exchange platforms as a backup in case they’re hacked. If an organization is hacked, not only can they lose access to their data, but they can also lose access to certificates of insurance and other vital information and documents that can help them get on the road to recovery. However, by using a data exchange platform, insurers have access to a backup version of the certificate and can quickly work to get back on their feet.
When selecting a data exchange platform, insurers should look for companies that use RSA encryption – currently the most widespread and effective cryptographic key distribution technique. RSA encryption relies on the fact that it is very difficult for computers to factor large numbers. So the prime factors to a large number can act as a "key": The information is encrypted with a big composite number, and the receiver must know the prime factorization to decrypt the information. But these prime factors are kept a secret between the sender and receiver, and an eavesdropper can only see the composite number. With classical supercomputers available today, they would need to wait trillions of years to crack the code and find the prime factors. It has been proposed that a quantum computer, however, could exponentially speed up this process. Shor's algorithm presents a blueprint for a quantum computer to factor an equally large prime number in only eight hours if the quantum computer were large enough. Today, quantum computers are far too unreliable to demonstrate Shor's algorithm – we are a far cry from operating the millions of qubits in concert that would be necessary to break RSA encryption. But if we wait to become quantum-resilient until after Shor's algorithm is truly realized, we risk widespread vulnerability to cyberattacks.
Another way a carrier can protect its data and insureds is by keeping abreast of when quantum standards are published and taking steps to implement hardware and software upgrades. A way to do this is by partnering with organizations that can provide resources and training on quantum computing and resilience while also notifying them when new standards and regulations are released. That way, insurers can update their technology and implement patches as soon as they are available to keep their data secure.
As the industry moves to modernize, it’s vital that carriers adopt technologies and work with partners that are proactive in protecting valuable data and take steps to promote awareness and education of quantum resilience while preventing another Y2K from occurring.