KEY TAKEAWAYS:
--Due to quantum computers' ability to solve problems like prime number factoring, which is used to protect internet communications, this technology poses a significant threat to the security of traditional cryptographic systems.
--Insurers must not only switch as quickly as possible to encryption algorithms that are impervious to quantum computing but must develop cryptographic agility, which allows them to switch encryption methods and algorithms as needed.
----------
As the world becomes increasingly reliant on connected technology, the threat of cyberattacks and data breaches continues to grow. These breaches can have significant financial and reputational impacts on businesses and organizations, and insurance companies have stepped in to offer protection against these risks.
The impact of security breaches can be severe, not only for the affected company and its customers but also for their insurers, investors and shareholders. The Firewall Times report on data breaches shows several high-profile data breaches at Discord, T-Mobile, Yum Brands and Uber, among others, just in recent months. The T-Mobile breach exposed personal information of 37 million customers. Past historic breaches where hackers gained access to sensitive information such as Social Security numbers, birth dates and addresses of over 100 million Americans had a significant impact on the insurance industry, with insurers facing payouts in the range of half a billion dollars.
These examples highlight the critical role insurance companies play in covering the costs of cyberattacks. The examples also underscore the need for insurance companies to keep up with the ever-changing nature of cyber threats and invest in new technologies to protect their customers. And a new form of computing is causing concern.
Quantum computers are a new breed with the capability to break the current public key encryption we all use. Insurance companies must evaluate this technology and its risks to continue providing effective cybersecurity protection coverage for themselves and their customers.
Quantum computing is a revolutionary technology that promises to solve certain complex problems that are impossible for classical computers. However, due to the ability to solve problems like prime number factoring, which is used to protect internet communications, this technology poses a significant threat to the security of traditional cryptographic systems. As quantum computing continues to advance, businesses and governments must protect against potential security threats.
The National Institute of Standards and Technology (NIST) is leading the charge in protecting against quantum computing threats. NIST is responsible for setting standards and guidelines for cryptographic systems used by the federal government and businesses. In 2016, NIST launched a competition to develop quantum-resistant cryptographic algorithms, known as post-quantum cryptography (PQC). In 2019, NIST announced the finalists for its PQC competition, which included 17 algorithms. These algorithms underwent further testing and analysis to determine their effectiveness and suitability for widespread adoption. In 2022, NIST announced four finalists, with four more being researched. As of December 2022, U.S. federal agencies are now required to shift to post-quantum security, with their private-sector vendors likely following suit.
PQC algorithms are designed to resist attacks by quantum computers. These algorithms use mathematical problems that are believed to be computationally difficult for both classical and quantum computers to solve, providing an extra layer of protection for sensitive data.
A critical component for post-quantum cybersecurity solutions is cryptographic agility, which involves the ability to switch encryption methods and PQC algorithms as needed. By adopting a framework for post-quantum cryptography and cryptographic agility for themselves and their customers, insurance companies can stay ahead of the curve and quickly adopt new encryption methods as they are developed. This approach can help to mitigate the risks of quantum computing and ensure that customer data remains secure.
See also: Quantum Technologies, Cybersecurity and the Change Ahead
Insurance companies have not developed products that provide risk protection against cyber security attacks specifically from quantum computing. With "steal now, decrypt later" (where cyber thieves hack into systems and steal data that they can't decrypt now but will decrypt later once they have a powerful enough classical or quantum computer) businesses might already be vulnerable, and the loss might not be adequately factored into the lifetime revenue of cyber products. However, some insurance companies are taking the lead by getting involved in quantum computing through quantum accelerators and innovative startups. This method has let many industry leaders dip their toe into quantum computing technology and understand the future opportunities and risks of this new technology.
Startups that have graduated from these accelerators have already developed post-quantum crypto-agile products that can be easily integrated into existing systems. One example is QuSecure. Their Post-Quantum agile products are already being evaluated in government agencies. These products provide secure communications and data protection resistant to attacks by quantum computers. By following the direction NIST and U.S. government agencies are taking and bringing these necessary risk management products and technology solutions to their customers, insurance companies can improve their own future bottom line and their customers' reputations by reducing quantum cyberattacks that happen down the road.
Insurance companies have a critical role to play in protecting businesses and organizations against the financial and reputational damage caused by cyberattacks and data breaches. However, as the threat landscape evolves, insurance companies must stay ahead of the curve by adopting new technologies and solutions. They can go a step further by connecting with existing companies providing post-quantum cryptography and cryptographic agility. By embracing these technologies, insurance companies can improve their bottom line by setting security policies and standards for their customers and ensure the security of their customers' data even if it gets in the hands of a nation state-sponsored quantum hacker today.
