Countdown to 'Q-Day' for Cyber Insurers

Quantum computers threaten current encryption methods. Cyber insurers must assess clients' post-quantum cryptography readiness before "Q-Day" arrives.


The world is only just coming to terms with artificial intelligence (AI). But there's another technology far fewer people are talking about—one that could drive even greater social and economic disruption. Quantum computing will bring with it an extraordinary leap in processing power, but at the same time new data security risks for organizations.

For insurers, whose businesses rest on accurately assessing and pricing risk, this is a concern. And it's one that is growing by the day. Google recently brought forward its timescale for post-quantum cryptography (PQC) migration to 2029.

As a matter of urgency, insurers need to scrutinize clients' PQC road maps, as well as their own.

Quantum for good and bad

Quantum computers are powerful pieces of technology for several reasons. But most impressive are the qubits that power them. Unlike classical bits, which are either one or zero, qubits can be placed in a superposition of both states, and quantum algorithms exploit that to attack certain classes of problem that are intractable for even the fastest classical supercomputers. The speed-up is problem-specific rather than universal, but for the problems it does apply to it is dramatic. This has major implications for the insurance industry.

Quantum-powered analytics could theoretically revolutionize how data is analyzed—for example, through powerful new predictive modeling. That could help insurers make better data-driven business decisions, price risk more effectively, and even reduce fraud, among other things.

However, the negative side of the ledger is arguably even greater for issuers of cyber liability insurance. So-called cryptographically relevant quantum computers (CRQCs), running Shor's algorithm, will be capable of solving the integer factorization and discrete logarithm problems on which today's public-key cryptography (RSA, Diffie-Hellman and elliptic-curve schemes) is based, in hours or days rather than the millions of years a classical computer would need. That will be a security disaster for all the businesses that rely on asymmetric encryption, which is all of them. Protocols as ubiquitous as SSH (remote access) and TLS, the successor to SSL that secures websites, use it for key exchange and authentication. Symmetric ciphers and hash functions are affected far less: Grover's algorithm only halves their effective strength, which is why AES-256 and SHA-256 are considered quantum-safe and the migration effort concentrates on the asymmetric layer.

This is an urgent enough issue to address today, even if the timeline for CRQCs stretches into the early 2030s. But it is more critical than that. NIST warned about Harvest Now, Decrypt Later (HNDL) attacks in 2024, the same year it finalized its first three PQC standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA and FIPS 205 SLH-DSA). State-sponsored threat actors, in particular, are suspected of hoovering up large volumes of long-lived but encrypted data today, with a view to descrambling it when CRQCs emerge. Any data that must remain confidential beyond the arrival of a CRQC is therefore already exposed if it crosses the network today under classical key exchange.

Urgent questions to answer

Insurers therefore need to answer several urgent questions. First are customer-facing issues. How does the risk associated with CRQCs breaking asymmetric encryption affect future payouts? And how should that risk be factored into premium pricing? There is a reckoning coming. Smart carriers will already be looking to gain more insight into the PQC plans of their policyholders and prospects.

Next, insurers need to think about their own businesses. When CRQCs land, their own data will be at risk, unless they migrate to PQC standards and infrastructure. The final piece of the puzzle is the supply chain. Insurers need to ensure their connected ecosystem of resellers, reinsurers and brokers is also taking PQC steps to protect their data. Threat actors are past masters at finding the weakest link in the enterprise security chain. And very often, that is an under-secured partner or supplier.

Planning starts now

As of last year, just 5% of global organizations had deployed quantum-safe encryption, according to one study. Given HNDL attacks are already happening, this needs to change.

Yet moving to PQC is no simple task. Legacy systems are everywhere. Those with cryptographic algorithms hardcoded into application logic, rather than abstracted behind a replaceable provider, will be particularly time- and resource-intensive to update. Key management software will need to be redesigned around larger keys and new algorithm identifiers. Certification and compliance processes will need to be reconfigured.

Asymmetric cryptography spans the entire corporate world. It keeps financial transactions secure, websites protected and messaging chats safe from prying eyes. For organizations to truly minimize risk they will need to get PQC assurances across extensive supply chains.

To insulate themselves from future losses, insurers therefore need to start checking how their current and prospective policyholders are planning to address quantum risk. Organizations need a complete cryptographic inventory: which algorithms and key sizes they use, where they use them (protocols, certificates, libraries, hardware security modules and vendor products), what data each protects, and how long that data must remain confidential. Only then can a risk assessment rank assets so that the most critical and longest-lived data is moved to the new PQC algorithms first.
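As an added illustration that is not part of the article, the Go program below shows the shape of such an inventory check. It parses X.509 certificates, classifies each public key as quantum-vulnerable or not, and applies Mosca's inequality: an asset is already exposed to harvest-now-decrypt-later if the confidentiality shelf life of its data plus the time needed to migrate it exceeds the assumed number of years until a CRQC. The certificates are self-signed throwaways generated in-process as constructed sample input (a real inventory would take them from a TLS scan, a CA database or a key store); the asset names, retention periods, migration estimates and the eight-year horizon are assumptions for the example, not figures from the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed planning horizon (years) to a CRQC: an input to the assessment, not a forecast.
const crqcHorizonYears = 8

// Finding is one row of a cryptographic inventory for a TLS-facing asset.
type Finding struct {
	Asset             string
	KeyAlgorithm      string
	QuantumVulnerable bool // breakable by Shor's algorithm on a CRQC
	ShelfLifeYears    int  // how long the protected data must stay confidential
	MigrationYears    int  // estimated time to move this asset to PQC
	AtRisk            bool // Mosca: shelf life + migration > CRQC horizon
}

// classifyKey names the public-key algorithm; RSA and ECDSA (factoring, discrete log) fall to Shor, unknown types stay flagged.
func classifyKey(pub any) (string, bool) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", k.N.BitLen()), true
	case *ecdsa.PublicKey:
		return "ECDSA " + k.Curve.Params().Name, true
	}
	return fmt.Sprintf("unclassified %T, review manually", pub), true
}

// AssessCertificate parses a DER certificate and applies Mosca's inequality: if shelf life plus
// migration time exceeds the CRQC horizon, traffic harvested today is readable while it still matters.
func AssessCertificate(asset string, der []byte, shelfLife, migration int) (Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Finding{}, fmt.Errorf("%s: %w", asset, err)
	}
	alg, vulnerable := classifyKey(cert.PublicKey)
	return Finding{
		Asset: asset, KeyAlgorithm: alg, QuantumVulnerable: vulnerable,
		ShelfLifeYears: shelfLife, MigrationYears: migration,
		AtRisk: vulnerable && shelfLife+migration > crqcHorizonYears,
	}, nil
}

// mintAndAssess self-signs a throwaway certificate so the example runs offline, then assesses it.
func mintAndAssess(name string, priv, pub any, shelf, mig int) (Finding, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return Finding{}, err
	}
	return AssessCertificate(name, der, shelf, mig)
}

// SampleInventory assesses two constructed assets: a claims portal (RSA-2048, records kept 25 years,
// 3-year migration) and a broker quote API (ECDSA P-256, data stale within a year, 2-year migration).
func SampleInventory() ([]Finding, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	portal, err := mintAndAssess("claims-portal.example", rsaKey, &rsaKey.PublicKey, 25, 3)
	if err != nil {
		return nil, err
	}
	quotes, err := mintAndAssess("broker-api.example", ecKey, &ecKey.PublicKey, 1, 2)
	if err != nil {
		return nil, err
	}
	return []Finding{portal, quotes}, nil
}

func main() {
	findings, err := SampleInventory()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s %-12s shelf=%2dy migrate=%dy at_risk=%t\n", f.Asset, f.KeyAlgorithm, f.ShelfLifeYears, f.MigrationYears, f.AtRisk)
	}
}
```

Both sample keys are quantum-vulnerable, yet only the claims portal is flagged at risk: its 25-year retention means data captured today would still be sensitive long after the assumed horizon, whereas the quote data expires before a CRQC could plausibly read it. That is the ordering the inventory is meant to produce, and it is why the shelf life of the data, not just the algorithm, has to be recorded.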

If no such steps are put in place, insurers must assume that the risk of data exposure will continue to increase for enterprise customers as the Q-Day clock counts down.

Looking inward

Insurance companies need to look at their own systems, data and applications with the same rigor, and be prepared to make potentially painful changes to mitigate CRQC and HNDL risks.

The risk does not stop at the front door either. Data in cloud environments, at the broker's office, or transmitted via marketplaces and reinsurers could be compromised by a CRQC. It is imperative to extend PQC plans to all of these environments.

That won't always be easy. PQC keys and signatures are much larger than the ones they replace: an ML-KEM-768 public key is 1,184 bytes against 32 for X25519, and an ML-DSA-65 signature is 3,309 bytes against 64 for ECDSA P-256, which increases storage, bandwidth and certificate sizes. Processing these algorithms and carrying the larger handshakes may add latency in time-sensitive environments. And legacy hardware such as routers, HSMs and smart cards may need completely replacing if it cannot take the requisite firmware upgrades.

A regulatory imperative

However, standing still is not an option. And with regulators circling, doing nothing may even put insurers in legal jeopardy. Quantum computing promises much. But before we harness its potential, we must first mitigate its accompanying cyber risks. That work should start today.
