How worried should the insurance industry be?
Photo by Jahan Hussain on Unsplash
I was recently asked a tongue-twister question: “What is the potential impact of the cyber security risks posed by cryptographically relevant quantum computing and the impact on the insurance market?”.
At first I thought it was just a list of keywords. Upon further consideration, I realized that this is a critically important issue. Below is the answer I gave.
The promise of quantum computing to create opportunities across a wide range of industries is exciting. The insurance industry is used to dealing with the impact of innovations and new technologies on its customers. Nowhere is this more true than in the London insurance market, which for centuries has dealt with and insured every new technology the world has invented, beginning with the automobile (originally described by insurers at Lloyd’s of London as “a boat that goes on “classified land”) to crypto wallets and the Metaverse. Therefore, many of the changes brought about by quantum computing will be handled in much the same way that underwriters handled the introduction of mainframe computers, the internet, smartphones and the cloud.
The potential of quantum computing to render much of our current encryption infrastructure obsolete is particularly challenging, as it combines an unknown future date with a potential “cliff edge” effect. Comparisons to the Y2K “Millennium Bug” fall short, as the lack of a known tag 0 means it’s harder to build a sense of urgency. Equally challenging is the fact, as any security professional knows, that you only need a single vulnerability in an end-to-end system; Therefore, companies cannot solve this alone, but must seek an ecosystem approach.
The complexity and sophistication of cyber underwriting has grown exponentially over the past decade, both in terms of understanding risk and engaging clients in risk mitigation activities. Likewise, insurers’ and regulators’ approach to understanding and preparing for systemic risk is constantly improving. Insurers, brokers and cyber experts are increasingly considering the risk of QC-assisted decryption and are starting to attract clients to the topic. Market engagement has been happening since 2021, with events such as a presentation to the CISO community by Lloyd’s Market Association and Quantum London and a public webinar hosted by Lloyd’s Lab and Quantum London with a panel of global experts. The IIL (Insurance Institute of London) is hosting a similar educational webinar in April 2023, combining views from academia, insurance and brokerage. Government initiatives such as the US government signing of the Post-Quantum Cybersecurity Guidelines in December 2022 are being closely monitored and considered by the underwriting community.
Being unprepared for the arrival of cryptographically relevant quantum computers would undoubtedly lead to systemic challenges. The insurance industry worldwide will work with technology and communications companies, governments, security professionals, CISOs of individual organizations and academics to understand the risks and ensure customers are taking the necessary steps to mitigate them. If some risks then become problems and losses arise, insurers will work with their clients to minimize the impact.
