How much should the insurance industry worry?
Recently I was asked a tongue-twister of a question: “What are potential impacts that will arise from the cyber-security risks posed by cryptographically relevant quantum computers, and the impact on the insurance market”.
At first I thought it was just a list of buzzwords. On further consideration I realised it is a critically important topic. Below is the answer I gave.
The promise of quantum computing to create opportunities in a wide range of industries is an exciting one. The insurance industry is used to grappling with the impact of innovation and new technologies on its clients. Nowhere is that more true than in the London insurance market which, for centuries, has engaged with and insured every new technology that the world has invented, from the motorcar (which was initially classified by Lloyd’s of London underwriters as “a boat that travels on land”) to crypto wallets and the metaverse. As such, many of the changes from quantum computing will be handled in the same way underwriters have handled the arrival of mainframe computers, the internet, smartphones and the Cloud.
The potential for quantum computers to render much of our current encryption infrastructure obsolete is a specific challenge as it combines an unknown future date with a potential ‘cliff edge’ impact. Comparisons to the Y2K “Millennium Bug” fall short as the lack of a known Day 0 means it is harder to build a sense of urgency. Equally challenging is the fact — as every security expert knows — that you only need a single weakness in an end-to-end system; thus companies cannot resolve this alone but must seek an ecosystem approach.
The sophistication and experience of cyber underwriting has grown exponentially over the past decade, both in terms of understanding risks and engaging clients in risk mitigation activities. Similarly, the approach by insurers and regulators to understanding and preparing for systemic risk is constantly improving. Underwriters, brokers and cyber experts are increasingly considering the risk from QC-enabled decryption and beginning to engage clients on the topic. Market engagement has been ongoing since 2021, with events such as a presentation by the Lloyd’s Market Association and Quantum London to the CISO community, and a public webinar delivered by the Lloyd’s Lab and Quantum London with a panel of global experts. The IIL (Insurance Institute of London) is running a similar educational webinar in April 2023 combining views from academia, underwriting and broking. State-led initiatives such as the US government signing Post-Quantum Cybersecurity Guidelines into law in December 2022 are observed closely and taken into consideration by the underwriting community.
Without doubt, being unprepared for the arrival of cryptographically relevant quantum computers would lead to systemic challenges. The insurance industry globally will be working with technology and communications firms, governments, security experts, individual organisations’ CISOs and academics to understand the risks and ensure clients take the necessary steps to mitigate them. Where some risks then crystallise into problems, and losses are incurred, insurers will be there to work with their clients to minimise the impact.