TechTalk: Is the cyber insurance world prepared for quantum computing?

Quantum computing certainly sounds like it belongs in the world of science fiction to the layperson, but as this technology advances from theoretical promise to practical reality, it will create a seismic shift in the cyber security landscape – and require the attention of the cyber insurance market.

The ins and outs of the technology are astronomically complex – and mostly unnecessary to lay out here – but, essentially, quantum computing represents an exponential leap forward in compute power.

Unlike in traditional binary computing, where all information is represented as ones and zeros, quantum computers utilise the principles of quantum mechanics to run on qubits, which can be both one and zero at the same time. 

This allows quantum computers to perform computations in parallel, meaning complex problems can be solved faster.

Companies such as International Business Machines Corporation (IBM), Google and Microsoft are exploring the applications of quantum computing in fields such as drug design and financial modelling, but another more concerning use case lies in quantum computing’s ability to easily break widely used encryption models, like RSA and ECC, which protect much of the world’s sensitive digital infrastructure. 

Alex Jomaa, chief underwriting officer at cyber insurance provider Onda, told Insurance Times: ”Quantum computing means that the modern encryption that we rely on to do everything – including sending protected emails, bank transfers and accessing websites without people snooping – gets completely eliminated. 

”The concern is that the computing power is at such an advanced level that it could break encryption and render all security infrastructure null and void.

”It’s a bit like defending a castle’s walls when the people operating the siege have developed cannons – it worked for a long time, but it won’t now.” 

Scalable technology 

While fully functional quantum computers are not yet available, especially to the public, the technology is quickly becoming more and more viable. 

In the middle of 2024, IBM released its first commercially available quantum computer and said it would build the world’s largest by linking smaller machines together in 2025.

And, on 14 January 2025, Microsoft’s chief operating officer for strategic missions and technology, Mitra Azizirad, wrote that the firm had recently “successfully created and entangled 24 logical qubits”.

She added: ”Looking towards the next 12 months, the pace of quantum research and development is only going to accelerate, making this a critical and catalysing time for business leaders to act.” 

It is currently incredibly difficult to gain access to a quantum computer and thus, at least for now, the risks to cyber security posed by the technology are low. 

But as quantum computing proliferates, cyber insurers must be aware of the risks posed.

CFC Underwriting’s global head of cyber, James Burns, told Insurance Times: ”This is an incredibly complex area and the industry is going to have to spend a lot of time and energy to properly understand the risk factor that quantum may pose to business operations and security – and thus, the impact on cyber insurance.” 

Jomaa explained that both Onda and the wider security industry’s cyber threat monitoring had not turned up any cyber attacks that showed evidence of quantum computing being used to break encryption.

That is not to say, however, that cyber criminals are not betting big money on this technology becoming a viable weapon in their arsenals soon. 

Freddy Knight, former co-founder and innovation director at Optimum Specialty Risks and cyber and technology consultant for the insurance market at Knightworks Strategies, explained: ”I’ve seen from claims data that there have already been over 100 of what I would call quantum ready attacks where groups are harvesting huge amounts of encrypted data. 

“There is no reason, with today’s technology, for threat groups to be harvesting that much encrypted data that they can’t do anything with, so why are they spending millions of dollars attacking large organisations to steal nothing but that?

“It leads me to believe that they’re harvesting that data now to unlock it once they’ve got access to a quantum system to break encryption.” 

Industry response

So, with quantum computing rapidly advancing, should cyber insurers be worried? Standard policies protect against interruption of business from cyber attacks and most underwriters will insist on varying levels of risk mitigation from their insureds. 

But, when this level of security eventually becomes obsolete, how can insurers respond? 

David Basson, tech expert and former business advisor to UK insurers for Japanese telecommunications giant NTT Data, explained: “What happens with every cyber arms race is that, when the attacks get better, so do the defences. 

“What will happen here is, once there have been quantum hacking attacks, companies will buy quantum defences and encryption – and the walls with get higher. 

“However, most firms want just enough security, so it will probably take one or two major quantum attacks for companies to think about security in these terms.” 

This is where insurers can help to create a quantum secure economy and commercial environment, through proper preparation and support for insureds.

Jomaa noted: ”For every security measure, there is always an offensive counter measure – it’s the standard arms race.

”With quantum computing being able to break traditional encryption, the response is to use quantum encryption standards, which would bring the level of protection back up to what we’re used to. 

”Cyber insurers wouldn’t be able to develop those counter measures themselves, but threat intelligence can be woven into underwriting to ask insureds how they would defend against this type of attack, which then develops knowledge of effective counter measures [for the insurance market].”

Knight added: ”It’s important that we don’t underestimate the ability of reinsurers, carriers and insurers to adapt to emerging threats because, realistically, none of them are going to be caught off guard by quantum. From an underwriter’s perspective, I’m not sure that we’re going to run into too many hurdles.

“Where we’re going to run into problems is maybe around explaining the concept of quantum to policyholders, because actually understanding the technology requires you to have an understanding of the universe [that is] completely different to what you’ve always been taught. 

“However, the fundamental point is that policyholders don’t need to understand the technology. Basically no one in the cyber insurance market knows how to code malicious software, but they don’t need to understand the technology that drives the risk – they just need to insure against it.

“It’s the same with quantum. Insurers can hire experts and develop teams, but all policyholders really need to be sure of is that, if the shit hits the fan, they can still pay their staff at the end of the month.”

The insurance market has traditionally innovated new covers and adapted to the changing world – tackling developing risks is pretty much what the market does. 

Quantum computing may well represent a fundamental shift in computing power and technology, but barring an apocalyptic sci-fi horror, the market is well placed to respond. 

Jomaa said: ”We’re all alive to this risk and are constantly monitoring for it. But while quantum computing is groundbreaking, it’s not here yet.”