Part three of Qrypt’s “Understanding Quantum Risk” series of articles.
Hurricane Andrew holds an especially fearful grip on the memories of insurance industry veterans. In one day, losses were so high that at least eight insurers became insolvent, and the property and casualty business was never quite the same afterward. In retrospect, the possibility of such an event should have been foreseen. Nobody could have predicted exactly what year a storm like that would hit. Still, the idea that a category five hurricane could eventually strike South Florida and cause widespread total losses of over $15 billion (about $50 billion in today’s dollars) was something that could have been anticipated through adequate rates and underwriting.
There is another predictable storm ahead for the insurance industry. This time it is likely to hit the cyber liability market rather than property and casualty. Insidiously, occurrences are probably already taking place which will eventually cost the industry dearly.
Quantum computing has advanced tremendously over the past decade. Much of the impetus towards investment in quantum computing R&D came from the publication of Shor’s algorithm in 1994. This was a method proposed by mathematician Peter Shor for factoring, which can only be implemented using a quantum computer, and has implications for breaking RSA encryption. This was the one of the first demonstrations of how a quantum computer could do something that a classical computer could not, and it contributed to accelerating efforts toward building useful quantum computers.
Dozens of companies, universities, and governments now have working quantum computers. New generations of hardware tend to appear every six to 18 months, and one of the basic tests of how powerful they are is whether they can run Shor’s algorithm, getting ever closer to breaking RSA. The point when that happens is sometimes referred to as “Q Day.”
RSA is the encryption standard in which most of the data on the internet is moved around. It’s the math that stands between sensitive data and bad actors who would exploit it either directly or through ransoms. When it gets cracked, the total losses will be massive.
The US federal government has taken this threat very seriously. A combination of legislative acts and executive orders have directed government agencies to quickly develop and adopt new quantum-safe encryption standards by the end of 2024. The government’s urgency in addressing the quantum threat isn’t because they think RSA will be broken by the end of 2024 – it could take years more for quantum computers to advance that much. It’s because data is already being harvested on a massive scale and will be stored until sufficiently powerful quantum computers are available to decrypt it. In other words, all harvested data encrypted in the past, now, and in the coming years will rapidly become exposed once quantum computers hack RSA. That’s a national threat of untold proportions. No wonder this threat has spurred congressional committees to act urgently with unusually bipartisan legislation and policy-making during a time of historically intensive partisanship.
Unfortunately, the insurance industry is failing to take heed of the same threat. Thousands of cyber liability policies that include prior acts coverage have been renewed year after year without accounting for the quantum Hurricane Andrew that will eventually strike.
Intercepting this encrypted data is not especially difficult. The fact that RSA has been so secure in the past has led to minimal protections as it travels through the internet. Unless administrators are particularly sloppy in generating keys (typically due to using poor sources of entropy to source random numbers), there hasn’t been anything harmful that criminals could do with the encrypted data.
Medical records, credit information, social security numbers and industrial secrets are all at risk. When this data gets decrypted, it will be ripe for sale, exploitation, and ransom.
Some of the world’s most powerful quantum computers are available for public use right now on major cloud services. Major quantum computing providers make their newest generations of quantum hardware available online as quickly as possible for a fee. This is, after all, a business. There may also be quantum computers that are less visible, sponsored by, and available to actors supported by nation-states. It’s difficult to know how advanced these systems are.
When the first systems capable of cracking today’s asymmetric encryption like RSA are available, we should expect a storm of losses and claims as criminals rush to cash in on their stored, stolen data. Plus, a steady stream of real-time data losses by organizations that have not completed a post-quantum migration at all.
According to the Harvard Business Review, several insureds already each had a total liability limit of a billion dollars in 2020. Many more have limits in the hundreds of millions of dollars.
“Our research indicates that there are approximately 500 companies buying [limits between $100-$199 million], the HBR wrote, “and they represent another 25% of global insurance premium (maybe even a bit more than that). It would only take a handful of losses to wipe out the $1.44 billion in premium they generate.”
That’s just looking at some of the insureds with the highest limits. There are thousands of smaller to mid-sized businesses like clinics, accounting firms, and retailers with lower individual limits that could start to add up when quantum computers capable of breaking encryption are available through the cloud. The insurance industry cannot predict exactly when this will happen any more than it knew that Hurricane Andrew would hit in 1992. Still, the industry can adopt underwriting practices right now that limit exposure.
When the cryptographically relevant quantum computer arrives, the innumerable occurrences of captured data will begin to be decrypted. Years’ worth of cyber liability claims all piling up potentially within months of each other — a perfect storm of losses which will prove challenging to reserve against.
The data being captured right now, while you are reading this, is already money out the door so long as policies are renewed with prior acts coverage. Exposure could be limited by refusing to provide coverage for prior acts. Still, even the losses against policy terms in force during Q-Day could be large, and sophisticated insurance customers will insist on buying policies that include coverage for prior acts.
The solution lies in underwriting standards. Asking on applications if customers are planning or adopting quantum-safe, or better quantum-secure, encryption can be a factor in deciding rates. For some situations where data has only short-term value, quantum-safe solutions like NIST PQC and incorporating crypto-agility could be sufficient. In other situations where data has longer term value, fully quantum-secure solutions should be required to reduce risk.
Qrypt offers quantum-secure cryptography that completely protects against the threat of quantum computers. Based on Claude Shannon’s work on perfect secrecy, Qrypt Quantum Security makes it impossible for even quantum computers to decrypt your policy holders’ sensitive long-term data. To learn more, sign up for our newsletter on our home page or contact our sales team at info@qrypt.com.
