Are you “quantum-ready”? How to prepare for the coming of quantum computing

May 30, 2024

By David Drogin, Head of Americas, Cyber

Few threats could be more destabilizing to our interconnected way of life than hackers able to crack the code of encryption models protecting our most sensitive data. Quantum computing will make this prospect real, possibly inside a decade, meaning anyone responsible for cybersecurity should be preparing now. The repercussions are immense for confidential communications, private information, financial transactions, government, and military operations—and for insurers underwriting cyber risks.

Encryption is a critical part of the world’s cybersecurity infrastructure. It protects data in storage and in transit, scrambling it to render it indecipherable to anyone but those with the keys to access it. The mathematical problem at the heart of most forms of cryptography involves prime factoring, or working out which prime numbers need to be multiplied together to give a particular very large number. How large? Try 617 digits long, as in the case of one of today’s most widely used cryptographic models, RSA 2048.

A classical computer would take trillions of years to crack this cryptography, but a quantum computer, albeit one many times more powerful than any in existence today, could theoretically complete the task in a matter of hours. Put simply, the dawn of powerful quantum computing will render today’s standard encryption obsolete as an effective data protection tool. Quantum’s exponentially greater computing power comes from the difference in the basic data units it uses. Classical computers use bits, which can represent either 0s or 1s in a binary code. Qubits, the bit’s equivalent in a quantum system, can represent 0 and 1 at the same time. This “superposition” characteristic allows multiple calculations to be performed simultaneously, unlocking the potential to solve previously intractable problems.
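To make the factoring point concrete, here is an added illustration (not part of the original article) showing that anyone who can factor an RSA modulus can rebuild the private key from the public key alone. The primes, message and function names are constructed for the example; the toy modulus is small enough for trial division, which is exactly what a 617-digit modulus prevents on classical hardware.

```python
# Added illustration with constructed values: a toy RSA key whose modulus is
# small enough to factor by trial division.
from math import isqrt

def make_keypair(p, q, e=65537):
    """Build an RSA key pair from two primes (textbook RSA, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)          # public key, private exponent d

def factor(n):
    """Find the two prime factors of an odd semiprime by trial division."""
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no odd factor found")

def recover_private_exponent(public_key):
    """Rebuild d from the public key alone, possible once n is factored."""
    n, e = public_key
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

def decimal_digits(bits):
    """Decimal digits in the largest modulus of the given bit length."""
    return len(str(2**bits - 1))

def demo():
    public_key, d = make_keypair(104729, 1299709)   # constructed toy primes
    n, e = public_key
    message = 42424242                               # constructed sample message
    ciphertext = pow(message, e, n)
    d_recovered = recover_private_exponent(public_key)
    return d_recovered == d, pow(ciphertext, d_recovered, n)

if __name__ == "__main__":
    print(demo())                # key recovered, plaintext read back
    print(decimal_digits(2048))  # size of a real RSA 2048 modulus
```
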

Besides the threat to encryption, quantum’s vast processing power will also enable bigger and more damaging cyberattacks. Bad actors will be able to mount disruptive malware attacks on a wider scale, process stolen data more rapidly in the event of a breach, and more effectively undermine existing cybersecurity tools.

The threat of systemic events would also increase. For example, a successful quantum attack targeting the Fedwire Funds Service, the real-time gross settlement (RTGS) system, which facilitates trillions of dollars in interbank payments every day, would have devastating consequences throughout the world economy. Analysis by the Hudson Institute estimated indirect economic losses of $2 trillion to $3.3 trillion from such an attack, eclipsing the economic damage caused by the 2008 Global Financial Crisis, or the Great Depression.

The good news is, experts believe we have a few years to prepare for this paradigm shift, although the timeline is uncertain. Tech giants including Google, Amazon, Microsoft and IBM are already developing and implementing “post-quantum cryptology,” designed to be resistant to quantum-computing attacks. The US National Security Agency (NSA) has ordered all government organizations involved in maintaining national security systems to fully implement quantum-resistant algorithms by 2033. And it’s also important to remember good actors will harness quantum computing and artificial intelligence (AI) capabilities to analyze data quicker and design stronger cyber defenses, in the continuous race to stay one step ahead of the hackers.

One of the greatest challenges for insurers is keeping up with the constantly changing nature of cyber risk. Take the shifting trends in ransomware: just a few years on from early “hit-and-run” attacks with ransoms averaging less than $100,000, today we are typically seeing opening demands in seven figures. What we learn from this type of loss-event experience is a key input into the risk models we use to guide us as we set pricing, limits, terms and conditions of cyber-insurance policies.

With many more traditional types of insurance, such as property, for which insurers benefit from data going back decades, the past can be a strong indicator of future experience. Cyber, as a relatively new and fast-changing risk, is different. At Mosaic our approach to cyber insurance combines risk transfer with risk mitigation. Insureds must meet the required standard of cybersecurity to be eligible for coverage. We partner with Safe Security, a company specializing in cybersecurity risk-quantification and management, to help insureds evaluate their resilience, plug holes, improve controls and make insurable events less likely.

In this way, Mosaic and others in the insurance industry are, like quasi-regulators, effectively raising the bar in cybersecurity and requiring organizations to implement best practice. Through this mitigation-focused relationship with our brokers and customers, insurers are playing a key role in preparing businesses for future threats.

While quantum-computer cyberattacks are not an immediate concern, they could come sooner than we expect. Several companies, like Microsoft, IBM, and Google, already offer cloud-based quantum-computing services today, indicating a spread in the availability of the nascent technology. As more powerful computers are developed, the first bad actors to acquire them are likely to be those with substantial resources, such as states or organized cybercriminal groups in Eastern Europe. Proliferation could occur through the trickledown of malware and ransomware for hire on the dark web.

We would urge organizations to start preparing to become “quantum-ready” without delay. A good start would be to:

  • Look into acquiring quantum-resistant cryptography
  • Segment the network, to help isolate data or systems in the event of a breach or attack
  • Leverage 5G private networks to provide more control over network infrastructure and reduce exposure to public internet threats
  • Use zero-trust architecture to improve resilience against any attack
  • Train staff at all levels to instill strong awareness of cybersecurity threats throughout the organization: people can often be the weak link in perimeter defenses
  • Deploy agile security practices not bogged down by a legacy system, so as to adjust and improve as technology changes

We know powerful quantum computers are coming; we just don’t know when. In the meantime, taking measures like those above will help improve resilience against any type of cyberattack, as well as meet insurers’ cybersecurity standards.

It will be worth the effort. As the saying goes, the bad actor only needs to be right once—the company needs to be right 100 percent of the time.