April 6, 2026
Quantum Risk Series | Quantum Risk: Cyber and D&O Exposure
The professional insurance community has always prided itself on staying ahead of trends and technology risks, including new malware variants, evolving ransomware tactics, and shifting regulatory expectations. After the progression of privacy regulations, novel cybersecurity controls, and the evolution of artificial intelligence, what’s next? Many are saying quantum. Quantum computing represents not an evolution but a disruption, one with the potential to upend the cryptographic foundations that secure today’s digital world.
Quantum risk isn’t just a technology problem. It’s a balance sheet problem, a governance problem, and a liability problem. Cyber insurers and financial lines underwriters have every reason to pay attention now, long before quantum computers reach their full risk potential.
What is Quantum Risk?
Quantum risk refers to the threat that quantum computers will be able to break the encryption algorithms that currently protect global data, network communications, and digital infrastructure.
Today’s encryption (like RSA and ECC) relies on mathematical problems, such as the discrete logarithm problem and prime factorization, that classical computers can’t solve efficiently. Depending on the algorithm and key length, breaking it with classical computers could take anywhere from thousands of years to an estimated billion years. Quantum computers, however, use quantum bits (qubits) and quantum algorithms (like Shor’s algorithm) that can theoretically crack these protections in minutes or hours instead of millennia.
This creates two categories of risk:
- “Harvest Now, Decrypt Later” Attacks – Threat actors are already stealing encrypted data today with the expectation that they’ll decrypt it once quantum capabilities mature. Sensitive data with long-term value (health records, biometrics, trade secrets, government and financial institution communications) is especially vulnerable.
- Future Systemic Cryptographic Failure – Once quantum computers reach a certain threshold, they could render widely used encryption obsolete. That means the following could all be compromised at scale:
  - VPN (virtual private network) – software that encrypts internet traffic so eavesdroppers can’t read it. If its encryption is broken by quantum computing, attackers could decrypt intercepted data (even years later), exposing sensitive communications and undermining trust in secure channels.
  - TLS (transport layer security)/SSL (secure sockets layer) – encryption protocol that secures web traffic by authenticating servers and protecting data in transit. If quantum computers break its underlying public-key algorithms, attackers could decrypt recorded HTTPS traffic and impersonate websites, collapsing the trust model of the internet.
  - Digital signatures – cryptographic mechanism that proves a message or document truly came from a specific sender and wasn’t altered. If quantum computers break the signature algorithms used today, attackers could forge identities, sign malicious software, or invalidate the trust behind everything from software updates to financial transactions.
  - Identity and authentication systems – verify who a user is and ensure only authorized people can access sensitive resources. If quantum attacks break the cryptography behind them, attackers could impersonate users, bypass login protections, and undermine the integrity of everything from corporate networks to national-scale digital identity systems.
  - Blockchain-based assets (like cryptocurrencies and NFTs) – use cryptographic keys to prove ownership and authorize transactions. If quantum computers can break those signature schemes, attackers could steal funds by forging transactions or hijack wallets, threatening the integrity and permanence that blockchains rely on.
Governments and standards bodies (like NIST) are already racing to finalize and deploy post-quantum cryptography (PQC) because the stakes are so high.
Why Should the Cyber Insurance Community Care?
Cyber insurers are already grappling with aggregation risk, silent cyber exposure, and the unpredictability of systemic events. Quantum risk amplifies all these challenges.
- Massive Aggregation Potential – If quantum decryption breaks widely used encryption standards, losses won’t be isolated. They’ll be global and simultaneous.
- Long-Tail Exposure – Because of “harvest now, decrypt later,” claims may arise years after the initial breach. Policies written today could face losses triggered by quantum capabilities tomorrow.
- Coverage Ambiguity – Many cyber policies don’t explicitly address quantum-related failures. Is quantum decryption a “failure of security”? A “zero-day”? A “war-like” event? A “systemic vulnerability”? Ambiguity equals litigation.
- Increased Regulatory Scrutiny – Regulators are already signaling that organizations must prepare for quantum threats. Failure to adopt PQC in a timely manner could be viewed as negligence, creating fertile ground for claims.
Why Should the D&O Insurance Community Care?
Quantum risk isn’t just a technical issue; it’s a governance issue. Boards are expected to oversee long-term strategic risks, and quantum disruption is increasingly viewed as one of them.
- Fiduciary Duty and Oversight Failures – If a company fails to prepare for quantum threats, especially after regulators and industry bodies have issued warnings, directors could face claims alleging:
  - Failure to oversee cybersecurity (financial institutions are already asking their CISOs about this topic)
  - Mismanagement of emerging risks
  - Inadequate investment in PQC migration
  - Misrepresentation of data security posture
- Disclosure and Reporting Risk – Public companies will eventually need to disclose their quantum readiness. Misstatements or omissions could trigger securities litigation.
- M&A and Transactional Risk – Acquirers may inherit quantum-vulnerable systems or data that was previously stolen and encrypted. That creates:
  - Reps & warranties exposure
  - Post-close disputes
  - Shareholder actions
- Competitive and Operational Risk – Companies that delay PQC adoption may face operational disruptions or competitive disadvantages. Boards will be held accountable for strategic missteps.
Why is Now the Time to Act?
Quantum computers capable of breaking encryption may still be years away, but the risk is already active. The transition to post-quantum cryptography will take years, and organizations that wait will be exposed long before quantum machines reach full power. The current global threat landscape has heightened concerns now more than ever, with war in the Middle East and the advancement of artificial intelligence.
For insurers and boards, the key questions are shifting from “Is quantum real?” to:
- How exposed are our insureds?
- How do we underwrite quantum readiness?
- How do we price long-tail quantum risk?
- How do we protect directors from governance-related fallout?
Quantum risk is not science fiction. It’s a slow-moving but inevitable disruption that intersects directly with cyber liability, systemic risk, and corporate governance.
The organizations and insurers that prepare now will be the ones best positioned to weather the quantum storm.
Meet the Authors

Jessica Centeno, CPLP, ExecPLP, RPLU, CLCS
Senior Vice President, Cyber & Data Resilience
Jessica Centeno is Senior Vice President in the Cyber and Data Resilience practice, based in New York.
Jessica leverages more than eight years of experience in brokering cyber, media, technology errors and omissions insurance and professional liability for clients in various industries and the Fortune 1000 to manage Kroll’s relationship with the cyber insurance marketplace, including cyber response counsel, cyber insurers and cyber digital solutions providers. Jessica is responsible for providing cyber resilience advice, consultation, data, incident response services, and tools to partners and clients.
Before joining Kroll, Jessica was Senior Client Manager at Lockton. Prior to that, Jessica served as Account Executive at Gallagher.
Jessica holds a BA in English Language and Literature/Letters from Pace University.
Jessica is Chief Marketing Officer for the International Women’s Cyber Alliance, a 501(c)(3) not-for-profit organization dedicated to supporting women through educational and networking resources to be leaders in the cyber and tech industry. She is also the Chair of Career Path Programming for the Professional Liability Underwriting Society.

Brandon Welch
Managing Director, Ankura
Brandon Welch is a Managing Director at Ankura, based in Los Angeles. He has over 7 years of experience working in cyber insurance, cybersecurity, AI, and data privacy.
He is an industry leader in the world of incident management, data privacy, and cybersecurity. As a Managing Director at Ankura, Brandon is responsible for cyber insurance relationships, strategy for incident response offerings, and collaboration with all internal/external stakeholders.
Brandon leads a team of business development professionals intended to drive revenue through deep partnerships with insurance carriers, brokerage firms, privacy counsel, and other organizations by finding the appropriate cyber solution for their issue.
News Type
PLUS Blog
Business Line
Cyber Liability, Directors and Officers (D&O), Professional Liability