Post-Quantum Cryptography Exposes A Cyber Insurance Blind Spot


Insurers price the risks they can see. Cryptography is the risk they cannot. Post-quantum cryptography is about to make that blind spot expensive. Most cyber policies rest on a quiet assumption. They assume the encryption protecting a client’s data will hold. That assumption is weakening. Quantum computing threatens the math behind today’s encryption. The threat reaches underwriting, claims, and breach notification. Keyfactor stepped into that gap.

Today, the company launched the Trust Control Plane. It is a single system for managing machine identities and cryptography across an enterprise. The pitch is visibility, automation, and governance over assets that most firms barely track.

Image: an open padlock split apart to reveal exposed circuitry, captioned “The Breach You Can’t See Yet.”

Four Forces Hitting The Old Model

Keyfactor names four pressures at once. AI agents are multiplying machine identities. Certificate lifespans keep shrinking. Regulators are tightening their rules. The post-quantum reality is approaching. Each pressure strains the old way of managing trust. Together, they overwhelm it.

The company’s answer is to stop managing these in silos. The Trust Control Plane pulls fragmented tools into one system. It tracks cryptography alongside the certificates, keys, and machine identities it secures. Keyfactor describes a continuous loop. Discovery feeds risk decisions. Automation carries them out. Governance checks each step against policy.

Ted Shorter, Keyfactor’s Chief Technology Officer, says the missing piece was never the identity layer. It was the math underneath.

“There’s been so much focus on identity and the protocols,” Shorter said. “There’s been very little focus on the algorithms and the cryptography that makes all those things work.”

That gap is what the launch targets.

The Attestation Gap

Here is the part underwriters should read twice. Insurance questionnaires already ask about encryption. Compliance frameworks do the same. The answers are usually self-reported. An engineer lists what he believes is running. Nothing checks the claim.

Shorter has worked in security for more than three decades. He compares a cryptographic review to a familiar chore.


“Doing this is a little bit like looking behind your refrigerator,” Shorter said. “Once you pull it out and look, you’re surprised by what you find.” His point lands in underwriting. He describes how compliance checks often work today.

“Right now, it’s acceptable for an engineer or architect to just list off the top of their head,” Shorter said. “There’s nothing actually checking.”

That is the cyber version of an old problem. Insurers have disputed claims over inaccurate security attestations before. Multi-factor authentication was the first big fight. Cryptography is the next attestation that no one verifies.

Shorter says the industry stopped watching this layer. “Everyone took the math and the algorithms for granted,” he said. “Now that’s no longer true.”

The Decrypt-Later Problem

The sharpest question is about timing. It splits a single crime into two events.

Attackers steal encrypted data today. They cannot read it yet. They store it and wait. Quantum computers may break the encryption later. Security teams call this “harvest now, decrypt later.”

The theft leaves no obvious mark. Files are not corrupted. No ransom note arrives. The victim may never notice. The breach can sit undisclosed for years.

Now, place that inside a cyber policy. Most cyber cover is written on a claims-made basis. It responds when a claim arrives, not when the act occurred. A retroactive date sets the earliest covered event.

Consider the sequence. Data was stolen in 2026. It is decrypted in 2032. The 2026 policy is long gone. The 2032 policy may exclude the older act. The client switched carriers somewhere in between. The loss can fall through the gap.

Breach notification adds a second trap. Many state laws exempt encrypted data from notice rules. The logic assumes encryption protects the data. Harvest now, decrypt later breaks that logic. Data deemed safe today may surface as a breach years later. General counsel should note the deferred liability.


“Policies are paying in 2026 for mistakes made in 2020,” Shorter said. Long-tail payouts already exist. Quantum risk could stretch the tail further.

Why The Timeline Matters Now

Some skeptics call quantum a distant worry. Shorter disagrees on the odds.

“Ten years ago you’d get fifty-fifty; it’s a matter of time or is it ever going to happen,” he said. “Now it’s ninety-nine percent; it’s a matter of time. The only debate is how much time.”

Most credible estimates place the threat in the early 2030s. Data with a long shelf life is exposed today. Health records, financial files, and trade secrets stay valuable for years. The clock on that data is already running.

From Visibility To Action

Seeing the problem is the first step. It is not the last. Gün Akkor is Keyfactor’s Chief Product and Technology Officer. “Security teams have spent years reacting,” Akkor said. “They chase expired certificates and scramble ahead of audits.”

Shorter makes the same case about remediation. “Showing somebody something is useful,” he said. “But it doesn’t get them all the way there.”

For insurers, the message is practical. Cryptographic inventory is becoming a control worth pricing. Crypto-agility may join the list of expected defenses. The questionnaire will likely grow.

The Bigger Picture

This connects to risks CIN readers know. Machine identities drove our recent panel on agentic AI. Software dependencies drove our coverage of open-source supply chain risk. Cryptography sits under all of it. Break the math. Every layer above it fails.

FAQ – Post-Quantum Cryptography

How does quantum computing affect cyber insurance?

It threatens the encryption that many policies assume will protect client data. If that encryption fails, exposures the market priced as low risk could grow. Underwriting, claims, and breach notification are all affected.

What is “harvest now, decrypt later”?

It is an attack strategy. Adversaries steal encrypted data today and store it. They plan to decrypt it once quantum computers become capable. The theft can stay hidden for years.

Could a quantum-related breach fall outside my cyber policy?

It might. Most cyber cover responds when a claim is made, not when the data was first stolen. A theft from years earlier could miss the active policy’s retroactive date. This is a legal and coverage question for your broker and counsel.

What should companies do now?

Start with a cryptographic inventory. You cannot manage what you cannot see. From there, prioritize sensitive long-life data and plan a migration to quantum-safe standards.
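The attestation gap described earlier and the inventory step above come down to one check: compare what was actually observed against what was self-reported, and flag any Shor-vulnerable algorithm protecting data that must stay confidential past the assumed quantum threat year. The script below is an added illustration, not Keyfactor’s code; the algorithm classes, the `threat_year` default and the sample inventory are this example’s own assumptions.

```python
from dataclasses import dataclass

# Algorithm classes are this example's assumption: factoring- and discrete-log-based
# schemes fall to Shor's algorithm; the NIST FIPS 203/204/205 families are treated as safe.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class Observation:
    """One inventory entry: what was actually found, next to what the questionnaire claimed."""
    host: str
    observed: str      # key algorithm seen on the wire or in the keystore
    attested: str      # algorithm the self-reported questionnaire listed
    retain_until: int  # year until which the protected data must stay confidential


def classify(algorithm: str) -> str:
    """Map an algorithm name to its quantum risk class."""
    if algorithm in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    if algorithm in QUANTUM_SAFE:
        return "quantum-safe"
    return "unknown"


def audit(inventory, threat_year=2030):
    """Return (host, finding) pairs for attestation mismatches and decrypt-later exposure.

    threat_year is the assumed arrival of a cryptographically relevant quantum computer
    (a placeholder, not a forecast). Data that must stay secret at or beyond that year
    while protected by a quantum-vulnerable algorithm is already exposed to theft today.
    """
    findings = []
    for item in inventory:
        if item.observed != item.attested:
            findings.append((item.host, "attestation-mismatch"))
        if classify(item.observed) == "quantum-vulnerable" and item.retain_until >= threat_year:
            findings.append((item.host, "harvest-now-decrypt-later"))
    return findings


# Constructed sample inventory; hosts and values are illustrative only.
SAMPLE_INVENTORY = [
    Observation("api.example.test", "RSA", "RSA", retain_until=2035),
    Observation("vpn.example.test", "ECDH", "ML-KEM", retain_until=2027),
    Observation("kms.example.test", "ML-KEM", "ML-KEM", retain_until=2040),
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

Lowering `threat_year` widens the decrypt-later net, which is the knob an underwriter or counsel would turn when stress-testing a retention policy.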
