IBM took part in a panel discussion on quantum computing at the ABI Annual Conference this month. During the session, Chris Redmond, Director of Operational Resilience and Digital Transformation at IBM, outlined the biggest mistakes insurers could make by waiting too long to engage seriously with quantum and postquantum risks.
This blog builds on that discussion, exploring why early action matters and what insurers should be doing now to prepare.
What is quantum and why do I need to think about this now?
Quantum computing is a new method of computation that solves problems that are intractable on classical computers in new ways.
Quantum computers are now on the cusp of advantage – the pivotal point at which quantum computers can run a computation more accurately, cheaply, or efficiently than any classical method. We expect quantum advantage to merge by the end of 2026.
Don’t expect this to arrive as a single event. It will come in waves, rippling across different industries and use cases, moving the technology forward until it achieves business value.
Strategic decisions need to be made now on quantum by insurers’ senior management and boards. These decisions come in two flavours. The first is quantum as a threat to resilience. The second is quantum as a future source of opportunities and risks.
The threat of quantum to cryptography for insurers
As quantum computers scale, they will also be able to solve certain hard mathematical problems on which today’s public key cryptography relies. A future cryptographically relevant quantum computer (CRQC) might break globally used asymmetric cryptography algorithms that currently help to ensure the confidentiality and integrity of data and the authenticity of systems access.
These future quantum computers will be among the biggest risks to the digital economy and pose a significant cyber risk to businesses.The risks imposed by a CRQC are far-reaching: possible data breaches, digital infrastructure disruptions and even widescale global manipulation. These future quantum computers will be among the biggest risks to the digital economy and pose a significant cyber risk to businesses.
Threat actors are also actively collecting encrypted data with the goal of decrypting this data later when a CRQC is at their disposal, a threat known as “harvest now, decrypt later.” A CRQC can retroactively decrypt the data, giving unauthorised access to highly sensitive information.
Insurers need to assess the value of their data and its lifespan that is at risk from harvesting now. Separately, cyber insurers need to consider the implications of CRQC risks for their clients and how they are managing them to review their cyber risk policies and the associated coverage.
From the perspective of Operational Resilience, these are threats that will limit the ability of insurers and other firms to remain within their Impact Tolerances (ITols) – in other words, vulnerabilities. Regulators expect firms to develop and implement timely, effective remediation plans for identified vulnerabilities.
What do I need to consider?
The international consensus from agencies and regulators is that this risk will become significant in the period 2030-2035. Operational Resilience requires us to work on a severe but plausible basis - emphasising focus on 2030.
Last year, the NCSC published their Guidance on Timelines for Migration to Post-Quantum Cryptography (PQC). Their expectation is that organisations prepare now.
Financial services should have an advantage over other sectors because firms should have already conducted effective resource mapping and established appropriate outsourcing registers under the UK’s Operational Resilience and Outsourcing and Third Party Risk Management requirements.
However, insurers often have a mix of legacy technology in their estates in combination with significant outsourcing dependencies. PQC migration is likely to be more complex and time-consuming for legacy technology, while the criticality and relevance of third party service providers will need to be assessed and their PQC migration efforts will need to be overseen. A good start can be made now by embedding PQC compliance into your procurement and vendor management requirements.
The latest statement from the G7 Cyber Expert Group (CEG) on advancing a coordinated roadmap for the transition to PQC in the Financial Sector reinforces the importance of acting now. The statement contains a visualisation for a non-critical system at a financial entity. 2026 represents a key point intersecting the initial key activities of awareness and preparation, discovery and inventory, and risk assessment and planning.
Source: G7 Cyber Expert Group Statement on Advancing a Coordinated Roadmap for the Transition to Post-Quantum Cryptography in the Financial Sector: January 2026
More aggressive timelines may need to be applied to the most critical areas, e.g. where systems are supporting one or more Important Business Services (IBSs), while applying extended timelines to lower-risk areas.
A proportionate risk-based approach is needed in the context of a complex, dynamic threat environment that means that PQC migration preparation is competing for resource against the likes of ransomware.
Informed, risk-based decisions require appropriate Management Information (MI). This should help you to identify what is critical and what needs to be addressed in which order.
The G7 CEG highlights the importance of integrating your PQC approaches into existing governance and risk management frameworks and technology strategies with sustained executive engagement. This as a proven recipe for success for firms and SMF24s with other digital transformation challenges such as AI adoption.
The NCSC also launched an Assured Cyber Security Consultancy Scheme to help support PQC migration efforts. This scheme gives you access to assured suppliers who can support you with discovery and migration planning, and advice. Consider drawing on this support to help you to accelerate your preparations and MI you need to establish a proportionate approach to migration.
Future Quantum opportunities and risks for insurers
The use cases that quantum will enable are uncertain. This is because quantum is not yet at a scale that can bring significant business value. We will need to learn the new kind of mathematics that it will create for us and then learn how to apply this when we have the scale.
However, we can make some predictions. The first is that we will not see quantum vs. classical computing. It will be complementary. This will be particularly the case with AI. It is highly likely that AI’s capabilities will continue to increase alongside progress to fault tolerant quantum computing. We should expect quantum to amplify each other’s impacts.
In Financial Services, we can foresee potential opportunities such as more sophisticated risk profiling through faster and more precise risk scenario simulations.
Quantum holds the potential to change the real economy. However, insurance is not an island. Quantum holds the potential to change the real economy. For example, the sectors with high potential for realisation of quantum’s opportunities include Chemicals and Materials, Life Sciences, and Manufacturing. This will have ripple effects for insurers. This could result in changes to IBSs or their ITols.
Based on our experience of digital transformation we can also predict that organisational readiness will be just as critical as tech maturity. As the tech changes, adapt your operating models, including the
Based on our experience of digital transformation we can also predict that organisational readiness will be just as critical as tech maturity. As the tech changes, adapt your operating models, including the three lines of defence.
Skills gaps also tend to emerge as new tech is adopted. Understand emerging quantum uses to inform talent development to position your firm to benefit from its opportunities.
Finally, we also know the importance of building governance, risk and compliance into transformations. Embed these capabilities early to adopt quantum in a resilient and compliant way.
What should I do now?
Act in an informed way. In addition to diving into the NCSC guidance and G7 CEG statement, you can benefit from excellent resources like IBM’s free courses on Quantum Business Foundations and a practical introduction to quantum-safe cryptography. Our IBM Consulting security, risk and regulatory experts are also happy to meet and provide advice.