Don’t Worry, It’s Encrypted

A quantum change that should have insurers on high alert Nirmal Kumar J

Today, with increased connectivity and the online presence of businesses and individuals, cryptography as the underlying technology has virtually guaranteed the protection and privacy of data or transactions. It has emerged as the last line of defense in cybersecurity for organizations. Even in a data breach, people can take refuge in the fact that hackers cannot use encrypted data. This is about to change in the not-too-distant future, courtesy of advancements in quantum computing.

Encryption mechanisms considered safe today in classical computing can be decrypted using quantum technology.1 For example, cryptography is used in automobile ignition inhibitors as a deterrent against theft, helping insurers offer a lower premium. However, this may be at risk of decryption in the quantum era. This has given rise to post-quantum cryptography (PQC), a data encryption mechanism considered safe from decryption by quantum computing.2 I believe it’s time insurers fully embrace this fact and ensure readiness by taking the necessary steps to mitigate risk.

Imminent Threat to Classical Encryption due to Quantum Computing

Encryption remains the key cybersecurity strategy to protect sensitive data at rest, in use or in transit. With applications and services using cloud computing, encrypted communication is the norm. Public key cryptography is the de facto standard for online transactions, secure email traffic, digital signatures, HTTPS sites and electronic payment systems, to name a few.3 But quantum computing can break traditional cryptography protocols used in today’s communication channels, which can have dire consequences.

It is important to note that the possibility of data breaches is not restricted to the post-quantum era. One also should be aware that encrypted data may be stolen today but preserved for decryption in the future using quantum computing. This gives rise to data harvesting by hackers. Since the transaction data may comprise nonpublic data—such as IP address, trade secrets, financials, personally identifiable information (PII), personal health information (PHI) or payment information—it can still have an adverse impact retroactively. As a result, an attack classified as no impact today may turn out to be a liability tomorrow.

Late last year IBM unveiled Osprey, the largest quantum computer yet with 433 quantum bits (quibits)—triple the previous record of 127 qubits set in 2021.4 It may not be long before quantum computing overcomes the limits of classical computing. For example, a 5,000-qubit computer is considered capable of breaking RSA-2048 (a public-key cryptosystem) encryption used in most virtual private networks (VPNs). In fact, most of the encrypted web connections today use RSA, and I believe it’s just a matter of time before such strong encryptions succumb to quantum computing.

Fallout of the Post-Quantum Era on Insurers

Insurers face a two-pronged threat due to the vulnerability of encryption algorithms in the post-quantum era:

  1. The compromise of the encryption used to secure the customer data they hold
  2. Their customers’ vulnerability to a data breach due to lack of sufficient security measures

It is therefore critical for insurers to understand the exposure areas and associated risks in a post-quantum era.

Insurers as High-Yield Targets

Insurers have a trove of customer data—from contact details, Social Security numbers and banking details of individual policyholders to businesses’ operational and financial data. Policy details, too, are among hackers’ favorite targets. Any breach of policy data can highlight policy limits and be used for ransomware attacks on customers.

According to the Shred-it 2021 Data Protection Report, insurance companies are more likely to experience a data breach than companies in other industries. The stolen data can be used as a launchpad for subsequent attacks on their customers across industries. It could trigger a cyber catastrophe. A few areas that need attention include the following:

  • Insurers hold customer data for long periods as part of regulatory compliance. Over time, the implemented encryptions might be ineffective or not strong enough for present-day technologies.
  • Most insurers mandate agencies and intermediaries to encrypt their communications and data storage. This could be another vulnerable area.

Vulnerability of Insured’s Business Data

If they don’t already, I believe insurers need to understand the vulnerabilities of their insured’s business data and the implications during risk assessment. They also should take necessary risk mitigation steps to prevent unforeseen claim damages.

Data security is paramount to the banking and financial services, retail and health care industries. Regulations such as the Data Privacy Act, Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA) have mandated encryption to prevent data breaches. However, some organizations may increasingly opt for cyber insurance to cover their data breach costs rather than enhance their security. I believe this may be a ticking time bomb for insurers and needs early redressal.

Insurers leverage Internet of Things (IoT) devices to offer personalized services. They stream and analyze vast amounts of data to provide them. While some IoT devices have encryption, it is typically basic and can be hacked.5 Even digital signatures widely used to authenticate software updates in connected devices are susceptible to quantum attacks, thus rendering them vulnerable.

Industries increasingly are adopting blockchain for applications such as smart contracts, financial settlements, supply chains, central bank digital currencies (CBDCs) and so on. Cryptography is one of the core principles of blockchain used to secure personal data, transaction data, wallets and voting systems. The $600 million hack of Axie Infinity Ronin bridge highlights the security threat involved with blockchain and its impact. Blockchain apps that aren’t quantum-resistant will be prone to exploitation in the PQC era.6

Ways to Safeguard Businesses and Readiness for the Post-Quantum Era

Businesses will need to be aware of the crypto mechanism used in their IT systems. With computational advances, strong encryption methods may be rendered weak over time. Awareness of their encryption inventory is the first step organizations should take toward being crypto agile. While regulations are still catching up, insurers and financial organizations can follow the National Institute of Standards and Technology (NIST) quantum-proof encryption algorithms. Insurers also can mandate that customers take stock of their cryptography inventory and monitor it as a prerequisite for policy coverage. In addition to tracking data repositories and encryption inventory, avoiding data retention beyond the necessary shelf life is equally important to reducing risk exposure.

Insurers hold encrypted customer data that is key for actuaries’ statistical analysis—that is, to assess risks, understand historical trends and build propensity models. Rather than decrypting sensitive data, actuaries can perform basic calculations on the data in its encrypted form using methods such as homomorphic encryption. These support math operations on cipher text, as performed on the original data. Fully homomorphic encryption involves high computational expense today, so it may be worth considering partially homomorphic encryption for simple computations. With evolving technology trends like machine learning as a service (MLaaS), such encryption methods can help mitigate risks of third-party data sharing.

Emerging quantum technologies can help address the security challenges posed by quantum threats. Quantum random number generation (QRNG) increases encryption strength using the inherent randomness of quantum properties. Similarly, quantum key distribution (QKD) comes to the rescue by providing secure key sharing, thereby avoiding key distribution risks. QRNG, QKD and quantum photonics all offer means to improve the security of IoT devices. They overcome IoT device limitations in terms of form factor and processing capabilities. According to one report, the adoption of QRNG in IoT applications is set to grow as they provide a means for a quantum-safe strategy.

Conclusion

Recently, the U.S. government enacted the Quantum Cybersecurity Preparedness Act for federal agencies, which signals that the PQC era is being viewed as a security threat. In this regard, insurers’ awareness of the sensitive data they hold and their ability to proactively guide their customers in transitioning to the PQC phase is critical. Although customers may opt for risk mitigation through insurance, coverage may not be viable without a proper risk mitigation strategy. End-to-end encryption—from mobile devices to emails to hardware with quantum-safe encryption mechanisms—is a means to improve organizations’ cybersecurity and be quantum safe. Insurers are uniquely positioned to play an anchoring role in the journey toward the post-quantum era, where starting early is key.

Nirmal Kumar J is a consultant and solution architect in the BFSI CTO unit at Tata Consultancy Services Ltd. He is based in Chennai, India.

Statements of fact and opinions expressed herein are those of the individual authors and are not necessarily those of the Society of Actuaries or the respective authors’ employers.

Copyright © 2023 by the Society of Actuaries, Chicago, Illinois.