Category: Emerging risks · Reviewed by Matt Bartlett, Director · Founder · Last reviewed 2026-06-10
Quantum computing risk insurance is an emerging line of cyber and professional indemnity cover that addresses the prospective ability of large-scale fault-tolerant quantum computers to break the public-key cryptography presently used to protect data, communications and financial systems.
The principal underwriting concern is the so-called “harvest now, decrypt later” attack: adversaries copy encrypted data today intending to decrypt it once a cryptographically relevant quantum computer (CRQC) becomes available, so any data that must stay confidential for longer than the expected time to a CRQC is already exposed. The UK National Cyber Security Centre (NCSC) post-quantum cryptography migration guidance and the United States National Institute of Standards and Technology (NIST) Federal Information Processing Standards FIPS 203, FIPS 204 and FIPS 205, published in August 2024, set out the migration framework against which insurers now assess exposure.
Definition
Quantum computing risk insurance is not a single product but a developing constellation of underwriting responses to a foreseeable but unrealised peril, including:
Cyber policy carve-backs and exclusions addressing data that has been exfiltrated whilst encrypted and later decrypted through quantum cryptanalysis.
Professional indemnity cover for advisers, auditors and technology providers in respect of negligent failure to migrate clients to post-quantum cryptography (PQC).
Directors’ and officers’ considerations for boards that fail to plan for cryptographic agility.
Bespoke parametric or named-peril cover as quantum capability and standardised PQC adoption mature.
There is no UK statute specific to quantum cryptography risk. The relevant framework is drawn from:
Data Protection Act 2018 and UK GDPR — Article 32 requires “appropriate technical and organisational measures” including encryption “as appropriate”, which over time will require migration to PQC.
FCA Handbook SYSC — operational resilience and information security obligations on regulated firms (see FCA).
PRA SS1/21 and SS2/21 — operational resilience for PRA-authorised firms.
NIS Regulations 2018 — applicable to operators of essential services and digital service providers.
NCSC, “Preparing for Quantum-Safe Cryptography” — UK government guidance (initially 2020, updated 2024) on migration planning.
NIST, FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA) — first finalised post-quantum cryptographic standards, August 2024.
How it works in practice
Insurer responses currently fall into four categories:
Exclusionary language — cyber wordings increasingly contemplate exclusion or sub-limit for losses arising from cryptanalysis of historic data using future quantum capability.
Migration warranties — affirmative requirements that insureds maintain a documented PQC migration plan consistent with NCSC or NIST guidance.
Affirmative cyber extension — limited capacity offered by Lloyd’s syndicates and specialty markets for breach-response costs and regulatory liability arising from decryption events.
Silent risk reviews — insurers conducting portfolio-wide reviews of long-tail liability and BI exposures (analogous to “silent cyber” remediation following Lloyd’s market bulletin Y5258).
Common variations and subsequent developments
PQC readiness assessments as underwriting inputs, drawing on NCSC’s three-phase migration model (discovery, planning, execution).
Crypto-agility warranties requiring policyholders to demonstrate ability to switch cryptographic primitives without service redesign.
Q-Day scenario modelling — Lloyd’s emerging risk reports and Geneva Association papers exploring loss accumulation scenarios.
Interaction with operational resilience regimes — DORA in the EU and the FCA / PRA / Bank of England operational resilience framework in the UK.
Example
A UK fintech holds five years of customer transaction data encrypted under RSA-2048. In 2026 its cyber insurer requires, at renewal, a warranty that the firm will commence migration to ML-KEM (FIPS 203) for new data in transit within 12 months and complete migration of stored data within 36 months. The policy excludes loss arising from decryption of historical data exfiltrated prior to migration, save for a sub-limited GBP 1 million breach-response extension. The firm engages its CISO and external cryptographer to deliver the migration plan and records progress against NCSC’s discovery and planning phases.
References
Geneva Association, “Quantum Risk and Insurance” working paper.
UK GDPR and Data Protection Act 2018, legislation.gov.uk.
Network and Information Systems Regulations 2018 (SI 2018/506), legislation.gov.uk.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.