Claim your CPD points
Unlike nuclear fusion (despite recent developments there [1] ), quantum computers capable of solving significant problems [2] may be only five to ten years away, and the potential risks and opportunities they pose are materialising now. These will affect organisations that actuaries advise, and Appointed Actuaries may consider referencing them in Financial Condition Reports (FCR) now: the Australian Signals Directorate (ASD) recommends [3] that by the end of 2026, every Australian business develops a plan to secure against quantum computing capabilities by replacing traditional asymmetric cryptography by the end of 2030.
And acknowledging the ASD recommendation, “APRA wants to see our regulated entities at least starting to map where cryptography is relied upon across their systems, data, and third-party providers, including long-lived data and critical infrastructure. Over the coming year, we intend to step up our supervisory engagement on this issue too - commensurate with the threat. We will want to see evidence that boards understand the risk, recognise their obligation to act and are advancing plans to meet the ASD’s recommended timeline”. [4]
Current quantum computers are fragile, with physical challenges to building one that can solve real-world problems, but considerable research and investment efforts are being made around the world today. And while a general-purpose quantum computer is unlikely to replace general-purpose classical computers for many applications, quantum computers may create significant breakthroughs for solving certain types of problems, including cryptography and optimisation. And those breakthroughs may be highly disruptive across economies as well as sectors.
A key risk of quantum computing is its potential to break the most widely used asymmetric encryption algorithms that currently underpin the privacy and security of our online lives.
Such algorithms depend on mathematical problems that are easy to calculate in one direction given the inputs, but difficult to reverse without knowing a secret ‘key’. These include cryptographic algorithms such as the Rivest-Shamir-Adleman (RSA), Diffie-Hellman (DH), Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA) primitives. [5] However, they all belong to a class of mathematical problems known as the ‘Hidden Subgroup Problem’, which can be broken by a quantum computer running Shor’s algorithm [6] .
While “cryptographically relevant quantum computers” (CRQC) – those capable of breaking traditional cryptographic algorithms – may be years away, an important question for insurers (and any corporation that holds personal, private or sensitive data) is: what would happen if our encrypted data were stolen now and decrypted using quantum methods years later? Data that remains sensitive for a long time, such health data or intellectual property, may already be at risk.
In contrast to asymmetric encryption, Post Quantum Cryptography (PQC) uses algorithms that currently appear resistant to decryption by quantum computers. The US National Institute of Standards and Technology (NIST) has published three standards for PQC algorithms to address general encryption and digital signatures. The algorithms are based on different mathematics (two on structured lattices, and one on hash functions) that are believed to be not easily solvable by quantum or classical computers. [7]
Transition to PQC is expected to be expensive and take time, requiring hardware and software changes, as well as needing to work with data encrypted by current as well as the post-transition standards – some estimate 10-20 years. [8] There are also different opinions as to how much CRQC development might occur in secret. CRQC may operate earlier than is publicised, as some developers may silently advance their own, for potentially nefarious, purposes, rather than advertising their capability.
One formulation of the risk is Mosca’s Theorem, which states that: if the shelf-life of the data plus the migration time exceeds the time to when a CRQC would appear, then there is a problem today. [9] For context, early estimates are that CRQC could arrive by 2029-2030, which already puts organisations under threat if they have even a five-year transition timeline.
Marvin Ivezic presents a compelling article Post-Quantum Negligence: Legal Risks of Failing to Prepare for the Quantum Threat [10] which not only considers the so-called “Harvest Now, Decrypt Later” (HNDL) strategy [11] for stored data but also “Trust Now, Forge Later” (TNFL) [12] , essentially the digital-signature equivalent of HNDL, and potentially even more disruptive [13] .
For the Appointed Actuary preparing an FCR today, questions relevant to how quantum computing might impact the insurer’s future business prospects and operations might include:
Having identified the potential problem, actuaries could help organisations to address it by:
But where there is risk, there is (or should be) opportunity.
Quantum computers pose risks to the wider business community and society that need to be effectively managed. An insurer might consider: what changes to current cyber or public liability covers could help clients and develop additional profitable revenue streams?
And what currently intractable problems are there for insurers or their clients that more reliable quantum computers might enable? Optimisation problems or those involving Monte Carlo simulation techniques may be close to tractable solutions, and actuaries are already addressing how quantum computing might be applied to developing internal models for quantitative risk management [14] .
The potential to undertake more extensive simulations in a quantum environment than is practical with classical computing – beyond considering solvency measures alone – may create opportunities for those individuals and corporations who become involved in the process early. This includes finding ways to efficiently encode multivariate distributions, map polynomials to qubits, and construct large quantum circuits in the quantum realm.
Then again, many people set out in a gold rush, but few (and usually only the suppliers of tools, food and alcohol rather than the miners themselves) make any money out of such enterprises…
Perhaps these opportunities are less relevant to the FCR and more to business development team discussions, but actuaries can hopefully help raise awareness and contribute.
PS 102 states that in preparing an FCR, the “assessment criteria and the reasons for conclusion can be based on both financial (e.g. capital adequacy, profitability of product) and non-financial assessments (e.g. reputation risk and the Entity’s operating environment), to the extent that non-financial risks may impact on the future financial position of the Entity.”
There may be significant transition costs for insurers in protecting their own systems, and potential liabilities arising from their own or their clients’ failures to do so, so the financial costs to an insurer could be significant, let alone the reputation costs if (or when) such circumstances emerge. These are likely relevant considerations for the Appointed Actuary advising the Board about an insurer’s emerging financial condition.
And as a profession we need to keep watching the world around us and how it may impact our clients, as well as seeking opportunities for our own futures.
For actuaries wanting to go deeper, the Actuaries Institute's Quantum Computing for Actuaries Insights session on 28 July, delivered with Quantum Australia, unpacks realistic timelines, use cases and what a post-quantum world means in practice.
[1] refer Trevor Matthews’ paper “ Prepare for the Fusion Investment Opportunity? ” A paper prepared for the Australian Retired Actuaries Group meeting 7 May 2026
[2] devices capable of sustaining the physical conditions to undertake quantum computing at scales necessary to do so
[3] Planning for post-quantum cryptography. https://www.cyber.gov.au/business-government/secure-design/quantum/planning-for-post-quantum-cryptography
[4] APRA Deputy Chair Therese McCarthy Hockey's remarks to the 2026 AFIA Risk Summit. https://www.apra.gov.au/news-and-publications/apra-member-therese-mccarthy-hockeys-remarks-2026-afia-risk-summit#toc-quantum-of-concern
[5] ‘Asymmetric key cryptography’, IBM Quantum Learning https://quantum.cloud.ibm.com/learning/en/courses/quantum-safe-cryptography/asymmetric-key-cryptography
[6] https://quantum.cloud.ibm.com/learning/en/courses/fundamentals-of-quantum-algorithms/phase-estimation-and-factoring/shor-algorithm
[7] ‘NIST Releases First 3 Finalized Post-Quantum Encryption Standards’ (13 August 2024). https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
[8] Katie Hunt, ‘A quantum computing deadline looms. It threatens to kick off the biggest cybersecurity crisis ever’, CNN Science (17 May 2026). https://edition.cnn.com/2026/05/17/science/quantum-computing-cybersecurity-q-day
[9] Michele Mosca, ‘Cybersecurity in an era of quantum computers: will we be ready?’. https://eprint.iacr.org/2015/1075.pdf
[10] https://postquantum.com/post-quantum/legal-risks-quantum/
[11] https://postquantum.com/post-quantum/harvest-now-decrypt-later-hndl/ , where a breach may occur today (data exfiltration), even if the actual harm (decryption of sensitive information) only manifests years later when quantum decryption becomes feasible.
[12] https://postquantum.com/post-quantum/trust-now-forge-later/
[13] “Today we implicitly trust digital signatures and certificates (for software updates, contracts, identities, etc.) as proof of authenticity, but a future attacker with a quantum computer could forge those signatures at will, undermining their validity. In practical terms, any document or record signed with vulnerable algorithms (RSA/ECDSA) today – from legal contracts to software code – could be falsified in the future while still appearing authentic.”
[14] Muhammad Ahmer Amjad, Quantum internal models for Solvency II and quantitative risk management, British Actuarial Journal (2025), Vol. 30, e1, pp. 1–41. https://www.cambridge.org/core/journals/british-actuarial-journal/article/quantum-internal-models-for-solvency-ii-and-quantitative-risk-management/B4C79AC89C6758240C97237672B1218E
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivatives CC BY-NC-ND Version 4.0.
From natural hazard pricing to claims analytics, explore actuarial perspectives on Australia's general insurance sector
Subscribe to Actuaries Digital for free and receive the latest actuarial analysis, research, and commentary direct to your inbox