The Doomsday Clock Speeds Up For Cyber Underwriters

Sometimes, I do a pretty good job at spotlighting a future issue – though sometimes it happened so long ago I have to remind myself what I actually wrote initially. I do feel overall like some of my older writings are more valuable than recent entries, so when there is an opportunity to go into the archives and update a past piece with new information, I think it is worthwhile to do so.

Thus, today we’ll look back at two prior theses. The first was about how cyber underwriters will always be behind the curve and the other is that, more specifically, quantum computing would eventually destroy modern encryption which creates large cyber vulnerabilities (as well as ending the value of all cryptocurrency).

I certainly don’t get every prediction right, so what follows isn’t meant to be a victory lap. In fact, victory is not yet assured, though I do think the odds have risen substantially in my favor.

However, two recent events illustrate why underwriters should have been paying more attention to these concerns. But first, let’s do a brief recap of the prior pieces to set the table.

Ian’s Law of Cyber

I first wrote about this five years ago. My Cyber Law is:

the bad guys will come up with new tricks twice as fast as the insurers figure out the old ones.

Given this, cyber risk is uninsurable. Insurers are always using outdated loss curves and will never have enough IBNR to anticipate future threats.

Three years ago, in the wake of AI, I wrote a follow up piece suggesting AI would accelerate Ian’s Cyber Law, as it would not just keep the bad guys further ahead of insurers but allow them to deploy attacks at greater scale and at lower cost.

Sorry to give you a spoiler, but, as you’ll see below, this is exactly what is about to happen.

Quantum Entanglement

Entanglement is a concept in quantum physics where two particles can be light years apart but act in concert. It seems improbable but has been proven true.

However, I am talking about a different entanglement. The entanglement in the world’s security apparatus when quantum computing is widely deployed. When I wrote about this last (at the dawn of Covid), my focus was on how quantum would someday end modern encryption.

The short story is all modern encryption techniques assume a world where code is made of 0s and 1s, not one where it can possibly be 0 and 1 at the same time. This means when quantum computing arrives all of your passwords are toast and hackers can take whatever they want (it also suggests everyone’s Bitcoin will be stolen).

In other words, it’s Cyber Armageddon. And – another spoiler alert – it’s closer than you think.

Mythos

Many of you have probably heard about Mythos by now. It’s the new release from Anthropic that is far more advanced at finding cybersecurity risks than anything else before it.

That may sound like good news! Mythos can help companies patch their networks and prevent attacks. That is true, up to a point.

The problem is, Ian’s Cyber Law also applies to corporate IT departments, not just insurers. In other words, the bad guys will use Mythos to exploit vulnerabilities before companies can build new defenses.

This means massive cyber losses. In fact, the risk is so massive that Anthropic has had to restrict access and delay its wider release out of fear it will provoke a catastrophic cyber attack.

While some experts suggest Anthropic has overhyped the risk, their actions (refusing to release the model) suggest otherwise and, let’s be honest, we’re mainly debating when an AI model will be able to defeat most IT networks not whether it will happen.

Quantum 2029

The other big story got far less attention but arguably is an even bigger risk than Mythos. Google recently announced they expect quantum computing to be a reality by 2029. This accelerated the timeline vs. the prior 2035 expectation.

That means we are potentially three years away from a new supercomputer being able to break into all your bank accounts. Yes, this problem will be bigger than just cyber insurance (it brings to mind the philosophy some have around writing nuclear “if we have nuclear insured losses, we probably have much bigger problems than insurance solvency”).

There is arguably time for savvy insurers to sneak in some new contract language saying “losses caused by the arrival of quantum computing will be excluded” but I doubt, based on history, that many insurers are going to be this proactive.

What’s A Cyber Insurer To Do?

Quit.

No, seriously, quit. You shouldn’t be writing this stuff. Take Ian’s Cyber Law seriously.

If you are going to write it, you should be charging something like 25% of the limit or have massive exclusions for AI and quantum advances – in which case, nobody will buy your product.

It is not a viable line of business and never will be.

Worse, from a societal standpoint, cyber insurance doesn’t, like most insurance products, spread the cost of cyber claims across many. Instead, it increases aggregate losses leaving everyone worse off. Bad guys view insurance as another deep pocket available to pay their ransoms. Like quantum physics, “observing” cyber risk – by insuring it – can change its outcome.

We should be making it harder for hackers to get away with attacks, not easier. Cyber insurers are enablers of cyber crime.