Where the Insurance Industry Is Right Now

Cyber insurers are not asking about post-quantum cryptography at every renewal yet. I want to be straight with you about that. If you told a client last week that their carrier was already demanding a PQC roadmap, you may have gotten ahead of the facts.

Here is what is actually happening.

Carriers are watching. The same way they watched multi-factor authentication for two years before it became a hard underwriting requirement around 2021. The same way endpoint detection and response went from “nice to have” to “non-negotiable” almost overnight once loss data started showing the gap. The pattern is consistent and the timeline is compressing.

The National Security Agency published its Commercial National Security Algorithm Suite 2.0 in 2022, mandating post-quantum migration for National Security Systems by 2030. NIST finalized FIPS 203, 204, and 205 in August 2024. The major reinsurers, the firms that underwrite the underwriters, are already running actuarial models on quantum exposure. When reinsurers price something, carriers follow. That is not speculation. That is how the market works.

The question is not whether cyber insurers will require PQC posture documentation. The question is whether your clients will be ready when they do.

What the Questionnaire Looks Like Today

Right now the quantum related questions showing up at renewal are indirect. You will recognize them if you know what you are looking for.

“Do you have an inventory of your cryptographic assets?” Some carriers are already asking this, framed as part of broader data protection controls.

“What is your process for managing certificate expiration and algorithm updates?” Standard question. The answer your client gives today is the baseline the carrier uses when they update the question in 18 months.

“Do you have documented procedures for responding to cryptographic vulnerabilities?” This one matters because PQC migration is, at its core, a response to a structural cryptographic vulnerability that affects the entire industry.

If your clients are answering these questions without a documented process behind them, they are creating a paper trail that will work against them at the first disputed claim.

What Is Coming in the Next Renewal Cycle

Based on where the market is moving, here is what I expect to see in cyber insurance questionnaires within 24 months.

“Has your organization completed a cryptographic inventory identifying RSA and ECC dependencies across your environment?”

“Do you have a documented migration roadmap aligned to NIST post-quantum cryptography standards?”

“Have you identified which systems handle data with confidentiality requirements extending beyond 2030?”

“What is your organization’s plan for addressing harvest now, decrypt later exposure for long retention data?”

None of those questions are invented. They are direct translations of what CISA, NSA, and NIST have already published as migration requirements. Carriers write their questionnaires from regulatory frameworks. The regulatory framework is already written.

What This Means for Your Practice

The MSP who runs a cryptographic inventory and produces a signed migration roadmap today is building a document their client can show a carrier. That is not a theoretical future benefit. It is a concrete deliverable with immediate value.

Think about how MFA changed your conversations. Three years before it was a hard requirement, the MSPs who were already deploying it had a story to tell at renewal. Lower premiums. Smoother underwriting. A documented reason for the carrier to price the client as lower risk.

PQC posture is the same play. The window to be early is still open. It will not stay open.

The Conversation to Have This Week

Call one client, your highest exposure account, the one with healthcare data or legal files or government contracts. Before you talk about migration or scope or billing, ask them one question.

“When your cyber insurance renews, do you know what they are going to ask you about encryption?”

Most of them will say no.

That is your opening. Not to sell them something. To show them something is coming and that you are already thinking about it on their behalf.

That is the trusted advisor move. It costs you nothing today and it banks significant relationship capital before the question becomes urgent.

The carriers are not there yet. You should be.

Stay sharp.

The Quantum Guy

The information in this post is provided for general informational purposes only and does not constitute professional, legal, technical, or security advice. Readers act on this content at their own discretion and risk; IoTSSA assumes no liability for any loss or damage arising from its use.