Key takeaways

Quantum computing is an emerging but foreseeable risk for insurers because it may undermine the encryption that protects policyholder, claims and financial data over time.

Regulators in the UK and EU are not yet mandating “quantum‑safe” solutions, but they increasingly expect insurers to show forward‑looking planning and governance around long‑term cyber and resilience risks.

Quantum risk is not just a technology issue: it affects data protection, outsourcing and cloud contracts, operational resilience, and board‑level oversight.

Insurers should use 2026 to embed proportionate quantum risk awareness into data retention, contracting and enterprise risk management frameworks, rather than waiting for regulatory or operational pressure to escalate.

As insurers move further into 2026 and beyond, emerging technology risks are no longer just theoretical issues for future planning. Increasingly, they are matters that require attention from legal, risk, compliance, and senior management teams today. One such risk is quantum computing, not because it is already widely used, but because of the scale of disruption it may eventually cause. In this article, we look at why quantum computing matters for insurers, including its implications for data protection, operational risk, and regulatory and governance risk.

Quantum computing is a new type of computing that works very differently from the computers we use today. Traditional computers process information in a simple on‑off way (using 0s and 1s). Quantum computers use qubits, which can exist in more than one state at the same time. This means they may, in future, be able to solve certain problems far more quickly than current computers.

Why does this matter for insurers? Because many of the digital protections we rely on today, such as the encryption used to protect customer data, claims information and financial transactions, are based on mathematical problems that quantum computers are expected to solve much faster. Over time, this could weaken the security of systems that insurers depend on every day.

Although large-scale quantum computing is still developing, regulators and market participants are increasingly focused on the long-term risk it creates now. Decisions insurers make today about data storage, encryption, outsourcing, and operational resilience are being taken with the growing understanding that existing security methods may not last indefinitely.

For insurance legal, compliance and risk teams, the challenge is therefore not to predict exactly when quantum computing will become mainstream, but to show that the organisation is thinking ahead and managing the risk sensibly and proportionately.

Why quantum computing matters for insurers

The main legal concern linked to quantum computing is its potential impact on the encryption that keeps digital information secure. This encryption underpins:

  • customer and claims data systems,
  • online policy and payment platforms, and
  • sensitive communications with reinsurers and business partners.

For insurers, this creates risk in three key areas:

  • Data protection and confidentiality, where customer, claims, health, or underwriting data stored today could become easier to access in the future;
  • Operational and contractual risk, especially in long-term technology, cloud and outsourcing arrangements that assume current security standards will remain effective; and
  • Regulatory and governance risk, as regulators increasingly expect firms to plan for emerging cyber and resilience threats.

Quantum risk is therefore not just a technology issue. It affects contracts, outsourcing decisions, regulatory compliance, and board oversight.

UK and EU watch points for insurers in 2026

As awareness of quantum-related risk increases, insurers in the UK and EU should keep a close eye on the following areas:

  • Data protection and encryption
    Regulators already require insurers to protect personal data appropriately. Increasingly, they are looking at whether firms are considering how secure their encryption will remain over time—especially where sensitive data is kept for many years.
  • Operational resilience and cyber risk
    Quantum computing fits within a wider regulatory focus on cyber security and operational resilience. Supervisors are placing more emphasis on forward‑looking planning and stress‑testing, not just responding to incidents after they occur.
  • Long‑term data exposure
    There is growing concern about data being collected now and decrypted later when technology improves. This is particularly relevant for insurers, given the long lifespan of policy, claims and actuarial data.
  • Outsourcing and delegated authority arrangements
    Where third parties, such as technology providers or MGAs, control security systems, insurers remain accountable. Contracts need to address what happens if security standards become outdated.
  • Governance and disclosure
    Boards and senior management are increasingly expected to show that emerging risks, including quantum‑related threats, are identified and considered as part of enterprise risk management.

Data protection, contracting and supply chain risk

UK and EU data protection laws require insurers to put in place security measures that reflect current risks and available technology. While regulators are not yet requiring “quantum‑safe” encryption, they are increasingly interested in whether firms are planning ahead in a reasonable way.

For insurers, this affects data retention policies, encryption practices, supplier contracts, and incident response planning. Firms holding large volumes of sensitive or long-term data may face particular scrutiny if future risks are not considered.

Quantum computing also highlights weaknesses in long-term technology and outsourcing contracts. Many agreements assume today’s security methods will continue indefinitely. Insurers are therefore beginning to review whether contracts:

  • allow security standards to evolve over time;
  • give rights to require upgrades or changes;
  • clearly allocate responsibility if protections fail; and
  • provide exit or remediation options if suppliers cannot adapt.

These issues are especially important for core systems, cloud platforms and claims infrastructure.

Quantum risk checklist for insurers

As part of 2026 risk planning, insurers may wish to ask:

  • Do we know where our long-term sensitive data is stored and how it is protected?
  • Are our encryption methods reviewed with future risks in mind?
  • Do our technology and outsourcing contracts allow security standards to change?
  • Is quantum risk considered within operational resilience and outsourcing governance?
  • Are third-party security responsibilities clearly defined and monitored?
  • Is this risk visible to senior management and the board?

Conclusion

For insurers, quantum computing represents a slow-burning but potentially significant risk. While the technology itself is still evolving, expectations around preparedness, governance and resilience are already taking shape in the UK and EU.

The key challenge in 2026 is to engage with quantum risk early and sensibly, building it into data protection, contracting and governance frameworks now, rather than reacting later under regulatory or operational pressure.

 

 

Authored by Karishma Paroha.
