US Quantum Executive Orders Force Insurers to Confront Post-Quantum Cyber Risk

Post-quantum cyber risk is now US policy: two White House executive orders signed June 22 set 2030-2031 migration deadlines for federal systems — and name the harvest-now-decrypt-later threat cyber insurers have yet to price.

Post-quantum cyber risk moved from academic concern to regulatory mandate on June 22, 2026, when the White House signed two executive orders requiring federal systems to adopt NIST-approved cryptography standards — and explicitly naming the “harvest now, decrypt later” threat that cyber insurers have not yet priced. With premiums still falling after ten straight quarters of pricing decreases, underwriters face an uncomfortable question: is existing coverage language already generating unquantified tail exposure?

What the June 22 Orders Actually Mandate

The first order, Securing the Nation Against Advanced Cryptographic Attacks, establishes US policy to transition all federal information systems to NIST-approved Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography (PQC). The deadlines are hard: all High Value Assets and high-impact systems must migrate to PQC for key establishment by December 31, 2030, and complete the transition to PQC for digital signatures by December 31, 2031.

The second order, focused on quantum innovation, directs the NSA and Director of National Intelligence to identify the national security implications of the increasing scale and performance of commercial quantum computers, including implications for the migration to post-quantum cryptography. Together the two orders signal that Washington no longer treats large-scale quantum decryption as a distant theoretical risk.

The technical baseline was set earlier: NIST finalized FIPS 203, 204, and 205 on August 13, 2024, after an eight-year evaluation process. FIPS 203 specifies ML-KEM (key encapsulation, based on CRYSTALS-Kyber); FIPS 204 specifies ML-DSA (digital signatures, based on CRYSTALS-Dilithium); and FIPS 205 specifies SLH-DSA, a hash-based backup digital signature scheme. These are now the mandated standards federal contractors and regulated entities will be expected to adopt. NIST’s own guidance sets a broader goal: migrate the most sensitive systems no later than 2035.

Harvest Now, Decrypt Later: The Liability Already on the Books

The June 22 order is unusually candid about the mechanics of the threat. It acknowledges directly that ongoing cyber activity against the nation presents the risk of adversaries collecting United States information now, and decrypting it later once large-scale quantum computers are operational. This is not a hypothetical future event — it describes data exfiltration that is, by definition, already happening.

The Federal Reserve reached the same conclusion in its own analysis: a bad actor can obtain a replica of encrypted data, harvest it, and in the fullness of time reveal previously confidential information using a sufficiently powerful quantum computer. The implication for cyber insurers is structural: breaches that occurred under policies already written — and closed — may trigger claims years from now when decryption becomes feasible. Coverage wordings that define a breach as the moment of unauthorized access do not obviously anticipate that the damage surfaces on a ten-year delay.

This creates a category of latent liability with no clear analogue in current actuarial models. Unlike ransomware, where the loss event is immediate and measurable, harvest-now-decrypt-later exposures accumulate silently. Insurers writing broad data-breach coverage today for healthcare records, financial data, or defense-contractor intellectual property may be underwriting future quantum-decryption losses without knowing it. For context on how cyber threats are evolving alongside technological change, see coverage of UK regulators warning that frontier AI cyber threats outpace human defenders — the pattern of technology amplifying attack capability faster than defense adapts is not unique to quantum.

Why a Soft Cyber Market Is the Worst Time to Discover This

The timing of the executive orders collides with an uncomfortable market reality. According to Aon’s cyber risk data, cyber insurance pricing declined for ten consecutive quarters through Q1 2025, with a 7% average premium decrease driven by ample capacity and aggressive incumbent competition. Demand is broad: 90% of organizations with 500 to 1,000 employees now carry some form of cyber coverage — 50% via standalone policies and 40% as part of a wider business insurance policy. And 25% of Aon clients purchased additional limits in 2024, suggesting buyers are expanding exposure even as premiums fall.

A soft market is structurally ill-suited to absorbing a newly surfaced systemic risk. When pricing is competitive and carriers are chasing retention, incentives run against introducing restrictive quantum exclusions or demanding PQC compliance attestations at renewal. The market that correctly re-priced ransomware after 2020 did so reactively, after losses had already concentrated. Post-quantum exposure offers no such warning shot: losses are deferred by years, and the decryption event may be triggered by a technological threshold — quantum computer scale — that insurers cannot directly observe or audit.

The frequency trend meanwhile points in one direction. Aon recorded 1,228 cyber incidents across its client base in 2024, a 22% increase year-on-year, including 776 ransomware incidents — up 31%. Three-quarters of completed attacks led to financial losses. That baseline of incident frequency is what quantum-enabled decryption would layer on top of, not replace. Previous analysis of Marsh’s reported drop in cyber extortion events in 2025 illustrates how quickly market narratives can shift — and how rapidly underwriters need to adjust when they do.

What Commercial Insurers and Brokers Should Be Doing Now

The executive orders affect federal agencies directly, but the compliance cascade reaches commercial insureds through supply chain requirements, federal contracting clauses, and sector-specific regulators that tend to track White House security mandates. A defense contractor, a healthcare IT provider, or a financial services firm with federal business will face PQC migration obligations well before the 2030 key-establishment deadline. Insurers writing coverage for those sectors need to understand whether their insureds’ cryptographic infrastructure is a material risk factor — and whether current policy language captures the exposure.

Several practical steps are available to underwriters and brokers in the near term. First, policy wordings should be reviewed for how they define the trigger of a data-breach event — specifically whether language could be interpreted to cover decryption of previously exfiltrated data as a future breach. Second, PQC readiness can be added to cyber risk questionnaires at renewal: does the insured have an inventory of cryptographic assets? Have they begun migration planning toward FIPS 203, 204, or 205? Third, aggregation models should flag concentrations in sectors — defense, healthcare, financial services — where harvest-now-decrypt-later exposure is highest.
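As an added illustration (not part of the article or any insurer's tooling), this is the kind of triage a PQC-readiness questionnaire is probing for: a cryptographic asset inventory classified by harvest-now-decrypt-later exposure against the FIPS 203/204/205 targets and the order's 2030 and 2031 deadlines. The asset names are constructed, and the `decryption_year` horizon is an assumed parameter rather than a forecast.

```python
from dataclasses import dataclass

# Replacement standard and deadline per use, as described in the article
# for the June 22 order and FIPS 203/204/205.
PQC_TARGET = {
    "key_establishment": ("FIPS 203 ML-KEM", 2030),
    "signature": ("FIPS 204 ML-DSA or FIPS 205 SLH-DSA", 2031),
}
# Public-key families a large-scale quantum computer breaks (Shor's algorithm).
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "X25519", "ECDSA", "Ed25519"}
PQC_APPROVED = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass
class Asset:
    name: str             # hypothetical system identifier
    algorithm: str        # algorithm family as inventoried
    use: str              # "key_establishment" or "signature"
    sensitive_until: int  # year until which the protected data stays sensitive

def triage(asset: Asset, decryption_year: int = 2035) -> dict:
    """Classify one inventoried asset.

    decryption_year is an assumed year by which recorded traffic could be
    decrypted (a parameter, not a prediction). HNDL exposure applies only to
    key establishment: ciphertext captured today is decrypted later. A
    vulnerable signature key must still migrate, but signatures already
    issued are not retroactively exposed the way past ciphertext is.
    """
    replacement, deadline = PQC_TARGET[asset.use]
    if asset.algorithm in PQC_APPROVED:
        status = "pqc_ready"
    elif asset.algorithm not in QUANTUM_VULNERABLE:
        status = "unclassified"  # symmetric or unknown family; review by hand
    elif asset.use == "key_establishment" and asset.sensitive_until >= decryption_year:
        status = "hndl_exposed_now"     # latent liability already accruing
    else:
        status = "migrate_by_deadline"  # vulnerable, but no retroactive exposure
    return {"asset": asset.name, "status": status,
            "replacement": replacement, "deadline": deadline}

# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("patient-portal-tls", "ECDH", "key_establishment", 2060),
    Asset("batch-export-vpn", "RSA", "key_establishment", 2028),
    Asset("firmware-signing", "RSA", "signature", 2040),
    Asset("internal-api-tls", "ML-KEM", "key_establishment", 2050),
]

def summarize(inventory=SAMPLE_INVENTORY) -> dict:
    """Count assets per status; the hndl_exposed_now bucket is the aggregation risk."""
    counts: dict = {}
    for a in inventory:
        s = triage(a)["status"]
        counts[s] = counts.get(s, 0) + 1
    return counts
```

The point the classification makes is why the order's key-establishment deadline precedes the signature deadline: only long-lived confidential data protected by vulnerable key exchange is a loss an insurer may already be carrying.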

The analogy to asbestos liability is imperfect but instructive: a risk already present in the built environment, not visible in current loss runs, whose full cost would surface years later under policies already written. The difference is that quantum computing timelines are actively monitored by government intelligence agencies — the same agencies that just directed the NSA to assess commercial quantum computer scale. Insurers have access to the same public record.

The broader technology risk picture is equally relevant for insurers tracking systemic exposures. Analysis of AM Best’s findings on AI data centre insurance risks highlights how infrastructure-level technology shifts create coverage gaps that require proactive underwriting — the dynamic is directly comparable to quantum cryptographic migration.

Mini-FAQ

What do the June 22 executive orders specifically require of federal agencies?
The first order mandates that all federal High Value Assets and high-impact systems transition to NIST-approved post-quantum cryptography for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. The approved standards are FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), finalized by NIST in August 2024. The second order directs the NSA and Director of National Intelligence to assess the national security implications of commercial quantum computer performance for the PQC migration timeline.
How does “harvest now, decrypt later” create insurance liability under existing cyber policies?
Adversaries are currently exfiltrating encrypted data with the intention of decrypting it once sufficiently powerful quantum computers become available — a threat explicitly acknowledged in both the White House executive order and a Federal Reserve working paper. Existing cyber policy wordings typically define a breach as the moment of unauthorized access. If decryption of previously stolen data constitutes a new loss event, policies already closed may be reopened; if it does not, victims may find themselves uncovered. Neither interpretation has been litigated at scale, creating material ambiguity for insurers and policyholders alike.
Should cyber insurers introduce post-quantum exclusions now?
The soft market — cyber premiums fell an average of 7% in Q1 2025 after ten consecutive quarterly declines — makes broad exclusions commercially difficult. A more practical near-term step is to add PQC readiness questions to underwriting questionnaires: whether the insured has inventoried cryptographic assets, begun migration planning toward FIPS 203/204/205, and assessed supply chain dependencies. Underwriters in high-exposure sectors (defense, healthcare, financial services) should also review aggregation models for concentration in industries where harvest-now-decrypt-later risk is most material.

Patrice Dumont

InsuraBeat correspondent
