AISA sounds alarm on quantum computing cyber threat

Older systems that cannot be upgraded could leave critical gaps

By Roxanne Libatique

Australia’s cyber security community is raising concerns that organisations with critical infrastructure are failing to adequately account for the risks that quantum computing advances pose to their encryption systems – and that the insurance sector may be carrying more long-term exposure than it has priced in. The Australian Information Security Association (AISA) made the warning as cyber incident volumes across the country remain high. The Australian Signals Directorate’s (ASD) most recent Annual Cyber Threat Report logged more than 87,400 cybercrime reports across a single financial year, or roughly one report every six minutes. A ransomware breach disclosed this week by NSW-based video security distributor VSP Solutions serves as a reminder that near-term threats continue to materialise while longer-horizon risks go unaddressed.

The clock is ticking on post-quantum planning

At the core of AISA’s concern is the mismatch between how long the transition to quantum-resistant encryption will take and how little time organisations have set aside to begin it. The association said the work involved goes well beyond a software update cycle – it requires organisations to first understand what encryption they are currently running, where it sits across their infrastructure, and whether the systems involved can realistically be upgraded at all. Dr. Rajiv Shah, an AISA board member with a background in quantum physics and cyber security, said the deadline set by Australia’s own cyber authority makes the current pace of preparation difficult to justify. “The Australian Cyber Security Centre has recommended that organisations should have developed such a plan by the end of 2026 – less than seven months away,” Shah said, as reported by Security Brief.

The problem is compounded in sectors where asset inventories are incomplete or outdated. Shah said this is not a hypothetical concern. “The problem is that, as we see from many recent cyber incidents, organisations often do not have a good understanding of their IT assets and their data. Identifying what needs upgrading to be quantum-resistant, making that plan and implementing it, is likely to take much longer than they anticipate. They might think they just need to apply the upgrades from their vendors, but we already see that governments and operational technology systems struggle to keep their software up to date. Then there is the problem of systems which are no longer supported, or which can’t physically be upgraded. How will you decide what to do about those?” Shah said.

Operational technology environments – such as those found in energy, utilities, and transport – present a particular challenge. Equipment in these settings often has decades-long service lives and may have been designed long before modern cryptographic standards were in place, let alone post-quantum ones.

More than a technology refresh

AISA’s position is that the quantum computing issue should sit at the executive and board level rather than being delegated to IT departments. Shah described it as a matter of strategic planning, one that will require sustained investment and cross-sector coordination rather than a one-time fix. “If we don’t start putting the work in now, quantum computing could fundamentally reshape cyber security. This is not about panic or fear. It is about recognising that the transition to post-quantum security will take years of planning, investment, and coordination across government and industry,” Shah said.

The scope of the task includes cataloguing assets, mapping where cryptography is embedded across applications and devices, assessing whether third-party suppliers are prepared, and determining which systems supporting essential services need to be prioritised. This translates into a question about the adequacy of current cyber policy wordings – many of which do not contemplate quantum-enabled decryption as a covered or excluded peril.

Several international governments have moved further along this path. The US and the UK have both advanced work on post-quantum cryptography standards and have begun formal migration planning processes. The progress of these programs has added pressure on Australian agencies and operators to conduct their own exposure assessments.

A ransomware case in point

The VSP Solutions incident, disclosed on June 1, 2026, and reported by Cyber Daily, illustrates the scale of data at risk even from conventional ransomware attacks. The Minchinbury-based company, which has distributed video security products since 1993 with operations across New South Wales, Queensland, Victoria, and Western Australia, said it became aware of the breach on May 13, 2026. The Stormous ransomware group claimed responsibility, alleging it had taken more than 40 gigabytes of data including financial records from accounting software, email archives, staff files, and customer databases covering installers and integrators across the country. The data was briefly published on a file-sharing platform before the hosting service removed it.

“We are aware that certain information associated with our business has been referenced on a dark web leak site of a cyber criminal organisation. This incident does not affect our business operations, and we continue to serve our clients as normal with full confidence. We are taking this incident very seriously,” a VSP Solutions spokesperson said, as reported by Cyber Daily.

The company said the data involved is historical and linked to a related business. It has engaged forensics specialists and cyber security advisors, reported the matter to Australian government agencies, and is working with law enforcement. Stormous, which has been active since 2022 and has listed more than 140 claimed victims, functions as a ransomware-as-a-service operation.

Regulatory settings need careful calibration

AISA has urged caution on the regulatory front, noting that poorly designed compliance requirements could push organisations toward superficial responses that do not address the underlying risk. Shah said Australia’s existing legislative and prudential frameworks offer a sounder basis for action than new mandates drafted in haste. “The Australian government may want to consider how to encourage organisations to take the threat seriously while avoiding knee-jerk reactions or compliance directives that could create unwelcome consequences. Rushed or botched implementations that make systems more complex may actually make them less secure. Cyber security is about doing the hard work, identifying and prioritising risks, not just ticking boxes. Australia has good regulatory frameworks for risk management, such as the Security of Critical Infrastructure Act and APRA’s approach to regulating the financial services sector, so we should think about how to leverage these,” Shah said.

The combination of sustained ransomware activity and the approaching quantum transition presents a compounding challenge. Policies written today against current threat models may be renewed or extended into a period when the underlying cryptographic assumptions no longer hold – a consideration that is only beginning to surface in market discussions around long-tail cyber risk.
