Preparing for security: A manual on quantum resilience

Financial organizations can proactively adopt post-quantum cryptography to strengthen and comprehensively protect the security of their data.

Quantum Shift: A Comprehensive Overview of Quantum Security Strategies

In the rapidly evolving digital landscape, financial services companies are gearing up for a strategic shift towards quantum-safe cryptography. This move is crucial for protecting vast amounts of personal, financial, and health-related data, and maintaining their reputation as trusted custodians of sensitive client information.

The transition is necessitated by the emergence of quantum computers, such as those developed by IBM, Google, Microsoft, Rigetti Computing, D-Wave Systems, Fujitsu, SaxonQ, and others. While these machines hold the potential for extraordinary computational power, they are currently limited by factors like qubit coherence time, error rates, and scalability.

The solution to this impending threat is post-quantum cryptography: cryptographic algorithms designed to be secure against quantum computers because they rely on mathematical problems believed to resist quantum-driven attacks.

Financial services companies are advised to transition to quantum-safe cryptography using a comprehensive, phased approach. In the short term, key employees should be educated, risk assessments conducted, and the transition to quantum-safe cryptography initiated. Cross-functional teams should be established to develop a strategic plan.

In the medium term, financial services companies should prioritise the most critical systems and data, implement post-quantum cryptographic solutions, collaborate with vendors, and update policies and documentation.

The urgency of this transition is highlighted by the potential for quantum computers to break widely used encryption algorithms like RSA and ECC by the end of this decade. A quantum computer attack on a financial services company could result in catastrophic loss of customer data and severe reputational damage.

A further concern is the practice of "harvest now, decrypt later," in which cyber criminals or rogue nation-states hack and gather encrypted data, then wait for quantum computers to decrypt it. Financial services companies must protect data that will remain valuable for decades, such as loan application data, long-term policyholder records, and claims histories, from potential quantum computer-driven decryption.

Financial institutions that work with third-party vendors for services like data storage, analytics, and IT support are vulnerable to quantum computer-driven attacks if those vendors do not adopt quantum-safe encryption. Many IoT devices used in financial services, such as payment terminals and ATMs, use potentially vulnerable encryption keys and could be at risk for material data breaches if not protected with quantum-safe security measures.

In the long term, financial services companies should embed quantum-safe practices into their core operations, establish a long-term strategic roadmap, invest in research and development, and develop a robust incident response plan tailored to potential quantum-driven breaches.

The National Institute of Standards and Technology (NIST) is driving regulations and requirements for quantum-safe cryptography that many large firms will likely have to operationalize in the next 24 months. The Quantum Computing Cybersecurity Preparedness Act, signed into law in December 2022, forces all federal agencies to develop plans to transition their systems to post-quantum encryption standards.

Financial institutions should proactively adopt post-quantum cryptography safeguards to protect their data assets, comply with emerging regulations, and maintain their reputation. Quantum computing represents a significant shift in computational power, using qubits instead of bits and performing calculations exponentially faster than classical computers. Machines with this power could easily penetrate encryption in claims-processing systems and policy management platforms, leading to fraudulent processing, payment redirection, or worse.

As quantum computers become more accessible and powerful, financial services companies must stay ahead of the curve to ensure the security and integrity of their data assets.
