For at least quarter of the past century, financial firms relied on encryption as the go-to solution for maintaining the security and privacy of the information stored on their systems. However, as the prominence and the accessibility of quantum computing increases, cyber security specialists have been raising the alarm around quantum-based computers’ ability to break long-established encryption codes in a matter of seconds. Some experts predict that the majority of traditionally encrypted data could be vulnerable as soon as within the next decade.
Related: Post-Quantum Security Considerations for the Financial Industry
Quantum computing leverages the properties of quantum physics to perform calculations a multitude of times faster than conventional binary computing – in fact, its capabilities are simply unachievable for traditional computers. As a result, quantum computing carries significant potential to positively disrupt financial services industry by offering new ways to analyze and solve complex problems. More specifically, it will help solve the “needle in the haystack” type of problems to understand the impact of risk and uncertainty in various scenarios. To bring this example into our day-to-day lives, quantum computing will improve weather forecasting, serving as a valuable resource on both a local and global scale for more accurate warnings of extreme weather events.
That said, quantum computing will also equip bad actors with greater capabilities, creating significant risks to any organization relying on traditional encryption methods. Malicious actors are already exploring quantum-based hacks today. Such actors — which include criminals, terrorists, and rogue governments — may already be harvesting encrypted data with a view to accessing it with quantum-driven decryption soon. Similarly, any encrypted data that has been stolen over the past decade may have been retained by criminal players, who are awaiting the availability of quantum-enabled decryption methods to unlock its secrets. With quantum-enabled decryption likely to become possible in the next few years, much of this data will still be relevant and valuable.
It is only a question of time before bad actors gain access to quantum computers of sufficient power, jeopardizing today’s cyber security practices reliant on cryptography.
Business can – and should – start preparing now and get ready for these new, quantum-related risks by following some key steps.
First, organizations should just start to consider post-quantum readiness, focusing on understanding their current state. Part of this is identifying their quantum awareness and evaluate their crypto readiness. Most organizations are quantum-unaware and have not started scoping out post-quantum threats, while quantum-aware organizations are taking steps to build familiarity with quantum computing developments and forecasts. Similarly, crypto-advancing organizations have begun identifying their critical data and use of cryptography, while crypto-agile organizations have already implemented processes and resources to replace their existing algorithms and protocols.
Once this initial step has taken place, here are a few additional considerations firms should take into account:
- What is the scale of any upcoming system migration? Firms should identify systems and encryption mechanisms to be addressed and consider creating a systems inventory identifying locations containing sensitive data, as well as helping to understand encryption mechanisms used by the systems that contain sensitive data.
- How can your firm’s cryptography practices be augmented? Consider centralizing of keys and certificates management, instilling standards for encryption mechanisms, and implementing change management for encryption solutions. Deploying encryption mechanisms based on data sensitivity; upgrading current IT systems so they can support secure encryption practices, such as key rotation and distribution; automating processing to minimise manual interactions; and deprecating insecure protocols and security mechanisms throughout the system landscape can help achieve this.
- What would be the required steps to replace an encryption platform? Consider developing a playbook outlining the steps and trialling it through a pilot or prototype to ensure it can be successfully executed in a timely manner.
- Are your firm’s systems suitable for future work? Consider updating them to separate data based on its sensitivity, which will also help prioritize remediation of encryption risks.
- How strong is your firm’s risk culture? Explore opportunities to kick off organizational change management (OCM) efforts to strengthen risk culture throughout the organization, with objectives such as raising staff awareness and initiating conversations with customers and third-party providers about quantum risk.
It is only a question of time before bad actors gain access to quantum computers of sufficient power, jeopardizing today’s cyber security practices reliant on cryptography. Financial services firms remain a highly attractive target for cyber criminals and should therefore start planning now for any replacements of hardware, software, and processes using today’s public-key cryptography. Taking steps now will be the most effective route to protection against future attacks.
This article was originally published in IBS Intelligence FinTech Journal on April 28, 2023.