By Ben Packman, Senior Vice President of Strategy at post-quantum cryptography company, PQShield

Quantum computing is expected to be revolutionary for financial institutions.

During 2022, we saw a number of financial institutions partnering with leading tech companies to establish quantum projects, hoping to glean a competitive advantage from this potentially transformational technology. Goldman Sachs has partnered with AWS and HSBC is working with IBM to study the uses of quantum for pricing derivatives and portfolio optimization. Beyond these use cases, Standard Chartered has begun exploring the ESG opportunities with quantum, building on a lengthy partnership with the Universities Space Research Association.

But although quantum technology could be transformational to the future of the finance industry, it also comes with a warning. While quantum computers will have the ability to process vast amounts of data at record breaking speeds, these very capabilities will also allow them to break the current encryption standards currently relied on today to secure sensitive information, including encrypted transaction data, account details, and customer information.

Public key encryption is vulnerable to quantum attack, yet it underpins everything from the security of messaging and communications right through to online payments and physical bank cards. That’s a big problem for financial institutions whose reputation is built on the trust we put in their ability to keep our money – and personal information – safe.

New standards for cryptography

The threat of a quantum attack is so great that it is already high on the agenda of governments and security agencies worldwide. Last year, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced finalist candidates for post-quantum cryptography (PQC) standardisation, creating a new kind of encryption designed to withstand attacks from quantum computers. This was followed by NSA guidelines that laid out a timeline for US government agencies and partners to start their transition to quantum-resistant software and cloud services by 2025, with the full transition process expected to be completed by 2035.

This has been bolstered by support from the White House, in the form of two presidential directives and the Quantum Computing Cybersecurity Preparedness Act that aim to mitigate the risks that quantum computers pose to national and economic security. The directives and legislation require all US government agencies to upgrade their infrastructure to new quantum-resistant standards whilst also calling for increased collaboration with the private sector to drive the adoption of post-quantum cryptography.

With guidance in place from NIST and the NSA, there is no reason financial institutions should hold off before migrating their systems to the new cryptographic standards.

Harvest now, decrypt later

One of the dangerous misconceptions surrounding post-quantum cryptography is that the cybersecurity industry is overhyping a threat that’s yet to materialise, from technology that is too far in the future to warrant any concern in the present.

Financial institutions are already exposed to the threat, via what’s known as “harvest now, decrypt later” retrospective attacks. Bad actors have the capability to harvest a large amount of sensitive encrypted data today that they can decipher as soon as a quantum machine is available and used for malicious purposes. Until PQC is in place, any strategic data, sensitive intellectual property and corporate secrets are potentially exposed.

Those financial institutions that have already started laying the groundwork to transition to PQC will benefit from a first-mover advantage, both in terms of their reputation and because the transition to full quantum security will be long and complex. The sooner banks start working on it, the less painful it will ultimately be.

The road to PQC adoptio

We have already seen Mastercard roll out a quantum-secure credit card, and while this is a positive first step, without a more wholesale programme of implementation this would be similar to replacing the reinforced door on a bank vault that has no walls: every touchpoint in the transaction process, from hardware to software and data in transit, must also be quantum-secure before you can truly consider the threat managed.

Even if you were to take the view that the quantum threat is unlikely to materialise until years from now, you wouldn’t want to underestimate the timelines associated with a full-scale implementation of post-quantum cryptography solutions across all core technologies. It took almost two decades to deploy the public key cryptography infrastructure that we currently rely on, and the shift to full quantum security could be equally time-consuming. As we witness quantum technology developing at speed never seen before, delays in implementation today could prove extremely damaging a few years down the line.

So how should financial institutions start planning for the transition?

• Follow developments on quantum computing and PQC: Advances in quantum computing and PQC solutions will pave the way for the financial sector to prepare and mitigate risks properly. Understanding these developments will be key for organisations to move quickly and manoeuvre effectively.
• Train your team: Because a cryptography transition is a major, multi-year undertaking, key stakeholders also need to understand what it means and why it matters. Specialist cryptographers are available to provide training on the subject, tailored to an executive-level audience. Once technical teams have supportive leaders behind them, they are more likely to access the budget and approvals needed to manage an efficient transition to PQC.
• Conduct a cryptography audit: Organisations need to know exactly where they are using cryptography before they can start to upgrade it. The best place to start is by interviewing internal system owners and experts to find out where and how cryptography is currently in use, followed by external vendors and suppliers.  Look at every place where data is kept in storage, used in applications or is in transit, and create a thorough map. Once you’ve completed your audit, you should better understand your exposure and be able to determine who would be best-placed  to start the implementation process.
• Identify risk areas: As part of a cryptography audit, financial institutions should consider the areas where data is at highest risk of attack so they can be prioritised for the transition to PQC. This means considering the sensitivity of the encrypted data being handled by each of your systems, for how long that data is expected to remain sensitive, and whether a system is public-facing. Financial institutions experience significantly more cyber attacks than any other organisations, so security for the post-quantum era is imperative.
• Ensure crypto-agility: Cryptographic agility is where systems are designed to support multiple cryptographic algorithms at the same time – a smart decision at this stage in time, while NIST still has several draft standards in play. Crypto-agility provides insurance if one of your cryptographic algorithms is subsequently discovered to be vulnerable, as you can replace it easily without making disruptive and wide-scale changes to your system’s infrastructure. Ensuring crypto-agility and designing a long-term strategy for migration to a quantum ready architecture will be vital in ensuring that your organisation’s sensitive information is fully-protected from the threats of tomorrow.

Moving forward

The transition to full quantum security will be a lengthy and costly process, but in the coming year, we will see early movers in the financial sector taking advantage of the opportunity to deliver quantum-secure products to their customers.

For security and IT leaders at financial institutions, it’s time to start transition planning and making their case to the board for a dedicated post-quantum cryptography budget, ready to begin implementation.