By Joshua Hubbard
Experts warn that advances in quantum computing could threaten commonly used encryption, undermining the confidentiality, integrity and availability of critical data. The open question is when advances in quantum computing will break or undermine confidence in commonly used encryption and how quickly banks and third-party providers can make the transition to the next generation of quantum secure encryption algorithms that the National Institute of Standards and Technology has developed.
The following is an overview of the risks, efforts to mitigate the risks and actions that bankers should consider now to prepare.
What is the risk?
Encryption is essential for safeguarding confidential and sensitive information. Banks use a variety of encryption algorithms to secure bank transactions and ensure the privacy, confidentiality and integrity of account information. Quantum computers threaten to undermine information security by breaking the encryption that these machines are expected to defeat. CNBC produced a noteworthy video that clearly explains how quantum computers work and how they differ from classical computers: “A Practical Quantum Computer is Coming! But When?” In response, public and private sector experts are developing “post-quantum cryptography” to defend against quantum computers.
Mathematically, public key cryptography takes advantage of the fact that classical computers have difficulty factoring large semiprime numbers into their two original prime factors. Current supercomputers cannot factor these numbers in a reasonable amount of time, which keeps information encrypted and accessible only to authorized personnel who hold the decryption keys. However, experts believe that quantum computers will crack public key cryptographic encryption standards, including AES, RSA and ECC, by applying the properties of quantum mechanics with Shor’s algorithm. Shor’s algorithm can factor large integers in a computationally reasonable amount of time, which classical computers cannot do, and thereby break its way into encrypted data.
When this happens, nefarious actors, whether hostile nation states or criminal enterprises, could use quantum computers to target banks and other critical infrastructure entities. Intelligence experts warn that cyber threat actors are already harvesting encrypted data now with the goal of decrypting it later, once quantum computers are more widely available. Furthermore, once such computers are widely available, every bank that relies on traditional public key algorithms could be susceptible to data theft. Other consequences include damage to an organization’s reputation and to customers’ privacy. Some experts draw parallels to the concerns raised in the late 1990s about the risk of computers malfunctioning during the century date change, more commonly known as Y2K.
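The paragraph above says that Shor’s algorithm factors large integers by exploiting quantum mechanics. What it actually exploits is a reduction from factoring to period-finding: only the period-finding step needs a quantum computer, and the rest is ordinary arithmetic. The following is an added illustration written for this article (not code from the article or from NIST), using toy moduli so that the period can be found by classical brute force; for the 2048-bit moduli used by RSA that brute-force search is exactly what is infeasible, which is why the quantum step matters.

```python
"""Classical walk-through of the number theory behind Shor's algorithm.

Shor factors N = p*q by finding the period r of f(x) = a^x mod N and then
using gcd(a^(r/2) +/- 1, N). Here the period is found by brute force, which
only works for toy moduli; a quantum computer finds it efficiently.
Added example with constructed toy values; not code from the article.
"""
from math import gcd
from random import Random


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1.

    This is the step Shor's algorithm performs with a quantum computer.
    Requires gcd(a, n) == 1, otherwise the loop never terminates.
    """
    x = a % n
    r = 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_classical_postprocessing(n: int, a: int):
    """Turn a period of a^x mod n into a nontrivial factor of n.

    Returns a factor, or None when the chosen base a is 'bad' (odd period,
    or a^(r/2) == -1 mod n); Shor simply retries with another base.
    """
    g = gcd(a, n)
    if g != 1:
        return g  # lucky: a already shares a factor with n
    r = find_period(a, n)
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None
    p = gcd(y - 1, n)
    return p if 1 < p < n else None


def factor_semiprime(n: int, seed: int = 1) -> tuple:
    """Repeat the reduction with random bases until a factor appears.

    At least half of all bases are 'good' for a semiprime, so this ends
    after a few tries. Returns the factors in ascending order.
    """
    rng = Random(seed)
    while True:
        a = rng.randrange(2, n)
        p = shor_classical_postprocessing(n, a)
        if p:
            return tuple(sorted((p, n // p)))


if __name__ == "__main__":
    # Constructed toy values: 15 = 3 * 5 and 3233 = 53 * 61.
    print("period of 7 mod 15:", find_period(7, 15))
    print("15 ->", factor_semiprime(15))
    print("3233 ->", factor_semiprime(3233))
```

For a = 7 and N = 15 the period is 4, so 7^2 = 49 ≡ 4 (mod 15) and gcd(4 − 1, 15) = 3 gives a factor. Symmetric ciphers such as AES are not attacked through this reduction, which is why the guidance for them is larger key sizes rather than replacement.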
What are the U.S. government and global authorities doing?
NIST launched a program in 2016, which continues to this day, to develop the next generation of post-quantum encryption standards through a highly collaborative, global process. In 2017, NIST launched a public competition to identify quantum-resistant algorithms that would form the basis of new encryption standards expected to be published in 2024. In 2024, NIST developed and released post-quantum cryptographic public key algorithms to secure current classical systems against quantum computer attacks. For more information, check out NIST Projects on PQC.
Outside the U.S., the European Union Agency for Cybersecurity has published a study on the current state of the PQC standardization process, which highlights work at organizations such as NIST and the International Organization for Standardization, and a report on post-standardization challenges and protocol recommendations. Further international coordination can mitigate the risk of regulatory gaps and asymmetries across the G7 jurisdictions. The World Economic Forum has been investigating quantum resilience through a collaboration with the United Kingdom’s Financial Conduct Authority and, with the participation of several global financial authorities, released a report discussing global regulatory approaches.
The Group of 7 Cyber Expert Group, which advises G7 Finance Ministers and Central Bank Governors on cybersecurity policy matters of importance for the security and resilience of the financial system, released a paper in September 2024 that identified quantum computing as an area of both potential benefit and risk to the financial system. The CEG encourages jurisdictions to monitor developments in quantum computing, to promote collaboration among relevant public and private stakeholders and to begin planning for the potential risks posed by quantum computing to some current encryption methods. The G7 CEG encourages financial authorities to work closely with firms and other relevant parties in their jurisdictions to raise awareness of the importance of the transition to quantum-resilient technologies.
Based on conversations with some bankers, examiners from the three U.S. federal banking agencies have already begun asking questions about preparations. There’s always the potential that these agencies will issue guidance to draw attention to the risk and the need for financial institutions to mitigate this risk.
What is the financial sector doing?
ABA is one of several organizations that have been raising awareness of the risk and developing materials that financial institutions can use. For example, in 2022 ABA convened a panel discussion at its annual convention to discuss the risks, and it has continued to update members on NIST’s efforts to develop post-quantum encryption algorithms. The ABA Banking Journal continues to publish articles on the matter, including on its emerging implications, such as one from Ryan Jackson, VP of innovation strategy. JP Morgan Chase researchers recently announced a quantum computing randomness breakthrough with enhancements to both security and trading. The ABA Banking Journal Podcast recently addressed the issue, and this article addressed hot topics in technology for bankers.
In addition, ABA, through its leadership roles in the Financial Services Sector Coordinating Council, has highlighted the importance of mitigating PQC risks. Two examples stand out. The FSSCC R&D Committee updated its list of R&D priorities to include PQC as one of its three top priorities. In November 2024, during the joint meeting of the FSSCC and its public sector partner, the Financial and Banking Information Infrastructure Committee, John Carlson (ABA senior VP for cybersecurity regulation and resilience) moderated a panel on post-quantum computing risks to encryption with executives from the Federal Reserve Board, IBM and the Financial Services Information Sharing and Analysis Center.
The FS-ISAC has outlined key concerns for banks and steps to help combat potential security risks through multiple papers released by its established Post-Quantum Cryptography (PQC) working group.
Key points:
- Building a clear inventory of assets and cryptography uses helps organizations identify risks from PQC advances and stay crypto-agile in adapting to future cryptographic changes.
- To ensure the potential impact on an organization is adequately monitored, at a minimum the following items should be considered:
  - In-house and vendor applications for encryption / decryption.
  - Inventory of critical and high-availability applications, and external application connections.
  - Third-party risk management: vendor roadmaps to support PQC.
  - Consider how long the data asset needs to be protected for.
  - Consider inventorying the organization’s most sensitive and critical datasets.
  - Is the data at risk from a harvest now / decrypt later attack scenario?
  - Regulatory considerations: is the data under external regulation?
  - Data residency/location of data – there may be different timelines associated with different regions.
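The FS-ISAC points above amount to a procedure: record each cryptographic use, its owner, how long its data must stay protected, and its regulatory context, then rank the records. The following is an added example, written for this article and not an FS-ISAC or ABA tool, of what the smallest useful version of that inventory and triage looks like. The inventory records are constructed sample data, and the two planning figures (years until a cryptographically relevant quantum computer, years needed to migrate a system) are illustrative assumptions that a bank would replace with its own estimates.

```python
"""Minimal cryptographic inventory with a PQC triage pass.

Added example, not from the article or FS-ISAC. Sample inventory and the
planning figures below are constructed/assumed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed planning parameters (illustrative, not estimates from the article).
ASSUMED_YEARS_UNTIL_CRQC = 10   # years until a cryptographically relevant quantum computer
ASSUMED_MIGRATION_YEARS = 5     # years the organization needs to migrate one system

# Public-key algorithms based on factoring / discrete logs are broken by Shor.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
# Symmetric ciphers only lose security margin (Grover): larger parameters suffice.
SYMMETRIC_NEEDS_MARGIN = {"AES-128": "AES-256", "3DES": "AES-256"}
QUANTUM_SAFE = {"AES-256", "SHA-256", "SHA-384", "ML-KEM-768", "ML-DSA-65", "SLH-DSA"}
# Harvest-now/decrypt-later only matters where confidentiality is the goal;
# a signature checked today cannot be "decrypted later".
CONFIDENTIALITY_PURPOSES = {"key-exchange", "data-at-rest", "data-in-transit"}


@dataclass
class CryptoAsset:
    system: str
    owner: str                 # "in-house" or the vendor name
    algorithm: str
    purpose: str               # key-exchange, signature, data-at-rest, ...
    data_lifetime_years: int   # how long the protected data must stay confidential
    critical: bool
    regulated: bool
    region: str
    vendor_pqc_roadmap: bool = True


def triage(asset: CryptoAsset) -> List[str]:
    """Return the findings for one inventory record."""
    findings: List[str] = []
    alg = asset.algorithm
    if alg in QUANTUM_VULNERABLE:
        findings.append(f"{alg} is quantum-vulnerable: plan migration to a NIST PQC algorithm")
        # Data captured today stays exposed if it must remain secret past the
        # point where a CRQC exists, and migration itself takes time.
        if (asset.purpose in CONFIDENTIALITY_PURPOSES
                and asset.data_lifetime_years + ASSUMED_MIGRATION_YEARS > ASSUMED_YEARS_UNTIL_CRQC):
            findings.append("harvest-now/decrypt-later exposure: data lifetime plus "
                            "migration time exceeds the assumed CRQC horizon")
    elif alg in SYMMETRIC_NEEDS_MARGIN:
        findings.append(f"{alg}: move to {SYMMETRIC_NEEDS_MARGIN[alg]} for post-quantum margin")
    elif alg not in QUANTUM_SAFE:
        findings.append(f"{alg}: not classified, review manually")
    if not asset.vendor_pqc_roadmap:
        findings.append(f"vendor {asset.owner} has no PQC roadmap: third-party risk follow-up")
    if asset.regulated:
        findings.append(f"regulated data held in {asset.region}: confirm the regional PQC timeline")
    return findings


def score(asset: CryptoAsset, findings: List[str]) -> int:
    """Simple ranking weight: criticality and HNDL exposure dominate."""
    s = 2 if asset.critical else 0
    s += 2 if any(f.startswith("harvest-now") for f in findings) else 0
    s += 1 if any("quantum-vulnerable" in f for f in findings) else 0
    s += 1 if asset.regulated else 0
    s += 0 if asset.vendor_pqc_roadmap else 1
    return s


def build_report(assets: List[CryptoAsset]) -> List[Tuple[str, int, List[str]]]:
    """(system, score, findings) rows, highest priority first."""
    rows = [(a.system, score(a, triage(a)), triage(a)) for a in assets]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed sample inventory (fictional systems and vendor).
SAMPLE_INVENTORY = [
    CryptoAsset("online-banking-tls", "in-house", "ECDH", "key-exchange", 1, True, True, "US"),
    CryptoAsset("core-archive-encryption", "CoreVendorX", "RSA", "data-at-rest", 25, True, True, "EU",
                vendor_pqc_roadmap=False),
    CryptoAsset("code-signing", "in-house", "ECDSA", "signature", 2, False, False, "US"),
    CryptoAsset("backup-encryption", "in-house", "AES-128", "data-at-rest", 10, False, False, "US"),
    CryptoAsset("pqc-pilot-vpn", "in-house", "ML-KEM-768", "key-exchange", 10, False, False, "US"),
]

if __name__ == "__main__":
    for system, prio, findings in build_report(SAMPLE_INVENTORY):
        print(f"[{prio}] {system}")
        for f in findings:
            print("    -", f)
```

With the sample data the long-retention RSA archive at a vendor with no roadmap ranks first, the short-lived TLS key exchange ranks high on criticality alone, and the code-signing key is flagged as vulnerable but not as a harvest-now/decrypt-later exposure.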
In 2018, the BITS division of the Bank Policy Institute published the Quantum Risk Calculator, or QRC, a tool designed to help any person or company better understand how a post-quantum computing future may affect data and applications that rely on cryptography such as encryption, hashing and signatures.
The Cloud Security Alliance has released research and “practical preparations” to draw attention to the challenge and to outline the actions major cloud service providers are talking about. Two examples are “Cloud Security Alliance on Quantum Safe Security” and “Cloud Security Alliance Practical Preparations for the Post Quantum World.” In addition, some of the major cloud service providers have released details on how they are preparing for a post-quantum world.
The Cyber Risk Institute plans to update the encryption section of the “Protection” portion of its Profile. Once this is completed it will be integrated into version 2.0 of the Profile and will be a good resource for attesting that banks are mitigating the risk.
Actions banks can take now
The following are actions that banks and third-party providers to financial institutions can take now.
Monitor
- NIST efforts to develop the next generation of encryption algorithms.
- CISA efforts to develop risk mitigation plans.
Engage
- Information security, vendor management, and business continuity professionals to ensure that these risks are being addressed and coordinated internally.
- Core service providers and other significant technology service providers to ask about their plans.
- In future ABA webinars.
Develop
- Answers to the questions bank examiners are likely to ask about how your bank is addressing post-quantum computing risk.
- Plans to embrace “crypto agility” so that new encryption algorithms can be integrated without causing disruption. Crypto agility is “the ability to enable rapid adaptations of new cryptographic primitives and algorithms without making disruptive changes to a system’s infrastructure.”
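The definition of crypto agility above is abstract, so here is an added example (written for this article, not code from ABA or any product) of what the property looks like in code. The design choice it demonstrates is a registry: every protected record names its algorithm in a header, callers never hard-code a primitive, and adding, combining or retiring an algorithm is a registry change rather than a format change. The primitives are standard-library HMACs standing in for whatever a bank actually deploys, and the "hybrid" entry shows the composition pattern used during a transition, where a record stays protected as long as either component holds. The envelope format, function names and sample key are assumptions for the example.

```python
"""Crypto-agile integrity envelope: algorithm chosen by registry, not by code.

Added example, not from the article. HMAC primitives are stand-ins; the
point is the registry and the header, which let algorithms be added,
combined or deprecated without changing stored data formats or callers.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict, Set

MacFn = Callable[[bytes, bytes], bytes]
REGISTRY: Dict[str, MacFn] = {}
DEPRECATED: Set[str] = set()


def register(alg_id: str, fn: MacFn) -> None:
    """Make an algorithm available under a stable identifier."""
    REGISTRY[alg_id] = fn


def deprecate(alg_id: str) -> None:
    """Stop protecting new data with alg_id; existing data stays readable."""
    DEPRECATED.add(alg_id)


def subkey(key: bytes, alg_id: str) -> bytes:
    # Derive a distinct key per algorithm so a hybrid never reuses one raw key.
    return hmac.new(key, alg_id.encode(), hashlib.sha256).digest()


register("hmac-sha256",
         lambda key, msg: hmac.new(subkey(key, "hmac-sha256"), msg, hashlib.sha256).digest())
register("hmac-sha3-256",
         lambda key, msg: hmac.new(subkey(key, "hmac-sha3-256"), msg, hashlib.sha3_256).digest())


def hybrid(*alg_ids: str) -> MacFn:
    """Compose registered algorithms; the tag holds as long as one component does."""
    def fn(key: bytes, msg: bytes) -> bytes:
        return b"".join(REGISTRY[a](key, msg) for a in alg_ids)
    return fn


register("hybrid-sha256+sha3-256", hybrid("hmac-sha256", "hmac-sha3-256"))


def protect(alg_id: str, key: bytes, payload: bytes) -> bytes:
    """Wrap payload in an envelope that names the algorithm used."""
    if alg_id not in REGISTRY:
        raise ValueError(f"unknown algorithm {alg_id}")
    if alg_id in DEPRECATED:
        raise ValueError(f"{alg_id} is deprecated for new data")
    tag = REGISTRY[alg_id](key, payload)
    return json.dumps({"alg": alg_id, "payload": payload.hex(), "tag": tag.hex()}).encode()


def algorithm_of(envelope: bytes) -> str:
    return json.loads(envelope)["alg"]


def verify(key: bytes, envelope: bytes) -> bytes:
    """Dispatch on the header, check the tag, return the payload."""
    env = json.loads(envelope)
    alg = env["alg"]
    if alg not in REGISTRY:
        raise ValueError(f"unknown algorithm {alg}")
    payload = bytes.fromhex(env["payload"])
    expected = REGISTRY[alg](key, payload)
    if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
        raise ValueError("integrity check failed")
    return payload


def safe_verify(key: bytes, envelope: bytes) -> bool:
    try:
        verify(key, envelope)
        return True
    except ValueError:
        return False


def migrate(key: bytes, envelope: bytes, new_alg: str) -> bytes:
    """Re-protect an old record under a newer algorithm: verify, then protect."""
    return protect(new_alg, key, verify(key, envelope))


def with_payload(envelope: bytes, new_payload: bytes) -> bytes:
    """Swap the payload but keep the old tag (simulates tampering in transit)."""
    env = json.loads(envelope)
    env["payload"] = new_payload.hex()
    return json.dumps(env).encode()


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    old = protect("hmac-sha256", key, b"ledger entry 42")
    new = migrate(key, old, "hybrid-sha256+sha3-256")
    deprecate("hmac-sha256")
    print("old still readable:", safe_verify(key, old))
    print("new algorithm:", algorithm_of(new))
    print("tamper detected:", not safe_verify(key, with_payload(new, b"ledger entry 43")))
```

The migration path is the part worth copying: `verify` keeps accepting deprecated algorithms so that existing records can be read and re-protected, while `protect` refuses them, so no new data is created under the retired primitive.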
Joshua Hubbard is program manager, cybersecurity, at ABA.