Software engineer writes code with two monitors

Preparing financial services cybersecurity for quantum computing

Quantum computing may seem years off, but financial services cybersecurity teams can take steps now to secure data.

In brief
  • Quantum computing has the potential to be a boon for financial services firms, but it also raises a new level of cybersecurity concern.
  • Quantum computing can rapidly solve current encryption, putting at risk customer data and potentially leading to significant financial and reputational loss.
  • Financial services firms can prepare now by engaging with regulators, looking at potential vulnerabilities with a quantum lens and remediating vulnerabilities.

Quantum computing will soon become a critical tool for financial services organizations, as it promises to solve a class of complex problems at exponential speed. As quantum computers continue to advance in power and availability, however, they are expected to pose a significant challenge to classical cryptographic systems, a serious risk for these same organizations.

While it may take several years for these computers to break traditional encryption, it is crucial for organizations to take proactive measures now to safeguard their confidential data, particularly in high-security and heavily regulated environments.¹ This critical need for safeguards is particularly true for financial services organizations, which handle vast amounts of high-value customer data and intellectual property, a breach of which can result in significant financial loss, reputational damage and legal liability. Waiting until the threat becomes imminent could result in severe repercussions, including the potential loss of valuable information, financial assets and reputational damage. It is essential to recognize that the risks posed by quantum computing are not distant problems but rather a threat that requires immediate attention and action.

By implementing quantum-safe security protocols and staying abreast of advancements in quantum computing, financial services organizations can help ensure the protection of their critical data.

How EY can help

Assessing the quantum cybersecurity threat

 

The backbone of cybersecurity is encryption: the ability to send and store sensitive data by rendering it inaccessible to unauthorized parties. This inaccessibility is achieved using complex mathematical problems that are difficult to solve, yet easy to verify. Even the most powerful classical computers would take longer than the current estimated age of the universe to crack the mathematical framework behind modern encryption, according to the National Institute of Standards and Technology (NIST).²

 

Quantum computing, with its ability to rapidly solve the mathematical puzzles that keep modern encryption secure, is likely to render the current encryption playbook obsolete. Unlike traditional cyberattacks that leverage coding errors, backdoors and social engineering, quantum attacks will simply bypass encryption and walk straight in, fundamentally disrupting modern cybersecurity.

 

The problem is immense: More than 20 billion digital devices will require updates to quantum-safe cryptography in the next two decades.³

 

Beating the quantum timeline

 

A growing number of global financial services organizations have begun to take note, hiring experts and investing in the development of quantum-resistant technologies and intellectual property. Others are still on the sidelines, not wanting to be the first to act but running the risk of falling behind in a rapidly evolving technological landscape.

 

Their hesitancy is understandable. Most experts estimate it will take another five to 10 years before quantum computers can break RSA, the world’s most widely used encryption system. While large state actors are expected to be the first to achieve quantum capabilities, democratization of the technology by rogue actors is anticipated to follow quickly. Despite this timeline, the moment for most financial services organizations to begin addressing their vulnerabilities to quantum threats is now, before large-scale quantum machines arrive.

 

A particularly urgent concern is the possibility of "harvest now, decrypt later" quantum attacks, where perpetrators intercept and store encrypted data that is currently secured by public-keys like RSA or elliptic curve cryptography. They can then wait until a large-scale quantum computer is available and quickly decrypt the stored data, granting access to proprietary systems, infrastructure and customer accounts (see figure below). This threat highlights the organizational urgency to develop and deploy post-quantum cryptographic systems that can resist attacks from both classical and quantum computers. Mitigation measures such as limiting the amount of data encrypted with a single key and using key lengths that are less vulnerable can be immediately deployed.

The anatomy of a quantum cyber-attack

Data owners must inventory, identify and prioritize critical assets before post-quantum threats mature.

Chart of cyber attack anatomy

Recent US government actions underscore the need to prepare for quantum threats. In 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published a report⁴ outlining the steps those managing critical infrastructure must take to prepare for security threats. In November, the Office of Management and Budget directed federal agencies to submit inventories of quantum vulnerable assets by May 2023 and annually thereafter. In December, President Biden signed the Quantum Computing Cybersecurity Preparedness Act. Financial regulators are expected to follow suit, emphasizing the need for the financial services industry to be proactive in addressing quantum threats.

Fortunately, progress is being made in the development of post-quantum cryptography (PQC) technologies. The NIST, in collaboration with other international standards organizations, is leading a program and public competition to identify the first standardized generation of PQC algorithms and implementation requirements. This effort is expected to result in the release of a new standard within a year. Financial services organizations must be ready to update their encryption suites with implementations of the new standards.

Turbocharge your strategy with digital and emerging tech

We work with you from strategy to implementation, so every dollar invested has the potential to exponentially impact profitable growth.

Find out more

How EY can help

  • Advanced analytics

    Discover how EY tech-enabled Strategy and Transactions advanced analytics teams helps turn information into connected intelligent insights.

    Read more

Shifting winds in the financial sector

 

Forecasts for the arrival of cryptographically relevant quantum hardware are getting shorter, and the financial services industry is starting to shift its attitude. Rapid advancements in quantum capabilities, an increasing amount of attention from government agencies and regulators, and several high-profile cyber attacks on financial institutions have highlighted the urgency for deploying more robust security measures. Major credit and debit card payment organizations have recently applied quantum-resistant technology to the next generation of payment protocols. The new enhanced-contactless (Ecos) specifications go beyond industry standards to ensure that transactions are resistant to attacks from both traditional and quantum threats. Mastercard has already introduced cards with these new specifications,⁵ giving consumers high levels of “future-proof” security for decades to come. Beginning to realize the immense security threats, the world’s largest global banks are also placing big bets on talent, intellectual property and strategic partnerships surrounding quantum security. For example, JP Morgan Chase demonstrated a first-of-its-kind, production-grade quantum key distribution (QKD) network,⁶ a mathematically proven way to defend against quantum attacks. The fact that a financial services organization led a technological effort of this magnitude underscores how paramount quantum security will be.

 

This preparation is sound business; the consequences of inaction are difficult to overstate. The 2014 breach of a major financial institution⁷ by foreign hackers exposed a web application vulnerability that allowed access to sensitive information belonging to 76 million households and 7 million small businesses. The affected bank spent $250 million annually on cybersecurity to remediate the breach, in addition to settling a class-action lawsuit for $80 million. Similarly, in 2019, a misconfigured firewall at a different bank resulted in the release of social security and bank account numbers of over 100 million customers. This incident cost the bank more than $200 million in remediation, including class-action lawsuit settlements and credit monitoring for affected customers.

 

These breaches not only resulted in significant financial harm but also damaged the organizations' reputation and customer trust. They further prompted the passage of increased regulatory oversight, including the Cybersecurity Information Sharing Act and the New York State Department of Financial Services Cybersecurity Regulation, requiring financial institutions to have a robust cybersecurity program in place, including periodic risk assessments, vulnerability testing and incident response planning. Despite these regulations and updated security methods, financial organizations are still vulnerable to new, quantum-based attack vectors, drastically increasing cyber-risk and demanding immediate attention.

A deliberate strategy for financial services cybersecurity

In terms of cybersecurity, though, there are immediate actions all organizations, particularly financial institutions, can take to minimize risks and ensure a smooth and efficient transition to a post-quantum world. Some concrete and proactive recommendations include:

Engage with regulatory bodies on quantum computing cybersecurity standards

Compliance and regulatory environments are shifting, particularly those related to data protection. This landscape will only become more complex as the threats of a post-quantum future become clearer. Financial institutions must stay abreast of relevant timelines and decisions from standards setting bodies, such as NIST and CISA; they can equip themselves with the technical expertise necessary to understand how decisions will impact the timing and scale of investment for remediation. Industry specific engagement will also be necessary with regulators such as the Federal Reserve, Consumer Financial Protection Bureau, FDIC, and others. Financial services organizations will also need to advocate and monitor for new and potentially far-reaching requirements around quantum encryption. In fact, current regulations such as Europe’s GDPR act may require implementation of new standards without additional oversight.

Inventory, map and prioritize with a quantum cybersecurity lens

Organizations have large IT “systems of systems.” Regular cyber-hygiene may already include taking stock, inventorying and understanding all assets, including networking equipment; data acquisition systems; and financial, client, and proprietary data. This can now be done with a quantum-specific lens to prioritize remediation and implementation of PQC algorithms. Vulnerabilities to “harvest now, decrypt later” attacks can be prioritized, specifically examining organizational public-key (RSA) encryption protocols, as well as data with long security shelf lives. Any previous cybersecurity and cryptological assessments and inventories can be re-examined through this quantum-specific prioritization.

With high-profile incidents gaining media and customer attention, cybersecurity has become a board-level agenda item. Systems need to be thoroughly evaluated for risks and resilience, including the existence of sensitive information, access controls, data sharing protocols and dependence on third parties. Vulnerabilities will not be evenly distributed across assets; it is important to precisely understand each element of the system as a single weak link can compromise the entire enterprise. It is critical that organizations build capabilities and partnerships that bring both cybersecurity and quantum security expertise as they prepare to transition to a post-quantum future.

Prepare and remediate

There is much that can be done before the arrival of the NIST-approved PQC algorithms. Additional analyses can be done on hardware assets to determine the suitability for post-NIST computational requirements (i.e., fast lattice-based encryption computations), and time and investment required for necessary upgrades to be performed. Stress-test modeling and simulation in digital twin and virtual environments that represent complex enterprise IT systems is an emerging technique that can help identify vulnerabilities for immediate remediation against a wide variety of possible cyber and quantum attacks.

Where possible, efforts can be made to harden public key encryption-vulnerabilities against quantum attacks. Indeed, concern around the relatively short timeline of the NIST process suggest this may be strategically beneficial in the event of early-stage PQC algorithmic vulnerabilities. New methods for symmetric key generation can be explored and implemented to severely limit the vulnerability of key distribution to “harvest now, decrypt later” quantum attacks. Quantum key distribution is a promising long-term solution, though there are many feasible computational solutions.

Thanks to Jon Watts, Alex Giles and Sayyaf Masood for their contributions to this article.


Summary 

Quantum computing may still seem years away, but quantum threats exist now. Companies may need to take a proactive view to protect their cyber assets and ready their organizations for new cybersecurity protocols or face serious consequences, including reputational damage and the loss of valuable assets. It is essential for all financial services organizations to recognize the urgency of this issue and to take the necessary steps to ensure their security measures are quantum-resistant. Doing so will not only protect their own interests but also promote the overall security and stability of the financial sector.

Related articles

Why organizations should prepare for quantum computing cybersecurity now

This technology is finding its way out of research labs and into commercial applications, upending the norms of cryptography. Learn how to be ready.

14 Apr 2023 Jeff Wong + 1

How to keep cybercriminals out of your divestiture

Corporate deals are where the money is, for cybercriminals. But companies can protect themselves and the deal.

15 Jul 2022 John Hauser + 1

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.