Preparing financial services for the quantum computer

By Toby Sibley

Richard Feynman said that “if you think you understand quantum mechanics, you don’t understand quantum mechanics.”

As Feynman received a Nobel Prize for his work, it’s safe to assume that he did understand quantum mechanics. Luckily for those of us not destined for a Nobel Prize in physics, when it comes to quantum computing, we don’t need to understand the intricate and complex details. However, we need to understand the immense implications of quantum computing – not least the threat it poses to the classical encryption techniques that the world relies on to protect electronic commerce.

Advances in quantum computing offer many potential benefits. But these advances also come with risks of major systemic disruption for the financial services sector, primarily because quantum computing can break the classical encryption techniques organisations rely on to protect data. It can do so because of its ability to undermine the mathematical techniques that classical encryption relies on.

The exact timeline for when quantum computers will have the processing power to break classical encryption is unclear. However, the capabilities of quantum computers are being developed at pace, and investment in the field by big hardware manufacturers is massive. So, we can expect to see big leaps forward over the next decade in terms of performance and computing power.

The World Economic Forum (WEF) and the UK’s Financial Conduct Authority (FCA) have recognised the risks of advances in quantum computing and in January 2024 issued a white paper on quantum security for the financial sector. The paper sets out the basis of the problem and calls for global regulators to think about common approaches to prevent a fragmented global approach to regulation. It also says that the financial services industry needs to prepare, but does not set out concrete measures or steps for firms to adopt.

The FCA has taken a positive, global leadership role in tackling the risks associated with quantum computing’s ability to break classical encryption. While this is welcome and sensible, it may well result in regulators taking longer to develop a common position, leaving financial services firms with little time to react. So, organisations will need to work with regulators and be prepared to move ahead of regulatory expectations to give themselves enough time to act.

The question then becomes: how should financial firms prepare for a post-quantum world without measures or clear direction from the regulators?

Engage early and often with regulators

Financial services organisations have a vested interest in working with regulators to shape a common view of the problem and to gain insights into the direction of travel for regulations. They should use existing industry groups to monitor regulatory thinking and manage regulatory engagement. These groups are ideally placed to engage with regulators, disseminate information, and co-ordinate large-scale change between firms as they migrate to new quantum-safe encryption standards. 

Organisations that deliver market infrastructure, such as exchanges and payment services, should prepare to engage with regulators on their clients’ behalf. Every financial services firm should prepare its compliance and regulatory teams to understand the implications of quantum computing. This will position teams to respond to regulatory queries or initiatives before the regulators make a request.

Build understanding and support amongst stakeholders

The rise of quantum computers, the role of encryption in protecting financial services, and the need to move to new quantum-safe encryption standards are complex topics. Preparing to make the transition to quantum-safe encryption will involve senior staff. CISOs, CTOs, and CIOs need to build understanding amongst internal stakeholders over the next 12 months to prepare and educate boards for future changes. Organisations should also start to track risks and issues related to quantum-safe computing via Operational Risk Management systems. 

For many, the move from classical to quantum-safe encryption will involve major change programmes. These organisations will need to start building the business case to fund large-scale change programmes and to gain the board’s support to fund the transition. To provide a sense of scale, at a recent financial services leaders forum meeting hosted by PA, the attendees estimated that transition for their organisations would take between eight and 12 years.

Plan to save time and effort

Early engagement and planning to address risks will prevent frenetic and expensive last-minute programmes to introduce quantum-safe encryption. Leaving the transition to the last minute as deadlines approach risks derailing other change initiatives as employees and resources are reallocated. Develop clear, evidence-based plans to avoid being caught out.

There are practical steps to adopt now to prepare for the future. For example, firms can adopt technology strategies and architectures that simplify the transition to post-quantum encryption standards. Collecting information on where and when encryption is used across the organisation will also help with estimating and planning for a transition to the use of quantum-safe encryption. Organisations should also factor the transition to quantum-safe encryption into their medium to long-term change plans. As a minimum, this should involve allocating budget and resources in future years to manage migration to new encryption standards. 

The final step is to start conversations with suppliers about when they will bring forward new products and services incorporating quantum-safe encryption. Getting suppliers to commit to a roadmap for new quantum-safe encryption capabilities will also drive the IT industry towards addressing the issue.

Early and regular engagement will position the financial services industry to migrate to quantum-safe encryption with relative ease. Organisations that leave the migration to the last minute risk derailing change programmes and exposing themselves to loss as their encryption controls are undermined. Acting early will benefit all.

About the authors

Toby Sibley, PA security architecture expert