The risks and rewards posed by quantum computing have been on our minds for some time now, and last week the World Economic Forum and the FCA catapulted this topic back into the headlines with a collaborative report on quantum security for the financial sector.
The report takes as its catalyst the fact that quantum computing could render most current encryption schemes obsolete (as we have written about here), threatening the integrity of digital infrastructures, communications and data, and by extension trust in the financial system. The quantum threat could materialise within the next decade, and that near horizon already shapes the current risk landscape through ‘harvest now, decrypt later’ attacks, in which encrypted data is captured today so that it can be decrypted once a sufficiently capable quantum computer exists.
Regulatory authorities in the financial sector are keenly aware of the quantum threat, and this report joins the work of the Bank for International Settlements on quantum-proofing the financial system. As a precursor to the report, the FCA surveyed regulatory authorities across a number of jurisdictions worldwide; 60% of respondents said they expected quantum computing to significantly affect the financial sector within the next seven years, and 93% agreed that quantum technologies will have significant implications for their regulatory frameworks.
Meeting this challenge head on, the report sets out four guiding principles to inform global regulatory approaches to a quantum-secure transition (with predictable emphasis on the need for transparency and on avoiding regulatory fragmentation), alongside a four-phase roadmap for the transition to a quantum-secure financial sector. These phases are:
- Prepare, where organisations in the financial sector should raise awareness among stakeholders at all levels, should consider conducting comprehensive reviews of their cryptographic infrastructure, and should build internal capabilities and upskill workforces to transition to quantum-secure systems;
- Clarify, where both regulators and industry should engage in a comprehensive review of existing regulatory frameworks to understand how they capture quantum risks and to identify potential gaps, and financial sector organisations should begin modelling the costs and time frame of transitioning. In the UK, the senior managers and certification regime and the regulatory rules around operational resilience (including the new critical third parties regime) will be invaluable tools in the FCA and PRA’s toolbox;
- Guide, where identified regulatory gaps should be plugged and industry should understand and plan for the implementation of technical security standards (such as those being developed by the US National Institute of Standards and Technology, or ‘NIST’, by 2024) across new and existing systems; and
- Transition and monitor, where implementation occurs and the emphasis shifts to modernising cryptographic management and refining policy development processes to ensure long-term agility and resilience.
Taking a step back, it is important to hold in mind the potential benefits offered by quantum computing to the financial sector (and indeed, we've previously highlighted the potential for quantum computing to bolster firms' operational resilience). It is striking that, as the report highlights, investments by the financial sector in quantum computing are expected to reach up to $850 billion over the next 30 years.
Nevertheless, with their complex digital infrastructure and reliance on third-party ICT providers, and against a backdrop where the UK's National Quantum Strategy places emphasis on managing the quantum encryption risk, financial sector firms must sit up and pay attention to the quantum threat as a matter of priority. As a first step the World Economic Forum and the FCA invite ongoing engagement from all stakeholders, and the FCA encourages UK firms to share their thoughts with its Emerging Tech team.