(IT.Pro.Portal) Technological innovation in the financial services industry has always had to balance risks like fraud and theft against the new opportunities it brings like access to capital, greater margins and new customers. The coming wave of quantum computers promises more of the same, though on an even greater scale. Given the glut of sensitive (therefore valuable) data that financial institutions hold, it should not be surprising that they heavily rely on cryptography at all levels of their businesses from bank cards and ATMs to mobile apps and online payments.
Worryingly there is a widespread lack of awareness in financial services of the cybersecurity risks posed by quantum technologies.
Britain’s FCA recently organized a virtual workshop with the UK Quantum Computing & Simulation Hub (QCS), attended by 25 stakeholders including the Bank of England to explore the ways in which organisations can take advantage of quantum computers but also prepare to meet the threats that arise from them.
Given the glut of sensitive (therefore valuable) data that financial institutions hold, it should not be surprising that they heavily rely on cryptography at all levels of their businesses from bank cards and ATMs to mobile apps and online payments.
The changes necessitated by the quantum threat will fundamentally alter how banks and other institutions use cryptography. It is no exaggeration to say this will be one of the biggest cryptographic transitions in generations.
Financial institutions cannot approach this period of radical change with the same piecemeal approach used in the (almost) 20-year process for the adoption of current standards. It must be a more systematic, deliberate and comprehensive approach.
An audit of security architecture and system design is something that financial institutions can – and should – be doing now. At a basic level, this analysis should account for hurdles like backward compatibility and interoperability with legacy systems and infrastructures.
At the end of this process, an organization should have a list of systems that can or can’t be upgraded easily, allowing it to identify key areas of concern. Once the analysis phase is done, an organization can then look towards providing cryptographic implementations to support changes as needed and with minimal disruption to core business activities. NIST has even suggested certain solutions to be used in the transition phase which combine one or more post-quantum candidates to get the best of both worlds.