FIN.

G7 Cyber Expert Group publishes guidance on combatting quantum computing risks in the financial sector

The G7 Cyber Expert Group (CEG) has published a statement highlighting potential cybersecurity risks arising from developments in quantum computing, and how these may be addressed by the financial sector.

The CEG highlights that while potentially providing significant benefits to the financial system, quantum computers will inevitably also carry unique cybersecurity risks. One of the most significant of these is that cyber threat actors might use the technology to defeat cryptographic techniques that secure communications and IT systems, potentially exposing financial entity data, including customer information.

Although the exact timelines for developing quantum computers are unclear, the CEG stresses that the financial sector should start risk management planning now, because not only could future data be at risk, but also any previously transmitted data that threat actors intercept and store with the intent of decrypting it later with quantum computers.

The National Institute of Standards and Technology (NIST) published an initial set of quantum-resilient encryption standards in August 2024, and additional standards are expected going forwards. The CEG stated that financial entities ought to maintain the agility required to incorporate new encryption standards in a timely and appropriate manner as they become available. Regardless of where entities are in their standards-adoption timelines, the CEG recommends that financial authorities and institutions begin taking the following steps to build resilience against quantum computing risks:

  • Develop a better understanding of the issue, the risks involved, and strategies for mitigating those risks
    • Firms might consider contacting vendors, third parties, and other subject matter experts to better understand the risks of quantum computing and potential technology solutions, with focus on cryptographic risks.
    • Entities should also consider processes to track developments in areas of interest, like technology development timelines, the threat landscape, and existing and emerging resilience approaches.
  • Assess quantum computing risks in their areas of responsibility
    • Financial entities should understand quantum computing risks to their particular areas of responsibility, in order to identify the level of effort required toward the issue and the specific area(s) where they should focus.
    • For entities that are more progressed in this space, this may involve beginning to inventory critical data and current cryptographic technologies in use within their organizations and key third parties on which they are dependent in order to identify and prioritize areas for mitigation.
    • For others, a starting point may be discussions with the entity’s IT leadership and key service providers, with a view to conducting a more in-depth analysis. They may also wish to discuss their risk tolerance for protecting critical data before quantum technologies become more mature.
  • Develop a plan for mitigating quantum computing risks
    • Entities should consider establishing governance processes, identifying key stakeholders and their roles and responsibilities, and establishing milestones for key actions based on the anticipated deployment of a cryptographically relevant quantum computer.
    • In addition to the inventory of cryptography use identified above, such future actions may include planning for the orderly replacement of vulnerable technologies with those that are quantum resistant. The CEG highlights the Canadian Government’s Quantum Readiness Guide, which can help entities prepare for the quantum threat.

Laura Wiles