FIN.

Government publishes post-quantum cryptography roadmap

The Government has published the G7 Cyber Expert Group statement on advancing a coordinated roadmap for the transition to a post-quantum cryptography in the financial sector. The group has previously highlighted the benefits and risks associated with quantum computing, noting that there was a risk that advanced quantum computers could break widely used protocols that protect systems and data. A primary way to address these risks is for entities to transition to post-quantum cryptography and quantum-resistant cryptographic algorithms.

The G7 CEG has as a result developed a roadmap to help businesses consider what they might do to proactively address the risks. The roadmap is based on:

  • flexibility to suit each business’ circumstances;
  • a risk-based approach allowing businesses to apply more or less aggressive timelines to different areas of their business;
  • a stadards-based approach which can establish quantifiable metrics to track progress, demonstrate accountability and enable recalibration; and
  • collaboration and cooperation across businesses and jurisdictions.

The group suggests key migration activities and outcomes and, against those potential activities for financial institutions and for public authorities. These are based on the following stages leading up to institutions incorporating new cryptographic standards and regulators having in place adaptive policy frameworks:

  • awareness and preparation;
  • discovery and inventory;
  • risk assessment and planning;
  • migration execution;
  • migration testing; and
  • validation and monitoring.

In terms of timing, the awareness and preparation stage should start now and 2035 is a possible overall target date, but the group recommends that businesses consider addressing systems that are most critical a few years earlier would limit the downside risk of the identified risks being realised earlier than expected. So firms should start considering integrating their approaches into their existing governance and risk management frameworks, and keep up pressure with senior management engagement.

If you’d like to discuss this further, please contact Caroline Churchill or me, Katie.

Katie Simmonds