As global financial regulators gear up to face the cybersecurity threat posed by quantum computing — which has the potential to defeat existing encryption protocols — the industry’s compliance costs are set to grow, says Fitch Ratings.
In a new report, the rating agency said governments and regulators around the world are devoting increased attention to the risks that advances in quantum computing could pose to the cryptography protocols widely used in the global financial system.
For instance, the Bank of International Settlements (BIS) has warned that the existing cryptography standards used to secure financial data and transactions could be compromised by quantum computers.
“A number of major financial regulators and industry bodies are piloting responses,” it said, noting that the U.S. National Institute of Standards and Technology recently completed a consultation on draft cryptographic standards that would be designed to withstand attacks by quantum computers.
While the development of quantum-safe cryptography standards represents “a major milestone,” Fitch warned there’s a risk that cybersecurity breaches could occur before financial firms can implement systems that utilize these new standards.
“Financial institutions are also likely to face significant costs, as well as implementation and operational challenges, transitioning cryptographic systems,” it said.
Firms will have to re-engineer their protocols and services to meet the increased demands of quantum-safe cryptography standards, it said. “This would require replacement of hardware and updating of operating systems and code, and some legacy systems would be difficult to upgrade.”
Additionally, ensuring the new systems work with existing cryptography systems “could present particular issues for financial institutions,” Fitch said, and this could be further complicated by “competing political, strategic or national security objectives among countries.”
A lack of human resources with the relevant skills to support the adoption of the new systems could also present a challenge, it suggested.
While the quantum threat is not expected to materialize in the next five years, Fitch warned about potential breakthroughs.
“Regulators in major financial markets have encouraged pre-emptive moves to strengthen cryptographic security,” it said.
For instance, the U.S. Office of Budget and Management issued guidance last year that called for federal agencies to migrate to quantum-safe systems by 2035.
And late last year, the Office of the Superintendent of Financial Institutions and the Financial Consumer Agency of Canada launched a consultation on the financial sector’s readiness to deal with the emergence of quantum computing. That consultation runs until Feb. 19.
Over the medium term, Fitch said, regulation of cybersecurity may add to compliance burdens, particularly for smaller firms.