Key takeaways
- The Monetary Authority of Singapore (MAS) has issued an advisory on measures that financial institutions (FIs) should consider as part of their quantum transition efforts, such as:
  - Keep abreast of the latest developments in quantum computing and raise awareness of the associated cybersecurity risks among senior management and relevant third-party vendors.
  - Maintain an inventory of cryptographic assets and identify critical assets to be prioritised for migration to quantum-resistant encryption and key distribution.
  - Develop strategies and build capabilities to address cybersecurity risks associated with quantum, such as uplifting technical competencies, reviewing internal policies and standards, and conducting proof-of-concept trials with quantum security solutions.
On 20 February 2024, the MAS issued an advisory on addressing the cybersecurity risks associated with quantum computing, highlighting the potential impact of quantum computing on cybersecurity and the ongoing efforts to develop quantum-resistant cryptography. It warns that quantum computers could break some of the current encryption and digital signature algorithms used by financial institutions and that this threat could materialise in the next decade. The advisory suggests that FIs should assess the risks arising from quantum computing by applying existing MAS notices and guidelines on technology risk management and cyber hygiene, and additionally recommends that FIs take the following measures:
Keep abreast of the latest developments in quantum computing and raise awareness of the associated cybersecurity risks
FIs should monitor ongoing quantum computing developments for cybersecurity threats and risks that may impact financial services, and investigate their possible mitigation using quantum security solutions such as post-quantum cryptography (PQC) and quantum key distribution (QKD). PQC refers to quantum-resistant public-key cryptographic algorithms that are being standardised by the National Institute of Standards and Technology (NIST), while QKD involves using quantum technology to establish secure communication channels for distributing encryption keys. FIs should ensure that their senior management and relevant third-party vendors understand the potential threats of quantum technology and the importance of supporting efforts on transitioning to quantum security solutions. FIs should work closely with their third-party IT vendors to assess their IT supply chain risks arising from the quantum threats, and request that vendors provide quantum-resistant solutions when they become commercially available. FIs should also connect with relevant industry groups, research bodies, or Information Sharing and Analysis Centres (ISACs) to exchange information and collectively mitigate systemic quantum risks.
Maintain an inventory of cryptographic assets and identify critical assets to be prioritised for migration to quantum-resistant encryption and key distribution
FIs should identify and maintain an inventory of cryptographic solutions used in their operations and determine those that are potentially vulnerable and need to be replaced with quantum-resistant alternatives when they become commercially available. The inventory should include information about the cryptographic algorithm and key length used, the ownership and parties responsible for maintaining cryptographic assets, and the specific system or application where the cryptographic algorithm is embedded or used. FIs should classify their IT and data assets that are dependent on the potentially vulnerable cryptographic solutions, so as to prioritise their risk mitigation efforts. The classification should be based on the sensitivity, criticality, and risk exposure of the IT and data assets, and the period for which they are deemed sensitive. FIs should also assess whether their existing system infrastructures can support crypto-agility, which is the ability to efficiently migrate away from the vulnerable cryptographic algorithms to PQC without significantly impacting their IT systems and infrastructure. FIs should consider upgrading their system infrastructures over time if there are limitations that may hinder the transition to quantum security solutions.