Singapore has issued an advisory for financial institutions (FIs) to mitigate cyber security risks linked with quantum computing.
Quantum computers that harness the laws of quantum mechanics have the potential to solve certain mathematical problems exponentially faster than traditional computers.
Yet their potential to break some of the commonly used encryption and digital signature algorithms poses a major cybersecurity concern.
The Monetary Authority of Singapore (MAS) said the security of financial transactions and sensitive data processed by FIs could be at risk with the advent of these cryptographically relevant quantum computers (CRQCs).
It added that FIs need to build 'crypto agility' for migrating away from vulnerable cryptographic algorithms.
MAS directs the monitoring of ongoing quantum computing developments for cybersecurity threats and risks that may impact financial services, and their possible mitigation using quantum security solutions such as post-quantum cryptography (PQC) and quantum key distribution (QKD).
It also recommends working closely with third-party IT vendors to assess the FI’s IT supply chain risks arising from the quantum threats and connect with relevant industry groups, research bodies, or Information Sharing and Analysis Centres to collectively mitigate systemic quantum risks.
The current advisory builds on MAS notices and guidelines to all banks in Singapore to set out requirements for highly reliable IT systems and controls to protect customer information from unauthorised access or disclosure.
POC Trials
Where resource permits, MAS suggests FIs consider proof-of-concept trials with quantum security solutions to sensitise their potential impact on operations and implementation challenges.
"Early experimentation would help FIs make informed decisions on solutions once they become commercially available," it added.
The agency also suggests identifying and maintaining an inventory of cryptographic solutions to later determine those which are potentially vulnerable and need to be replaced with quantum-resistant alternatives.
This includes assessing whether an institution's existing system infrastructures can support crypto-agility, and consider upgrading them over time if there are limitations that may hinder the transition to quantum security solutions.
MAS added that classifying IT and data assets based on sensitivity, criticality, and risk exposure will also prioritise their risk mitigation efforts.
