Light Dark
January 26, 2024 By Dinesh Nagarajan
Joachim Schäfer
5 min read
Risk Management
Banking & Finance
Data Protection

Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.

The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a “high level of operational resilience” in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology (ICT) service providers, etc. — are expected to comply by January 17, 2025.

New requirements for financial entities in the EU

DORA lays out a set of requirements across ICT risk management, incident reporting, operational resilience testing, cyber threat and vulnerability information sharing, and third-party risk management. As part of those requirements and in the context of data protection and cryptography, it lays out in Article 9 (“Protection and prevention”) that financial entities “shall use ICT solutions and processes” that “(a) ensure the security of the means of transfer of data” or “(c) prevent […] the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data.”

Further elements to consider in the context of Article 9 are referred to in Article 15 and laid out in the related (draft) regulatory technical standards, which the ESA published on January 17, 2024. Particularly, JC 2023 86 provides detailed requirements on cryptographic guidance. In addition, in its preambles, the following is stated:

“Given the rapid technological developments in the field of cryptographic techniques, financial entities […] should remain abreast of relevant developments in cryptanalysis and consider leading practices and standards and should hence follow a flexible approach based on mitigation and monitoring to deal with the dynamic landscape of cryptographic threats, including those from quantum advancements.”

Below, we will further elaborate on the referred ‘cryptographic threats’ and the implications they could have on financial institutions in the context of quantum computing.

Quantum threats and quantum-safe cryptography

While current quantum computers still struggle with noise and are not yet “fault-tolerant,” impressive milestones have been reached already proving their utility. Given the number of investments being made in both the private sector and academia, it is expected that this technology will scale and drastically improve over time. As it does, the potential threat to the digital economy will grow.

In 1994, the physicist Peter Shor introduced an algorithm that, when run on a large-scale quantum computer, could break public key-cryptography algorithms such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman and Elliptic Curve Cryptography (ECC). The financial sector relies on these algorithms to ensure the confidentiality and integrity of bank transactions, the authenticity of its customers, the validity of digitally signed documents and the confidentiality of customer financial data. If the supporting cryptography can no longer be trusted, the entire financial sector is at risk.

Quantum threats posed to cryptography

To break today’s cryptography, a so-called Cryptographically Relevant Quantum Computer (CRQC) would need to be realized (some experts estimate it could happen in the early 2030s). However, while the impact is in the future, we are at risk already. One can imagine an attacker harvesting encrypted confidential data today to decrypt it later.

Fast-tracking quantum-resistant cryptography

Fortunately, new “quantum-safe” cryptography is being standardized, with the most noteworthy effort being run by the National Institute of Standards and Technology (NIST). In 2016, NIST launched a competition with more than 80 submissions to standardize a new form of cryptography that will run on ordinary systems (e.g., laptops, cloud, etc.) but will be resistant to a quantum attacker because it relies on mathematical problems that are hard to solve by a quantum (and classical) computer.

The first four algorithms for standardization were selected by NIST in July 2022 (out of which three were co-contributed by IBM). While the standards are planned to be released in 2024, additional alternate candidates are still being considered.

NIST standardization timeline for quantum-safe (aka ‘post-quantum’) cryptography

A quantum-safe cryptography standard is in sight. Unfortunately, due to the complexity of the financial sector in particular, a lengthy journey lies ahead. NIST assumes that “five to 15 or more years will elapse […] before a full implementation of those standards is completed.” If we overlay this with the development timelines of a CRQC, one realizes that entities have to start this journey today.

Why quantum has an impact on DORA

Quantum threats, when they materialize, have the potential to drastically impact the operational resilience of financial entities and could disrupt the economy globally. Fortunately, new quantum-safe cryptography algorithms are available (with standards very soon to be published), which will be needed to mitigate those threats.

If we relate this to the requirements of DORA, we can draw several direct links. To satisfy Article 9, financial entities will need to adopt quantum-safe means of data transfer, as well as quantum-safe mechanisms to “prevent […] the impairment of the authenticity and integrity, the breaches of confidentiality and loss of data.”

This implies the need to adopt upcoming, quantum-safe data-in-transit protocols such as quantum-safe transport layer security (TLS) or quantum-safe virtual private networks (VPNs), as well as quantum-safe mechanisms for signing (legally binding) documents or bank transactions. As a result, financial entities will need to implement supporting infrastructure such as quantum-safe public key infrastructure (PKI) and key management systems.

Additionally, implementations today are often in the hands of third-party suppliers. To add to the complexity, in many cases, existing programs, such as a “move to cloud” or “zero trust” implementation, will be impacting several of the above-mentioned elements.

Quantum threats can have serious consequences

In a worst-case scenario, if financial services organizations do not remediate quantum threats in their digital ecosystem, this can impact the resilience of their business by:

  • Being unable to verify authorized users on their network leads to confusion and a complete lack of trust in their digital ecosystem.
  • Being unable to fulfill their data privacy regulations due to a lack of trust in the mechanisms (e.g., encryption) used to protect such data.
  • Increased risk of exposure to external threats from the presence of vulnerable cryptography protocols and algorithms on business-to-business and supply chain networks.
  • Disruption of day-to-day business from downtime required to remediate digital services and applications.

Given current draft requirements as per JC 2023 86, one can anticipate that soon after quantum-safe cryptography is standardized, it will be considered an account-leading practice. Hence, regardless of when quantum threats might materialize, regulatory requirements, such as DORA, will soon implicitly mandate the adoption of quantum-safe cryptography in the financial industry.

At the same time, organizations should seize the opportunity to improve their overall cryptographic agility by modernizing the way cryptography is implemented today and making future changes much more timely and cost-efficient.

Implement your quantum-safe migration

It is clear that implementing quantum-safe cryptography will not be an easy endeavor. Such a migration program will require agility and also offers the possibility to exploit an early mover advantage. It will require a multi-pronged approach, including top-down business priorities as well as bottom-up technical capabilities.

We recommend the following steps that organizations impacted by DORA should take at a minimum:

  • Assess and review your enterprise cryptographic posture and identify elements (applications, networks, strategic projects, etc.) potentially impacted by quantum threats.
  • Develop a plan based on business priorities and take into account synergies with existing transformation programs, laying out an approach to remediation for the impacted digital services and corresponding systems.
  • Improve your cryptographic posture by introducing cryptographic discovery and inventory capabilities. Introduce cryptographic observability to validate cryptographic compliance on an ongoing basis, including leveraging “cryptography bills of material.” Such elements will increase the cryptographic agility of your organization.
  • Ensure current change processes and strategic projects take into consideration the impact of cryptography and provisions are made to implement remediation on the least disruptive basis.
  • Sponsor a program to continue the steps above continually.

Above all, do not wait to begin tackling these steps. We strongly recommend that organizations define a quantum-safe migration program today.

Start your quantum safe journey
 |  |  |  |  |  | 
Dinesh Nagarajan
Global Partner - IBM Consulting Cybersecurity
Joachim Schäfer
Managing Security Consultant, IBM

More from Risk Management
April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature