Quantum computing – Singapore financial institutions advised of risks | Perspectivas

27 February 2024 Reed Smith Client Alerts

Inicio Perspectivas Quantum computing – Singapore financial institutions advised of risks

Key takeaways

The Monetary Authority of Singapore (MAS) has issued an advisory on measures that financial institutions (FIs) should consider as part of their quantum transition efforts, such as:
Keep abreast of the latest developments in quantum computing and raise awareness of the associated cybersecurity risks among senior management and relevant third-party vendors.
Maintain an inventory of cryptographic assets and identify critical assets to be prioritised for migration to quantum-resistant encryption and key distribution.
Develop strategies and build capabilities to address cybersecurity risks associated with quantum, such as uplifting technical competencies, reviewing internal policies and standards, and conducting proof-of-concept trials with quantum security solutions.

Autores: Hagen Rooke Bryan Tan Jun Qi Chin Nicholas Tok (Resource Law LLC), Eng Han Goh (Resource Law LLC)

On 20 February 2024, the MAS issued an advisory on addressing the cybersecurity risks associated with quantum computing, highlighting the potential impact of quantum computing on cybersecurity and the ongoing efforts to develop quantum-resistant cryptography. It warns that quantum computers could break some of the current encryption and digital signature algorithms used by financial institutions and that this threat could materialise in the next decade.The advisory suggests that FIs should assess the risks arising from quantum computing by applying existing MAS notices and guidelines on technology risk management and cyber hygiene, and additionally recommends that FIs take the following measures:

Keep abreast of the latest developments in quantum computing and raise awareness of the associated cybersecurity risks

FIs should monitor ongoing quantum computing developments for cybersecurity threats and risks that may impact financial services, and investigate their possible mitigation using quantum security solutions such as post-quantum cryptography (PQC) and quantum key distribution (QKD). PQC refers to quantum-resistant public-key cryptographic algorithms that are being standardised by the National Institute of Standards and Technology (NIST), while QKD involves using quantum technology to establish secure communication channels for distributing encryption keys. FIs should ensure that their senior management and relevant third-party vendors understand the potential threats of quantum technology and the importance of supporting efforts on transitioning to quantum security solutions. FIs should work closely with their third-party IT vendors to assess their IT supply chain risks arising from the quantum threats, and request that vendors provide quantum-resistant solutions when they become commercially available. FIs should also connect with relevant industry groups, research bodies, or Information Sharing and Analysis Centres (ISACs) to exchange information and collectively mitigate systemic quantum risks.

Maintain an inventory of cryptographic assets and identify critical assets to be prioritised for migration to quantum-resistant encryption and key distribution

FIs should identify and maintain an inventory of cryptographic solutions used in their operations and determine those that are potentially vulnerable and need to be replaced with quantum-resistant alternatives when they become commercially available. The inventory should include information about the cryptographic algorithm and key length used, the ownership and parties responsible for maintaining cryptographic assets, and the specific system or application where the cryptographic algorithm is embedded or used. FIs should classify their IT and data assets that are dependent on the potentially vulnerable cryptographic solutions, so as to prioritise their risk mitigation efforts. The classification should be based on the sensitivity, criticality, and risk exposure of the IT and data assets, and the period for which they are deemed sensitive. FIs should also assess whether their existing system infrastructures can support crypto-agility, which is the ability to efficiently migrate away from the vulnerable cryptographic algorithms to PQC without significantly impacting their IT systems and infrastructure. FIs should consider upgrading their system infrastructures over time if there are limitations that may hinder the transition to quantum security solutions.

Develop strategies and build capabilities to address cybersecurity risks associated with quantum

FIs should uplift the technical competencies of their relevant staff to equip them with the requisite skillsets for supporting the transition to quantum security solutions. Additionally, FIs should review their internal policies, standards, and procedures to ensure that they remain relevant as they transition to quantum security solutions. FIs should develop risk mitigation strategies for assets that cannot be migrated to PQC, and plan for contingency scenarios where cybersecurity risks associated with quantum materialise substantially ahead of the predicted timeline. FIs should also consider proof-of-concept trials with quantum security solutions to sensitise themselves to their potential impact on operations and implementation challenges. Early experimentation would help FIs to make informed decisions on solutions that become commercially available as the nascent market matures.

Practical next steps

The practical steps that FIs may wish to take in response to the advisory will differ depending on the operating model of the FI, its exposure to quantum computing risks, and the nature, scale, and complexity of its business. Measures that FIs may consider taking include the following:

Designate relevant personnel to oversee and coordinate the quantum transition efforts, and to liaise with external stakeholders such as vendors, industry groups, and regulators.
Conduct a quantum risk assessment to identify and prioritise the cryptographic assets and IT and data assets that are most vulnerable and critical to the FI's operations, and to estimate the potential impact and likelihood of quantum threats.
Develop a quantum transition roadmap and timeline to outline the key milestones and activities for migrating to quantum security solutions, and allocate the necessary resources and budget for the transition.
Implement a quantum security awareness and training programme to educate and inform the senior management, staff, and relevant third-party vendors on the quantum threats and quantum security solutions, and to foster a culture of quantum readiness and resilience.
Monitor and evaluate the quantum transition progress and performance, and update the quantum risk assessment and transition roadmap as needed, based on the latest developments and feedback from the quantum security solutions trials and implementation.

Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.

Client Alert 2024-046

Cheng, Cue named among top lawyers for DeSPAC transactions

Industrias

Servicios

Equipos comerciales

PitchBook: Reed Smith leads on PE transactions in healthcare

Quantum computing – Singapore financial institutions advised of risks

You May Be Interested

Cheng, Cue named among top lawyers for DeSPAC transactions

PitchBook: Reed Smith leads on PE transactions in healthcare

Herramientas para compartir contenido