DTCC Warns on Quantum Computing Security Threat
Posted by Colin Lambert. Last updated: September 22, 2022
A new paper argues that as quantum computing creates vast new possibilities to analyse and solve complex problems that are unsolvable by today’s computers, it also has the potential to disrupt entire industries and create significant new risks for financial firms by making even the most highly protected computer systems vulnerable to hacking.
Post-trade market infrastructure provider The Depository Trust & Clearing Corporation (DTCC) has issued a white paper that brings this risk into focus, while identifying initial steps organisations can take to protect themselves in the future.
In the paper, Post-Quantum Security Considerations for the Financial Industry, DTCC explains that, as safekeepers of investments, public assets, pensions and retirement accounts, financial institutions are responsible for securing personal information, accounts, holdings, and financial transactions, often using traditional encryption methods. It adds that experts estimate that quantum-based computers will one day have the power to break the industry’s existing cryptography codes in seconds.
“We recognise that the quantum technology threat is coming,” says Ajoy Kumar, chief information security officer at DTCC. “With some experts estimating that the industry’s protected data could become vulnerable within the next decade, the time to act is now. DTCC is already taking proactive steps to protect our data.”
Given that quantum computing will compromise much of the cryptography that protects today’s digital information, DTCC has suggested that firms begin to assess and respond to this security threat by sizing up the effort, identifying the systems and encryption mechanisms in scope for remediation.
It also says firms should strengthen cryptography practices by centralising the management of keys and certificates, instilling standards for encryption mechanisms, and implementing change management for new encryption solutions. It adds that firms also need to develop and exercise a playbook that details the steps needed to replace an encryption platform, while ensuring the plan can be executed on time.
Furthermore, it says that modifying and separating systems as needed to facilitate the work to come, and beginning organisational change management efforts to build a strong risk culture and risk-based mindset within organisations, will also provide benefits down the road.
The firm also suggests closely monitoring activities taking place within the regulatory community that address topics like standardisation, including NIST’s focus on post-quantum cryptography (PQC) standards.
DTCC says it plans to use the white paper to create an intentional dialogue about how the industry can defend against post-quantum risk. “We look forward to partnering with the industry to continue this critical dialogue and to prepare for the emergence of PQC standards,” says Kumar. “Collaboration and preparation will be key to ensuring that the security, privacy, and integrity of the financial industry is preserved.”