DTCC outlines post-quantum security risks and considerations for the financial industry as technology capabilities continue to advance
As quantum computing creates vast new possibilities to analyze and solve complex problems that are unsolvable by today’s computers, it also has the potential to disrupt entire industries and create significant new risks for financial firms by making even the most highly protected computer systems vulnerable to hacking. The Depository Trust & Clearing Corporation (DTCC), the premier post-trade market infrastructure for the global financial services industry, has issued a white paper that brings this risk into focus, while identifying initial steps organizations can take to protect themselves in the future.
In its latest white paper, “Post-Quantum Security Considerations for the Financial Industry,” DTCC explains that, as safekeepers of investments, public assets, pensions and retirement accounts, financial institutions are responsible for securing personal information, accounts, holdings, and financial transactions, often using traditional encryption methods. As DTCC outlines in its paper, experts estimate that quantum-based computers will one day have the power to break the industry’s existing cryptography codes in seconds.
“We recognize that the quantum technology threat is coming. With some experts estimating that the industry’s protected data could become vulnerable within the next decade, the time to act is now,” said Ajoy Kumar, DTCC Managing Director and Chief Information Security Officer. “DTCC is already taking proactive steps to protect our data.”
Given that quantum computing will compromise much of the cryptography that protects today’s digital information, DTCC has suggested that firms begin to assess and respond to this security threat by:
- Sizing up the effort by identifying systems and encryption mechanisms in scope for remediation.
- Strengthening cryptography practices by centralizing the management of keys and certificates, instilling standards for encryption mechanisms, and implementing change management for new encryption solutions.
- Developing and exercising a playbook that details the steps needed to replace an encryption platform while ensuring the plan can be executed on time.
- Modifying and separating systems, as needed, to facilitate work to come.
- Beginning organizational change management efforts to build a strong risk culture and risk-based mindset within organizations.
The firm also suggests closely monitoring activities taking place within the regulatory community that address topics like standardization, including NIST’s focus on post-quantum cryptography (PQC) standards.
DTCC plans to use the white paper to create an intentional dialogue about how the industry can defend against post-quantum risk.
Kumar added, “We look forward to partnering with the industry to continue this critical dialogue and to prepare for the emergence of PQC standards. Collaboration and preparation will be key to ensuring that the security, privacy, and integrity of the financial industry is preserved.”