Banks Need to Act Now to Ensure Post-Quantum Cybersecurity

Banks Need to Act Now to Ensure Post-Quantum Cybersecurity

The Financial Services Industry has long been a lucrative playground for cyber thieves. These days, the push toward a digital banking economy has opened financial institutions to an overwhelming number of new and sophisticated cyberattacks. The list of cyberattacks on banks just in 2021 is long, including Flagstar Bank, the European Banking Authority, New Zealand’s central bank, and more. According to a Trend Micro report, banks experienced a 1,318 percent year-on-year increase in ransomware attacks in the first half of 2021.

To make things worse, quantum computers will be used to disrupt service to critical financial cyber-systems, which could have devasting effects on the American economy. A study conducted by Arthur Herman at the Hudson Institute revealed that an attack from a quantum computer that disrupts any of the five largest financial institutions’ access to the Fedwire Funds Service could cost up to nearly $2 Trillion. It is imperative that banks and financial services institutions take measures to protect themselves and the American economy from these future cyberattacks.

The issue has become so pervasive that during a congressional hearing last year, CEOs from six of the largest U.S. banks testified that cybersecurity is the most significant risk for their industry. The dramatic increase in cyberattacks over the past few years has prompted President Biden, NIST, and the FBI to address growing concerns over our nation’s cybersecurity. In addition, in January the White House issued a Memorandum on Improving the Cybersecurity of National Security, which outlines near term standards (including Post-Quantum Cybersecurity (PQC mandates) for National Security Systems (NSS) that are equivalent to or exceed existing cybersecurity requirements.

The challenge of modernizing cybersecurity is exacerbated by the rapid development of quantum computers and the threat of Cryptographically Relevant Quantum Computers (CRQC) which will be capable of breaking public-key encryption.

Public key encryption secures 90 percent of all global encrypted data. It is used by nearly every U.S. financial institution to secure transactions, client data, online payments, highly valuable information, and IP. Using a quantum algorithm, known as Shor’s algorithm, CRQCs will be able to easily factor large prime numbers which form the basis of public-key encryption. Shor’s algorithm will be used via a quantum computer to break public-key encryption and access the contents of the encrypted data at financial institutions in the coming years.

In addition to the future CRQC threat directly aimed at financial services organizations, hackers today are harvesting encrypted data with the intention of retroactively decrypting the data using a quantum computer, a process known as “steal now decrypt later.” It is rumored that one nation state has already harvested 25 percent of the world’s encrypted data, including sensitive information belonging to U.S financial institutions.

It is commonly accepted that the length of time sensitive banking data requires secure protection is at least 25 years. As a result, banks must update their cybersecurity standards now to prevent further loss and liability. Some large financial institutions such as J.P. Morgan, Visa and Barclays are closely monitoring quantum technologies and investing in post-quantum encryption methods to combat classical and quantum attacks. The National Institute of Standards and Technology (NIST) is currently developing standards for post-quantum cryptography, but the implementation of NIST-approved post-quantum algorithms may take decades due to the scale and complexity of today’s security networks. NIST is urging enterprises to begin the transition to a new approach called post-quantum cryptography now to protect their data from future attacks.

Post-quantum cryptography (PQC) uses cryptographic systems for classical computers that can protect against quantum computing attacks. Since PQC is software-based, it can be deployed quickly across networks and data. PQC algorithms such as those studied by NIST use complex mathematics such as 400-hundred-dimensional lattice infrastructures to hide a cryptographic key. Studies so far have determined that these chosen algorithms are highly resistant to quantum attacks.

A successful migration to post-quantum cryptography will be judged, in part, by the ease or difficulty of replacing existing systems. Since NIST has not yet finalized its PQC algorithm choices, it is particularly important that financial services organizations remain crypto-agile as part of their overall PQC transition. Crypto-agility means that a bank can start the transition to post-quantum cryptography without making a final choice on NIST approved algorithms. If a financial organization develops the right crypto-agile architecture, it can use any/all of the final NIST approved algorithms. This allows banks to begin testing PQC now, with little or no risk. Financial services organizations can migrate their cybersecurity systems to PQC as NIST continues to finalize post-quantum cryptography standards.

It is also recommended that banks immediately assess their existing systems to determine which components are most vulnerable to quantum attacks and thus need to be prioritized for future updates. Financial institutions can conduct low-cost experiments with hybrid post-quantum and public key solutions, accelerating the transition toward quantum resiliency. Additionally, they can prioritize extremely sensitive data to mitigate risk as the process progresses. Financial institutions must take it upon themselves to conduct these risk analyses now to prepare for the implementation of future NIST post-quantum standards.

To accelerate the transition into the post-quantum era it is critical that financial institutions begin testing practical PQC solutions that minimize disruption to existing systems. These practices and new approaches will play a pivotal role in securing the future of our financial institutions. Banks should look to PQC solutions that offer quantum resilience, crypto-agility and backwards compatibility.

Featured

  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Survey: Only 13 Percent of Research Institutions Are Prepared for AI

    A new survey commissioned by SHI International and Dell Technologies underscores the transformative potential of artificial intelligence (AI) while exposing significant gaps in preparedness at many research institutions. Read Now

  • Survey: 70 Percent of Organizations Have Established Dedicated SaaS Security Teams

    Seventy percent of organizations have prioritized investment in SaaS security, establishing dedicated SaaS security teams, despite economic uncertainty and workforce reductions. This was a key finding in the fourth Annual SaaS Security Survey Report: 2025 CISO Plans and Priorities released today by the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

  • Mobile Applications Are Empowering Security Personnel

    From real-time surveillance and access control management to remote monitoring and communications, a new generation of mobile applications is empowering security personnel to protect people and places. Mobile applications for physical security systems are emerging as indispensable tools to enhance safety. They also offer many features that are reshaping how modern security professionals approach their work. Read Now

Featured Cybersecurity

Webinars

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3