Managing Cybersecurity Risks Associated with Quantum
On 20 February 2024, the Monetary Authority of Singapore (“MAS”) issued Circular MAS/TCRS/2024/01 (the “Circular”) to financial institutions (“FIs”) in Singapore. The Circular sets out suggested measures that FIs should consider as part of their quantum transition efforts, and should be read as supplementary information to the relevant MAS notices and guidelines.
The Circular cautions that cybersecurity risks associated with quantum will materialise in the near future, due to the advent of cryptographically relevant quantum computers that have the potential to break some of the commonly used encryption and digital signature algorithms. While developments are underway to strengthen the security of communication channels, FIs are expected to attain crypto agility so that they can transition to post-quantum cryptography (“PQC”) without substantially impacting their information technology (“IT”) systems and infrastructure.
Key measures that FIs should consider
In addressing the cybersecurity risks associated with quantum, FIs are expected to:
Keeping abreast of the latest developments and raising awareness
- Monitor ongoing quantum computing developments for cybersecurity threats and risks that may impact financial services, and their possible mitigation using quantum security solutions (e.g. PQC and quantum key distribution).
- Ensure that the senior management and relevant third-party vendors understand the potential threats of quantum technology, and the importance of supporting efforts on transitioning to quantum security solutions.
- Work closely with third-party IT vendors to assess the FI’s IT supply chain risks arising from the quantum threats, and request that vendors provide quantum-resistant solutions when they become commercially available.
- Connect with relevant industry groups, research bodies, or Information Sharing and Analysis Centres to exchange information and collectively mitigate systemic quantum risks.
Maintaining an inventory of cryptographic assets, identifying critical assets to be prioritised for transition, and key distribution
- Identify and maintain an inventory of cryptographic solutions used in the FI, and determine which solutions are potentially vulnerable and need to be replaced with quantum-resistant alternatives when the solutions become commercially available. The MAS has set out specific information to be included in the inventory.
- Classify IT and data assets that are dependent on the potentially vulnerable cryptographic solutions to prioritise the risk mitigation efforts.
- Assess whether existing system infrastructures can support crypto-agility and consider upgrading them if there are limitations that may hinder the transition.
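The three measures above amount to a cryptographic inventory with a triage step: record where each algorithm is used, mark which ones a cryptographically relevant quantum computer would break, and rank the dependent assets for migration. The script below is an added illustration of that triage and is not part of the Circular or any MAS guidance. The inventory fields, the algorithm groupings and the scoring rules are assumptions for the example (the specific inventory information the MAS has asked for is not reproduced here), and the sample inventory is constructed.

```python
"""Cryptographic inventory triage (added illustration, not from the MAS Circular).

Each inventory entry is classified by whether its algorithm is expected to be
broken by a cryptographically relevant quantum computer (CRQC), then ranked so
that migration effort goes to the most exposed assets first.  The inventory
fields and scoring weights below are assumptions for this example.
"""
from dataclasses import dataclass

# Public-key primitives broken by Shor's algorithm once a CRQC exists.
QUANTUM_VULNERABLE = {"RSA", "DSA", "ECDSA", "ECDH", "DH", "EdDSA"}
# Symmetric ciphers and hashes: Grover's algorithm roughly halves the effective
# security level, so 128-bit keys lose margin while 256-bit keys keep ample margin.
SYMMETRIC = {"AES", "ChaCha20", "SHA-256", "SHA-3", "HMAC"}
# NIST post-quantum standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).
QUANTUM_RESISTANT = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class CryptoAsset:
    asset: str             # IT or data asset that depends on this cryptography
    algorithm: str
    key_bits: int          # key size, or parameter set for PQC schemes
    purpose: str           # "key-exchange", "signature" or "encryption-at-rest"
    criticality: str       # business classification: "high", "medium" or "low"
    long_lived_data: bool  # confidentiality must hold for many years


def classify(a: CryptoAsset) -> str:
    """Quantum-risk status of a single inventory entry."""
    if a.algorithm in QUANTUM_RESISTANT:
        return "quantum-resistant"
    if a.algorithm in QUANTUM_VULNERABLE:
        return "vulnerable"
    if a.algorithm in SYMMETRIC:
        return "adequate" if a.key_bits >= 256 else "reduced-margin"
    return "unknown"  # not in any list: needs investigation, not silence


def priority(a: CryptoAsset) -> int:
    """Migration priority; higher means migrate sooner (assumed weights)."""
    status = classify(a)
    if status in ("quantum-resistant", "adequate"):
        return 0
    score = {"high": 3, "medium": 2, "low": 1}[a.criticality]
    if status == "vulnerable":
        score += 3
        # Harvest-now-decrypt-later: ciphertext captured today can be decrypted
        # once a CRQC exists, so key exchange or storage encryption protecting
        # long-lived data outranks a signature that only needs to verify today.
        if a.long_lived_data and a.purpose in ("key-exchange", "encryption-at-rest"):
            score += 2
    elif status == "unknown":
        score += 2
    return score


def triage(inventory: list[CryptoAsset]) -> list[CryptoAsset]:
    """Inventory ordered for transition planning (stable sort keeps ties in place)."""
    return sorted(inventory, key=priority, reverse=True)


# Constructed sample inventory; not real FI data.
SAMPLE_INVENTORY = [
    CryptoAsset("Customer portal TLS", "ECDH", 256, "key-exchange", "high", True),
    CryptoAsset("Core banking DB at rest", "AES", 256, "encryption-at-rest", "high", True),
    CryptoAsset("Internal code signing", "RSA", 3072, "signature", "medium", False),
    CryptoAsset("Legacy batch file encryption", "AES", 128, "encryption-at-rest", "low", True),
    CryptoAsset("Pilot PQC VPN", "ML-KEM", 768, "key-exchange", "low", False),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        print(f"{priority(a):>2}  {classify(a):<18} {a.algorithm}-{a.key_bits:<5} {a.asset}")
```

The ordering puts the customer-facing key exchange first because it is both vulnerable and exposed to harvest-now-decrypt-later, ahead of code signing, which is vulnerable but only needs to hold at verification time; the AES-256 and ML-KEM entries fall to the bottom. An "unknown" status is scored rather than ignored so that an incomplete inventory surfaces as work to do.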
Developing strategies and building capabilities
- Uplift the technical competencies of relevant staff to equip them with the requisite skillsets for supporting the transition.
- Review the FI’s internal policies, standards, and procedures, to ensure that they remain relevant throughout the transition.
- Develop risk mitigation strategies for assets which cannot be migrated to PQC, and plan for contingency scenarios where cybersecurity risks associated with quantum materialise substantially ahead of the expected timeline.
- Where resources permit, consider proof-of-concept trials with quantum security solutions to sensitise the FI to their potential impact on operations and to implementation challenges. Early experimentation would help the FI make informed decisions on solutions that become commercially available over time.