MAS publishes advisory on addressing cybersecurity risks associated with quantum
27 March 2024
On 20 February 2024, the Monetary Authority of Singapore (“MAS”) published Circular No. MAS/TCRS/2024/01 on Advisory on Addressing the Cybersecurity Risks Associated with Quantum (“Advisory”). The Advisory, which is addressed to chief executive officers of all financial institutions (“FIs”), outlines cybersecurity risks arising from developments in quantum computing, and highlights mitigating measures that financial institutions should consider.
The Advisory states that the potential of quantum computers to break some of the commonly used encryption and digital signature algorithms poses a major cybersecurity concern. The security of financial transactions and sensitive data that FIs process could be at risk with the advent of these cryptographically relevant quantum computers.
Some of the measures highlighted in the Advisory that FIs should consider as part of their quantum transition efforts include the following:
- Keeping abreast of the latest developments in quantum computing, and raising awareness of the associated cybersecurity risks, including:
- monitoring ongoing quantum computing developments for cybersecurity threats and risks that may impact financial services, and their possible mitigation using quantum security solutions such as post-quantum cryptography (“PQC”) and quantum key distribution;
- ensuring that the senior management and relevant third-party vendors understand the potential threats of quantum technology, and the importance of supporting efforts on transitioning to quantum security solutions;
- working closely with third-party information technology (“IT”) vendors to assess the FI’s IT supply chain risks arising from the quantum threats, and requesting that vendors provide quantum-resistant solutions when they become commercially available; and
- connecting with relevant industry groups, research bodies, or Information Sharing and Analysis Centres to exchange information and collectively mitigate systemic quantum risks.
- Maintaining an inventory of cryptographic assets, and identifying critical assets to be prioritised for migration to quantum-resistant encryption and key distribution, including:
- identifying and maintaining an inventory of cryptographic solutions used in the FI, and determining those which are potentially vulnerable and need to be replaced with quantum-resistant alternatives when the solutions become commercially available; and
- classifying IT and data assets that are dependent on the potentially vulnerable cryptographic solutions, so as to prioritise the risk mitigation efforts; and
- assessing whether existing system infrastructures can support crypto-agility, and consider upgrading them over time if there are limitations that may hinder the transition to quantum security solutions.
- Developing strategies and building capabilities to address cybersecurity risks associated with quantum by:
- uplifting the technical competencies of relevant staff to equip them with the requisite skillsets for supporting the transition to quantum security solutions;
- reviewing the FI’s internal policies, standards, and procedures to ensure that they remain relevant as the FI transitions to quantum security solutions;
- developing risk mitigation strategies for assets which cannot be migrated to PQC, and planning for contingency scenarios where cybersecurity risks associated with quantum materialise substantially ahead of the predicted timeline; and
- where resource permits, consider proof-of-concept trials with quantum security solutions to sensitise the FI on their potential impact to operations and implementation challenges.
The Advisory should be read as supplementary information to the MAS notices and guidelines, including the Notice on Technology Risk Management (“TRM”), Notice on Cyber Hygiene, TRM Guidelines, and Outsourcing Guidelines which are available on the MAS website.
Reference materials
The Advisory is available on the MAS website www.mas.gov.sg.