Looming Quantum Deadlines: The Cryptographic Preparedness Challenge for Banks
As the era of quantum computing approaches, financial institutions face pressing questions regarding their cryptographic infrastructure. A recent report outlines the urgent need for banks to understand where and how their encryption is deployed, as the threat of quantum capabilities looms larger.
In a significant breakthrough in December 2024, Google showcased its Willow chip, which achieved below-threshold quantum error correction by employing 105 superconducting qubits. This pivotal development demonstrated that error rates in quantum computing decrease exponentially with an increase in qubit count—disproving previous concerns that scaling qubits would only amplify errors. In the months leading up to 2026, research continued to progress rapidly, indicating that the quantum resources initially estimated to be necessary for breaking current cryptographic systems have drastically diminished. It was reported that what once required around 20 million qubits now could potentially be accomplished with fewer than one million for RSA, and possibly under 100,000 for newer encryption architectures.
In response to these developments, Google has adjusted its timeline for migrating to quantum-resistant encryption, signaling that the previously envisaged deadline of 2035 may not suffice for proper preparation. Alongside the technological advancements, regulatory frameworks have begun to take shape. In August 2024, the National Institute of Standards and Technology (NIST) finalized its standards for post-quantum cryptography after an extensive eight-year evaluation process. These standards include ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA as a hash-based fallback. NIST has outlined a deprecation timeline, mandating that quantum-vulnerable algorithms be phased out by 2030 and prohibited entirely after 2035. Notably, both RSA-2048 and Elliptic Curve Digital Signature Algorithm (ECDSA) with P-256 fall under this directive.
In October 2024, CERT-In released vital technical guidelines detailing cryptographic elements, quantum readiness, and artificial intelligence systems for Indian banking and financial services institutions. These guidelines emphasize that a cryptographic bill of materials is transitioning from a best practice to an essential security capability. Despite the clarity in standards, a considerable gap in execution remains evident.
A crucial challenge lies in the fact that most banks are unable to precisely identify where cryptography is deployed within their systems. This lack of visibility is problematic, especially as regulators begin to demand detailed accounts of cryptographic deployment. Questions linger: Which applications utilize RSA encryption? What systems depend on elliptic-curve cryptography? Which certificates are set to expire, on which systems, and under what trust chains? Unfortunately, many institutions cannot accurately answer these inquiries, exposing what is termed the "visibility gap."
To address these concerns, financial organizations should start with basic questions regarding their cryptographic preparedness. Is there a comprehensive inventory of all cryptographic assets? While many banks maintain inventories of their assets, few have chronicled where cryptography is used. A Cryptographic Bill of Materials (CBOM) can offer transparency by documenting algorithms, libraries, protocols, and key management practices across the organization. This documentation must include specifics on cryptographic libraries, active algorithms, protocol versions, key rotation policies, and expiry data for certificates.
Amidst these growing concerns, institutions also need to identify which data must remain secure beyond the quantum horizon. The concept of "harvest now, decrypt later" has become significant, where adversaries collect encrypted information now with the intent of decrypting it later using advanced quantum capabilities. Institutions must contemplate the longevity of their encrypted data, particularly sensitive information such as customer records, credit histories, and strategic communications. As they process this question, they should consider the relevance of the stored data well beyond the year 2035.
Another critical issue is the agility of cryptographic systems. Organizations must assess whether they can switch algorithms without fundamentally redesigning their systems. Unfortunately, many traditional banking systems were not designed with this flexibility in mind. Instead, embedded cryptographic protocols often require significant redesign to replace, which means that early investment in crypto agility will enable smoother transitions in the future.
Moreover, it is imperative that banks evaluate the readiness of their vendors and partners concerning quantum preparedness. Leading cloud providers, such as AWS and Microsoft, have begun integrating post-quantum solutions, yet not all payment processors and core banking platform providers are moving in the same direction. A bank that has adopted quantum-ready protocols could still be vulnerable if its ecosystem is compromised.
To navigate this challenging landscape, a structured transition roadmap is critical. Organizations should undertake the following steps:
- Assess Current Cryptographic Deployments: Map out cryptographic dependencies across both internal systems and third-party applications.
- Classify Data Sensitivity: Prioritize data based on its confidentiality lifespan and evaluate which systems carry the most risk under the harvest-and-decrypt model.
- Instill Crypto Agility: Develop a culture of flexibility in new systems, maintain open dialogues with vendors, and stay updated with NIST and CERT-In guidelines.
- Begin Migration Efforts: Transition high-priority systems to post-quantum standards while simultaneously testing interoperability with existing technologies to avoid a last-minute rush.
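The assessment and classification steps above, together with the CBOM inventory described earlier, applied to a small constructed inventory; this is an added example, not part of the original article. The record fields, tier names and ranking rule are assumptions, and any algorithm the script does not recognize is sent to review rather than treated as safe.

```python
from dataclasses import dataclass

QUANTUM_VULNERABLE = ("RSA", "ECDSA", "ECDH")      # families the article calls quantum-vulnerable
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")     # NIST standards named in the article
DISALLOW_YEAR = 2035                               # prohibition date cited in the article

@dataclass
class CbomEntry:                 # hypothetical record shape, not a standard CBOM schema
    system: str
    owner: str                   # "internal" or a third-party vendor name
    algorithm: str               # e.g. "RSA-2048", "ECDSA-P256", "ML-KEM-768"
    use: str                     # "key-exchange", "encryption" or "signature"
    confidential_until: int      # last year the protected data must stay secret

def family(entry):
    """Map an algorithm string to 'vulnerable', 'post-quantum' or 'unknown'."""
    name = entry.algorithm.upper()
    if name.startswith(POST_QUANTUM):
        return "post-quantum"
    if name.startswith(QUANTUM_VULNERABLE):
        return "vulnerable"
    return "unknown"             # visibility gap: never assume an unlisted algorithm is safe

def tier(entry):
    """Assumed rule: P1 = harvest-now-decrypt-later exposure, P2 = migrate by deadline."""
    fam = family(entry)
    if fam != "vulnerable":
        return {"post-quantum": "OK", "unknown": "REVIEW"}[fam]
    # Recorded ciphertext only matters for confidentiality uses, not signatures.
    hndl = entry.use in ("key-exchange", "encryption")
    return "P1" if hndl and entry.confidential_until >= DISALLOW_YEAR else "P2"

def roadmap(inventory):
    """Order entries P1, P2, REVIEW, OK; longest-lived data first within a tier."""
    order = {"P1": 0, "P2": 1, "REVIEW": 2, "OK": 3}
    ranked = sorted(inventory, key=lambda e: (order[tier(e)], -e.confidential_until))
    return [(tier(e), e.system, e.owner, e.algorithm) for e in ranked]

# Constructed sample inventory (not real systems or vendors).
INVENTORY = [
    CbomEntry("card-tokenizer", "internal", "ML-KEM-768", "key-exchange", 2045),
    CbomEntry("core-banking-api", "vendor-a", "RSA-2048", "key-exchange", 2040),
    CbomEntry("statement-signing", "internal", "ECDSA-P256", "signature", 2027),
    CbomEntry("branch-vpn", "internal", "ECDH-P256", "key-exchange", 2028),
    CbomEntry("legacy-hsm-link", "vendor-b", "proprietary-v2", "encryption", 2050),
]

if __name__ == "__main__":
    print(*roadmap(INVENTORY), sep="\n")
```

The `owner` column in the output shows which findings need a vendor conversation rather than an internal change.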
As the countdown to quantum computing continues, it is essential for organizations to begin this journey now. Boards are becoming increasingly aware of the risks associated with AI and cyber resilience, and soon, quantum vulnerability will join this conversation. Chief Information Security Officers (CISOs) who can demonstrate clear visibility of cryptographic exposure—with a comprehensive inventory and transition plan—will be well-positioned when regulators and board members inevitably inquire about post-quantum preparedness.
The standards are established, guidelines are laid out, and the critical question remains: are financial institutions adequately preparing to meet these expectations? As the clock ticks down, the time for action is now.

