Managing the quantum computing risk in financial services
Quantum computing is no longer science fiction. It’s a very real technology that financial services organisations can experiment with today. And it’s one that holds many significant opportunities for the industry, from optimising investment allocation to improving risk assessment, as we explored in our recent report with UK Finance.
But with any new technology come new risks, especially in a sensitive industry like financial services. And the complexity of quantum computing makes its risks particularly daunting. Nevertheless, the opportunities are too vast to miss out on due to fear, so leaders must properly address the risks to support and prepare their firm.
Using our experience of working with various industries to explore the opportunities of quantum technology, we’ve identified three key risk areas financial services leaders need to understand and respond to today.
1. The encryption cliff risk
With quantum computers predicted to break many of our current encryption standards by 2030 (and possibly as soon as 2025), there’s a real risk of our digital world falling off an encryption cliff, where everything becomes unsecure almost all at once. In the UK, both the National Cyber Security Centre (NCSC) and FCA have recognised this threat and outlined the need to plan for the threat that quantum attacks could pose.
Risk leaders, particularly within information security, must consider the encryption cliff as part of long-term IT development plans to identify necessary future changes. Key to this will be keeping an eye on the National Institute for Standards and Technology (NIST), which should publish standards for quantum-safe-cryptography between 2022-24.
Yet forward-thinking risk leaders can get ahead of the curve by exploring the potential of quantum computing today. To do so, they should:
- identify any high value and persistently sensitive data the organisation must keep in a long-term secure state
- catalogue how they currently protect this data and how it interacts with internal and external cryptographic infrastructure
- evaluate the possible impact of emerging quantum cryptography – for example, could the emergence of standards for quantum-safe-cryptography increase the pace of legacy IT replacement?
- consult their technology partners to understand their quantum cryptography roadmap and ensure it meets with the needs of the organisation
- identify whether the organisation will need to replace existing technology sooner than planned to ensure appropriate budget resource allocation.
2. The technology novelty risk
With quantum computing still very new, there are inherent risks in how it currently runs. Quantum computers require large refrigeration units or other bulky technology like lasers, making them difficult to embed on-premises. And as they’re so new, they still cost millions of dollars. That means most firms are testing the technology through cloud services, buying processing time from providers such as DWave, IBM, Amazon or Microsoft.
As in all instances where there is a reliance on external providers, risk leaders will need to evaluate their guidance for managing and controlling data in a third-party environment and assess whether it’s appropriate for a quantum cloud environment. Guidance must manage risk without preventing innovation.
So, think of quantum computing as an innovation opportunity. For innovation to progress, innovation leaders need to identify, consult and inform stakeholders so they’re part of the transformation and are ready to support initiatives with the potential to create value. This means developing a communication and briefing plan that encourages contributions that support the transformation.
3. The Black Box risk
Quantum computing will be excellent for solving very complex problems where there are a wide range of possible outcomes, such as insurance. As with artificial intelligence (AI), the nature of quantum computing and its programming makes it difficult to understand exactly how an output comes about. People can’t monitor quantum calculations without disrupting the quantum effects the computer relies on.
Risk leaders will need to work with technical and ethics experts to evaluate whether quantum computing can limit bias by considering the ethical benefits that can be derived from increased accuracy of computational outcomes. This can be achieved by expanding AI ethics policies to capture the new challenges and risks of quantum computing. Using known good models, risk leaders should provide guidance to software developers and testers to enable the creation of test cases that challenge the computing outcome and help the determination of whether the outcome is within the expected ethics and risk boundaries.
Risk leaders must manage the quantum computing risk
Quantum computing promises to be a significant and exciting opportunity for financial services firms. But risk leaders will have an important part to play in helping manage the risks to their firms. By experimenting with quantum computing and proactively preparing for the risks today, firms will be ready to seize all the opportunities that arise as quantum computing rapidly advances over the next decade.