The advent of quantum computing, which might make existing encryption techniques outdated, presents a serious risk to the financial sector.

Moody's Ratings has released a study emphasizing the pressing necessity of switching to Post-Quantum Cryptography (PQC), which is expected to be a costly and time-consuming procedure.

Recently, the US National Institute of Standards and Technology (NIST) released data encryption standards that have been finalized and are resistant to the capabilities of quantum computers.

These new rules are essential to safeguard government secrets and intellectual property against the exponentially quicker calculations enabled by quantum physics.

Quantum computing: Positive advancements but a costly reality

While McKinsey estimates benefits of up to US$1.3tn in value through 2035 for only four of the first affected industries, quantum improvements are poised to revolutionize computing. However, they also represent a serious challenge to existing encryption systems.

The main problem is that public-key cryptography, or asymmetric encryption, which has been a computer standard since the 1970s, is vulnerable. This type of encryption is frequently used in email correspondence, file transfers, point-of-sale systems for credit cards, instant messaging, and Internet of Things device connection.

The paper notes that "challenges in error correction, scalability, talent shortages and limited computing power currently mitigate quantum computing's threat to asymmetric encryption."

But within five to thirty years, researchers predict, quantum computers will be able to crack asymmetric encryption.

The implications of this discovery might be extensive. According to US International Trade Administration projections, by 2027, worldwide e-commerce would reach a value of US$41.7 trillion annually.

These streams would be jeopardized if confidence in online transactions was eroded. In addition, it is possible to alter GPS signals and air traffic systems, which might put lives in jeopardy.

Two methods have been developed by cryptographers to tackle this threat: Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD). The latter is preferred and includes the standards certified by NIST. PQC is already being used by a number of IT businesses as a defense against "harvest now, decrypt later" assaults.

Making the switch to PQC, though, won't be easy. According to US experts, it may take ten to fifteen years to widely apply new cryptographic standards across devices.

Hard-to-reach hardware, like satellites in orbit, and difficult-to-update gear, like vehicles and ATMs, hinder the task.

Although it is difficult to assess the cost of this change, there are similarities to the measures made to mitigate the Y2K issue.

The US government projected that the cost of Y2K preparations would be US$100 billion (US$189 billion in 2024 values) for the US economy as a whole. According to reports, several businesses invested hundreds of millions of dollars in their Y2K initiatives.

Post-quantum transition: Danger of reduced performance

Reduced performance will be another obstacle in the post-quantum transition path. The research states that "lengthier encryption key sizes and more intricate mathematical operations increase the time it takes to encrypt or decrypt data."

Due to this complexity, the already acute skills shortage in the industry will be exacerbated by the need for highly qualified IT experts.

Organizations with limited resources and outdated systems, such as some entities involved in vital infrastructure, could have more difficulties while implementing PQC.

"PQC usually places greater demands on devices and networks than traditional asymmetric encryption," the UK's National Cyber Security Centre advises.

The fintech sector has to move quickly in spite of these obstacles. "Experts recommend swift adoption of quantum-resistant algorithms given the risk that bad actors may harvest sensitive data now to decrypt later," the research emphasizes.

To assist organizations in making the shift to a post-quantum world, the US Cybersecurity and Infrastructure Security Agency (CISA) has published guidelines.

These include decommissioning outdated equipment that will not support PQC, testing new PQC algorithms in a lab setting, inventorying computer systems for applications that require asymmetric encryption, and informing staff members about the shift.

"The overhaul needed to transition to PQC will be unprecedented, and is analogous in some respects to shifting power generation away from fossil fuels to sustainable energy sources," the Moody's assessment warns the fintech sector as it prepares for this looming challenge.