From Awareness to Action: Financial Regulators on Quantum Security Readiness

Quantum computing is poised to revolutionize industries, including finance, by enabling breakthroughs in complex problem-solving, optimization, and data processing. However, alongside these advancements comes a significant cybersecurity challenge—the potential to break widely used encryption protocols that safeguard financial transactions, sensitive customer data, and regulatory compliance frameworks. The emergence of quantum threats, particularly the risk of "Harvest Now, Decrypt Later" attacks, means that encrypted data stolen today could be decrypted in the future when quantum computers become powerful enough.

This poses a significant risk to financial institutions, as breaches could expose confidential information, disrupt operations, and undermine trust. Recognizing the urgency of this threat, regulatory bodies worldwide are stepping in to provide guidance, urging financial institutions to assess their cryptographic resilience and initiate a transition toward quantum-safe security solutions. Two recent regulatory initiatives highlight this urgency: Singapore’s Monetary Authority of Singapore (MAS) advisory and Israel’s banking cybersecurity directive. While both emphasize the need for quantum preparedness, their approaches differ.

Singapore’s MAS Advisory: A Strategic, Awareness-Driven Approach

MAS issued its advisory in February 2024 to encourage financial institutions to prepare for proactive assessment and mitigation quantum risks. The key measures suggested by the advisory are covered under three headlines as given below:

Keeping abreast of the latest developments in quantum computing, and raising awareness of the associated cybersecurity risks (Section 3 a, b, c and d)

In summary these sections say that, the financial institutions must proactively address quantum cybersecurity risks by:

• Monitoring Developments – Continuously track advancements in quantum computing that could impact cybersecurity and explore mitigation strategies like PQC and QKD.

• Raising Awareness – Ensure senior management and key third-party vendors understand quantum threats and support the transition to quantum-safe security solutions.

• Assessing IT Supply Chain Risks – Work closely with third-party vendors to evaluate risks and require them to provide quantum-resistant solutions when commercially available.

• Industry Collaboration – Engage with industry groups, research organizations, and ISACs to exchange insights and collectively mitigate systemic quantum risks.

Maintaining an inventory of cryptographic assets, and identifying critical assets to be prioritized for migration to quantum-resistant encryption and key distribution (Sections 3 e, f, and g)

In summary these sections say that financial institutions must proactively manage cryptographic assets for quantum security by:

• Maintaining an Inventory – Identify and track cryptographic solutions, including algorithms, key lengths, ownership, and their associated systems or applications.

• Prioritizing Critical Assets – Classify IT and data assets based on sensitivity, criticality, and risk exposure to focus mitigation efforts on the most vulnerable systems.

• Assessing Crypto-Agility – Evaluate existing system infrastructures for their ability to support quantum-resistant encryption and plan necessary upgrades to ensure a smooth transition.

Developing strategies and building capabilities to address cybersecurity risks associated with quantum (Sections 3 h, i, j and k)

In summary these sections say that financial institutions must develop strategies and capabilities to address quantum cybersecurity risks by:

• Building Technical Expertise – Train staff with the necessary skills to support the transition to quantum security solutions.

• Updating Policies and Standards – Review and adapt internal policies, standards, and procedures to align with quantum security requirements.

• Mitigating Non-Migratable Assets – Develop risk management strategies for assets that cannot transition to post-quantum cryptography and plan for early threat scenarios.

• Exploring Quantum Security Solutions – Conduct proof-of-concept trials to assess the impact, challenges, and feasibility of quantum security solutions before full-scale adoption.

MAS recommends, but does not mandate, that institutions perform cryptographic inventory assessments, engage in industry collaboration, and begin exploring PQC and quantum key distribution (QKD). This advisory serves as a strategic guideline rather than a strict regulatory requirement.

Israel’s Banking Directive: A Prescriptive, Compliance-Driven Approach

This directive, issued in January 2025, from the Supervisor of Banks outlines critical steps for banking corporations and licensed payment service providers to prepare for cyber risks associated with quantum computing. This directive to Prepare the Banking System for the Quantum Computing Era are mainly covered in three sections 6, 7 and 8.

Raise awareness within the banking corporation, continuously monitor developments in quantum computing, and assess the associated cyber risks. (Section 6)

In summary section 6 says that banks must continuously monitor quantum computing developments, raise awareness of associated cyber risks, and integrate quantum considerations into risk management. This includes:

• Board & Management Awareness – Regularly inform leadership about quantum threats and the need for post-quantum security, with discussions at least every two years.

• Continuous Monitoring – Track advancements in quantum computing and quantum security solutions (PQC, QKD) while engaging with industry bodies and research institutions.

• Supply Chain Risk Management – Assess quantum risks in third-party relationships, ensuring key suppliers adopt quantum-resilient solutions and avoiding dependencies on unprepared vendors.

Mapping and Managing Encrypted Information Assets (Section 7)

In summary section 7 says that banks must map and manage encrypted information assets to assess quantum security risks and plan for future quantum-safe encryption. This includes:

• Mapping Encrypted Data at Rest – Identify encryption algorithms, key lengths, data owners, associated systems, data retention periods, and sensitivity levels, particularly considering "Harvest Now, Decrypt Later" risks.

• Mapping Encryption in Transit – Identify processes and systems using asymmetric encryption when communicating with external entities.

• Mapping Externally Stored Encrypted Data – Track asymmetrically encrypted information stored outside the organization, including cloud environments, backups, and potential data leaks.

Readiness for the development of skills and capabilities to address cyber risks related to quantum computing (according to developments in the field). (Section 8)

In summary section 8 says that banks must develop skills and infrastructure to address quantum-related cyber risks by:

• Employee Training – Preparing staff for the transition to quantum-safe security solutions.

• Testing Environment – Establishing labs for evaluating quantum security solutions.

• Infrastructure Assessment – Evaluating existing systems for post-quantum encryption readiness.

• Algorithm Transition Planning – Ensuring a smooth migration from vulnerable to quantum-resistant encryption.

• Policy & Procedure Updates – Identifying and revising policies to align with post-quantum security requirements.

• Alternative Solutions – Planning for systems that cannot transition or in case of earlier-than-expected quantum threats.

This directive mandates that banks must proactively address quantum-era cyber risks, particularly encryption-breaking threats. It requires developing an initial preparedness plan that outlines quantum risks, encryption challenges, and mitigation strategies, ensuring board-level review and approval. Additionally, banks must complete the mapping of encrypted assets to meet regulatory compliance and submit the finalized plan to the Banking Supervision Department’s Technology, Innovation, and Cyber Division within one year.

Shifting approach to quantum safe migration preparedness by financial regulators

Overall, both the MAS Singapore Advisory and Israel’s Banking Directive look similar in the content with some minor differences. However, the MAS Singapore Advisory published in February 2024, offers non-mandatory strategic guidance, while the Israeli Banking Directive published in January 2025, enforces regulatory compliance, signaling the urgency of addressing quantum risks.

These two approaches reflect changing regulatory philosophies. Singapore’s MAS emphasizes awareness and voluntary action, allowing institutions to determine their own pace. Israel’s directive, however, enforces strict timelines and compliance measures, ensuring rapid action toward quantum readiness. Mandatory board discussions, cryptographic inventories, supply chain risk assessments and one-year compliance deadline in Israel emphasize proactive governance and push for swift action.

What This Means for Financial Institutions

Financial institutions should take these regulatory developments as a call to action. Whether through voluntary guidance or strict compliance measures, the message is clear: quantum threats are real, and proactive steps are necessary today to secure financial systems against future risks. Organizations must assess their cryptographic resilience, engage with industry peers, and begin transitioning to quantum-safe security solutions before quantum computers render traditional encryption obsolete.

Is your organization preparing for quantum threats? Let’s discuss!