Moody’s: Fintech Industry Set for Costly Encryption Overhaul

A new report from Moody’s Ratings suggests the threat of quantum computing could make current encryption methods obsolete

The fintech industry is facing a significant challenge as the threat of quantum computing looms on the horizon, potentially rendering current encryption methods obsolete. 

A recent report from Moody's Ratings highlights the urgent need for a transition to Post-Quantum Cryptography (PQC), a process that promises to be both lengthy and expensive.

The US National Institute of Standards and Technology (NIST) has recently unveiled finalised data encryption standards designed to withstand the power of quantum computers. 

These new standards are crucial for protecting intellectual property and classified government documents from the exponentially faster calculations made possible by quantum mechanics.


Quantum computing: Positive advancements but a costly reality

While quantum advancements are set to revolutionise computing, with McKinsey estimating gains of up to US$1.3tn in value through 2035 for just four of the earliest affected industries, they also pose a significant threat to current encryption techniques.

The crux of the issue lies in the vulnerability of asymmetric encryption, also known as public-key cryptography, which has been a computing standard since the 1970s. This form of encryption is widely used in instant messaging, emails, file transfers, credit card point-of-sale systems and device communication through the Internet of Things.

“Quantum computing's threat to asymmetric encryption is currently mitigated by challenges in error correction, scalability, talent shortages and limited computing power,” the report states. 

However, experts believe that quantum computers will be able to break asymmetric encryption within five to 30 years.

The potential consequences of this breakthrough are far-reaching. The US International Trade Administration projects that global e-commerce will grow to US$41.7tn a year by 2027. 

If trust in online transactions is compromised, these flows would be at risk. Moreover, air traffic systems and GPS signals could be manipulated, potentially endangering lives.

To counter this threat, cryptographers have proposed two solutions: Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC). The latter is favoured and encompasses the NIST-approved standards. Several tech companies have already begun adopting PQC as a countermeasure against "harvest now, decrypt later" attacks.

The transition to PQC, however, will be no small feat. US officials estimate that it could take 10 to 15 years to implement the new cryptographic standards widely across devices.

The effort is complicated by hard-to-reach devices, such as satellites in orbit, and hardware that is difficult to update, like cars and ATMs.

The cost of this transition is challenging to estimate, but parallels can be drawn with the Y2K bug mitigation efforts. 

The US government estimated the cost to the entire US economy at US$100bn (US$189bn in 2024 dollars) for Y2K preparations. Some companies reportedly spent hundreds of millions of dollars on their Y2K efforts.

Post-quantum transition: Danger of reduced performance

Another hurdle in the post-quantum transition will be reduced performance. “Larger encryption key sizes and more complex mathematical operations increase the time it takes to encrypt or decrypt data,” the report notes. 

This complexity will require highly skilled IT technicians, adding to the already significant talent shortage in the field.

Organisations with legacy systems and constrained resources, including some critical infrastructure entities, may face greater challenges in transitioning to PQC. 

The UK's National Cyber Security Centre warns that “PQC usually places greater demands on devices and networks than traditional asymmetric encryption”.

Despite these challenges, the fintech industry must act swiftly. As the report emphasises: “Given the risk that bad actors may harvest sensitive data now to decrypt later, experts recommend swift adoption of quantum-resistant algorithms”.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released guidelines to help organisations transition to a post-quantum environment. 

These include inventorying computer systems for applications that use asymmetric encryption, testing new PQC algorithms in a lab environment, decommissioning old technology that will not support PQC and educating employees about the transition.

As the fintech industry grapples with this impending challenge, the Moody's report serves as a stark reminder: “The overhaul needed to transition to PQC will be unprecedented, and is analogous in some respects to shifting power generation away from fossil fuels to sustainable energy sources”.


FinTech Magazine is a BizClik brand.
