FINRA: Quantum Computing and Its Impact on the Securities Industry
The study was conducted by FINRA's Office of Financial Innovation, part of the recently created Office of Regulatory, Economics and Market Analysis. FINRA initiated the research program to bring attention to the opportunities and risks presented by the technology before the securities industry accelerates.
"We look forward to working with the securities industry to understand the impact that quantum computing may have on the financial markets." Haimera Workie, FINRA's vice president and director of the Office of Financial Innovation, said, "From the ways in which this technology can advance the industry to the threats it may pose, it is important that we work together to consider the impact of this technology. This research and the work we are doing to better understand the impact of quantum computing on the securities industry will help FINRA continue its mission of protecting investors and market integrity as the technology evolves."
Potential Applications of Quantum Computing in the Securities Industry
In recent years, several major financial institutions have viewed quantum computing as a technology that has the potential to dramatically disrupt the securities industry over the next decade, and while only 1% of firms reportedly budgeted for quantum-related spending in 2018, according to some estimates, as many as 20% of firms could do so in some form by 2023: an investment of up to $850 billion is projected over the next 30 years .
While the timeline for the development of quantum computing is uncertain, it has the potential to reshape the financial services industry, bringing new capabilities and challenges to firms.
The FINRA report identifies at least three potential areas where quantum computing could have a significant impact on the securities industry: optimization systems, simulation systems and artificial intelligence (AI):
- Quantum computing has the potential to efficiently analyze and process large volumes of financial results in real time, enabling financial institutions to enhance optimization systems for trade execution, trade settlement and portfolio management.
- The technology could also allow firms to better understand and account for the uncertainty associated with market activity, enabling them to run simulations that may not be possible on traditional computers. With quantum computing, risk assessments that may currently take days can be completed in hours, or even close to real time.
- Quantum computing is seen as a potential gas pedal for artificial intelligence, which has become an important topic and tool in the industry. Quantum AI has the potential to increase the ability to process and analyze large data sets, while also introducing new risks.
Threats to financial cybersecurity
The financial services industry relies heavily on encryption to protect digital information.
Whether it's securely storing a customer's personally identifiable information (PII), accessing the Internet via a virtual private network (VPN), or ensuring the integrity of a trade order placed via a mobile application, encryption algorithms play a central role in many of the financial industry's key functions. Whether it's securely storing a customer's personally identifiable information (PII), accessing the Internet via a virtual private network (VPN), or ensuring the integrity of a trade order placed via a mobile application, cryptographic algorithms play a central role in many key functions of the financial system.
These algorithms are based on mathematical problems that take too long for today's classical computers to solve. For example, it would take a hacker using a conventional computer trillions of years to break the encryption of Internet-based communications such as VPNs.
Quantum computing is uniquely positioned to provide a simplified way to break today's standard encryption protections in the future. This is possible because quantum computing can utilize specialized algorithms that greatly reduce the time required to solve the math behind today's encryption. At a high level, this solution works because quantum computers use stacked quantum bits to look at multiple potential solutions to an algorithm at the same time (i.e., quantum parallelism) and choose the right one.
Encryption is widely recognized as a major vulnerability to quantum attacks on businesses. This is because quantum computers are able to utilize algorithms to degrade the performance of certain security methods, such as asymmetric-key cryptography (a system that uses different private/public key pairs between the sender and receiver for encryption), hashing (a system that uses an algorithm to scramble a message of any size into an encoded fixed-length value), and symmetric-key cryptography (a system that uses a shared private key between the sender and the receiver (a system that performs encryption):
- Shor's algorithm.Shor's algorithm is particularly effective in solving the mathematical aspects of asymmetric-key encryption.Shor's algorithm provides an exponential speedup advantage for quantum computers to break the computations of asymmetric-key encryption. Hackers can use the Shor algorithm to devise attacks on encryption standards such as RSA (Rivest-Shamir-Adleman) - the universal standard for securing data transmission.
- Grover's algorithm.Grover's algorithm is not suitable for cracking asymmetric-key cryptography; instead, hackers can use it to provide the so-called quantum acceleration advantage in cracking symmetric-key cryptography and hashing algorithms, i.e., the time to find a possible solution is greatly reduced. Hackers can also use the Grover algorithm to weaken standards such as the Advanced Encryption Standard (AES), which is commonly used to protect sensitive data.
Quantum attacks pose the greatest potential threat to asymmetric-key encryption, given the clear speedup advantage of the Shor algorithm. While the Grover algorithm may be improved, as it stands, symmetric-key encryption and hashing algorithms are still generally considered resistant to quantum attacks.
Corporate Considerations of Quantum Resistance
Almost every company uses encryption for their data (both storage and transmission). In addition, cryptography is the basis for securing more than 90% of Internet connections and plays a key role in blockchain platforms. Cryptography can play a key role in an organization's data security architecture in a number of ways, including securing communication links with customers and other businesses, verifying identity (including through the use of digital signatures or authentication), and securing sensitive information.
As a result, some companies have begun to explore the possibility of upgrading their cryptographic security in light of the potential damage that could be caused by any future quantum attacks, and given the time it may take to finalize a new set of cryptographic algorithms, implement them into a company's hardware and software stacks, and adequately train personnel.
Given all the issues involved in designing and implementing a new standard, the road to quantum resistance could include a series of steps that take years. The National Academy of Science (NAS) has stated that it would take at least a decade to fully replace a widely used encryption standard, and that would come after the already lengthy PQC design and standardization process is complete. After NIST finalizes its new suite of algorithms, these options may be considered for wider standardization for public infrastructure, such as the Internet.
A number of companies have begun to monitor the progress of encryption updates aimed at providing stronger protection through quantum-resistant encryption. Potential factors to consider include re-encrypting sensitive data or re-signing documents while destroying older versions. The steps to achieve quantum resistance can be involved and complex, and may have an impact on operational performance.
With this in mind, a number of standards development organizations have begun to specify the steps to achieve quantum resistance. Notable are the guidelines from the National Institute of Standards and Technology (NIST) and the European Telecommunications Standards Institute (ETSI), which is a non-profit standardization organization in the field of information and communications.
- ETSI Guidelines. In a technical paper released in 2020, ETSI lists three main steps to achieve the Fully Quantum Secure Cryptographic State (FQSCS). The second step is to redesign or phase out assets, adopting quantum-secure or classical algorithms as needed and adopting a flexible stance to upgrade when appropriate. The third step is the implementation phase, where the transition is managed through simulations and exercises to ensure that nothing is missed during the initial inventory and planning phase.
- NIST Guide. The National Cybersecurity Center of Excellence (NCCoE), which is part of NIST, has released a publication detailing the potential steps and challenges associated with migrating to PQC to raise awareness. The publication assesses the quantum risks and complexities involved in critical asset migration and lists migration planning considerations, some of which mirror ETSI's report, including an inventory of how passwords are used in the enterprise to understand how to develop a migration plan.
Since then, NCCoE has worked with public and private stakeholders to continue to raise awareness and develop processes for migration plans.
Regulatory Considerations for Quantum Computing
According to the report, companies considering whether to adopt quantum computers or considering the potential threats posed by quantum computing are likely to consider four key regulatory issues:
cybersecurity, third-party vendor outsourcing, data governance, and supervisory controls. Cybersecurity issues can be particularly challenging for companies because quantum computing technology has the potential to challenge the encryption safeguards currently in use.
Firms may also wish to consider how the use of quantum computing could affect their obligations under FINRA Rule 4370, which requires firms to create and maintain written BCPs identifying policies and procedures for responding to emergencies or other significant business disruptions. The rule provides that such policies and procedures must be reasonably designed to enable the firm to fulfill its existing obligations to customers, counterparties and other broker-dealers.
Developments in quantum computing may pose risks to existing encryption methods. Accordingly, depending on the nature of future developments in quantum computing, firms may wish to consider appropriate BCP-related safeguards or contingency plans, with particular emphasis on mission-critical functions.
This report does not provide an exhaustive list of all factors and regulatory issues associated with the use of quantum computing, nor does it propose new legal or regulatory requirements or new interpretations of existing requirements.
FINRA is currently seeking comments from firms, market participants, and others exploring quantum computing while maintaining investor protection and market integrity. The deadline for comments is March 15, 2024.
About FINRA
FINRA is a nonprofit organization dedicated to investor protection and market integrity. Supervised by the U.S. Securities and Exchange Commission, FINRA is responsible for making rules, examining and enforcing FINRA's rules and the federal securities laws, registering broker-dealer personnel, providing them with education and training, and providing information to the investing public. In addition, FINRA provides supervisory and other regulatory services for the stock and options markets, as well as transaction reports and other industry utilities. FINRA also provides a dispute resolution forum for investors and brokerage firms and their registered employees.
For more information, visit www.finra.org
[3]https://www.finra.org/rules-guidance/key-topics/fintech/report/quantum-computing
