G7 Cyber Experts Warn Financial Sector: Prepare Now for Quantum Computing’s Opportunities and Threats
September 2024 – A recent statement by the G7 Cyber Expert Group (CEG) – an advisory panel to G7 finance ministries and central banks – sounds a dual alarm and call to action on quantum computing. In a memo released in late September, the group highlights quantum computing as both a revolutionary opportunity and a looming cyber risk for the financial system. The CEG’s message is clear: while quantum technology promises unprecedented computational power that could transform finance, it also threatens to upend the cryptographic foundations of cybersecurity. Financial institutions are urged to act now to harness the benefits and mitigate the risks before it’s too late.
The G7 experts frame quantum computing as a double-edged sword for banks and markets – a technology that offers immense potential gains even as it introduces new perils. On the upside, next-generation quantum computers could supercharge financial operations. The memo notes that quantum’s speed and power might “optimize market trading, investment processes – including those for risk management – internal operations, and prediction strategies”. It could enable more efficient payment systems and portfolio optimization, and even bolster security through technologies like quantum key distribution, which can harden communications against eavesdropping. In short, quantum computing might unlock faster analytics, smarter algorithms, and new tools for financial innovation that today’s classical computers cannot handle.
However, the perilous side of this innovation is equally emphasized. As quantum capabilities mature, they could be weaponized by malicious actors. The G7 group warns that the very power enabling quantum breakthroughs can “provide an opportunity for nefarious actors to exploit the technology for malicious purposes”, potentially creating severe organizational and systemic risks in finance. In particular, a fully capable quantum computer would imperil the cryptographic algorithms that underpin everything from online banking transactions to inter-bank communications. Encryption – the bedrock of digital finance – is at stake. The statement bluntly notes that future cyber threat actors “could use the unique properties of quantum computers to… defeat certain cryptographic techniques used in secure communications, potentially exposing financial institution data including customer information”. In other words, the very codes that keep financial data confidential might one day be cracked open by quantum attacks.
One especially sobering risk highlighted by the G7 memo is the “harvest now, decrypt later” threat. Even before quantum computers are fully operational, adversaries may be stealing encrypted data today and stockpiling it, betting that quantum decryption capabilities in the near future will allow them to read it. The statement cautions that hostile actors “may be implementing a ‘harvest now, decrypt later’ scheme to intercept confidential data now with the intent of decrypting it once quantum computers become more capable and widely available”. This means sensitive financial information being transmitted securely at this moment – from bank customer records to payment transactions – could be captured and held by attackers, only to be unscrambled once a quantum machine strong enough to break the encryption comes online. The consequences would be far-reaching, undermining customer privacy and organizational integrity. Industry experts echo that this is “not a future problem, but an immediate problem”, stressing that every organization should already be evaluating which secrets and data would be most at risk if decrypted by 2030. The G7’s urgent point: the quantum threat to current encryption isn’t theoretical or distant – the clock is already ticking.
Perhaps the most direct element of the G7 Cyber Expert Group’s statement is its call to immediate action. Despite uncertainty about exactly when a powerful quantum computer (sometimes dubbed “Q-Day”) will arrive – it could be a decade or more, or it could surprise us sooner – the consensus is that preparing for it will be a massive, time-consuming effort. “An operational quantum computer… is viewed as increasingly possible within a decade,” the memo states, “although its capability to undermine existing cryptography… remains uncertain”. Critically, the group warns that coordinating the necessary defenses and upgrades across the financial sector will take many years. “Given the long lead time,” the G7 memo urges, “entities should ready themselves to handle impending threats as soon as possible.” In plain terms: the quantum countdown has begun, and every bank, exchange, insurer, and financial player should start planning now, not later, to be prepared in time.
What should that planning entail? The G7 Cyber Expert Group outlines a high-level roadmap for financial institutions to build quantum resilience. The recommended steps include:
- Educate and Assess – Develop a deep understanding of quantum computing and its attendant risks, especially cryptographic vulnerabilities, within your organization. This means engaging experts, vendors, and internal teams to stay informed about quantum advancements and threat timelines. Boards and executives should be made aware that quantum risk is a real (if still developing) issue, and that planning for it is part of prudent risk management. Firms might conduct scenario exercises or consult with quantum scientists to grasp how, for example, a broken encryption algorithm could impact their specific operations.
- Inventory and Prioritize – Assess your exposure to quantum-related risks in every area of responsibility. Concretely, this involves identifying where and how your organization uses cryptography today. The G7 memo suggests that more advanced entities “begin to inventory critical data and current cryptographic technologies in use” across their systems and those of key third-party providers. This cryptographic inventory will reveal which applications, databases, or communications are protected by potentially vulnerable algorithms (like RSA, ECC, Diffie-Hellman), and which sensitive data would be most damaging to see decrypted. With this map in hand, firms can prioritize: which systems or data channels should get quantum-safe upgrades first? The statement notes that some firms may start this formally, while others might simply begin with high-level discussions with IT leadership to scope the problem. In either case, the end goal is the same – know your weak points before attackers do.
- Plan and Mitigate – Develop a concrete plan to mitigate quantum risks, instituting governance and allocating resources for the transition. The G7 experts advise establishing clear ownership of the issue (e.g. a quantum readiness taskforce), setting milestones, and aligning this plan with estimates for when quantum threats could materialize. A key part of the plan will be the “orderly replacement of vulnerable technologies with those that are quantum resistant”. In practice, this might mean scheduling upgrades of cryptographic libraries, purchasing hardware that supports new algorithms, and ensuring vendors will offer PQC-compliant solutions. The statement even points to a Quantum Readiness Guide from the Canadian government as a helpful resource for organizations to chart their path. The overarching idea is proactivity: don’t wait for panic on the eve of Q-Day, but rather start budgeting, experimenting, and rolling out quantum-safe measures now in a phased manner.
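
The inventory-and-prioritize step above, as an added example that is not from the G7 memo or this article: it tags each inventoried use of cryptography with the public-key family the article names (RSA, ECC, Diffie-Hellman) and ranks "harvest now, decrypt later" exposure first. The inventory records, field names, tier scheme and the 2030 planning horizon are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Public-key families the article lists as potentially vulnerable.
VULNERABLE_FAMILIES = {
    "RSA": re.compile(r"^RSA", re.I),
    "ECC": re.compile(r"^(EC|ED|X25519|X448)", re.I),  # ECDSA, ECDHE, Ed25519, ...
    "DH": re.compile(r"^(DH|FFDHE)", re.I),
}

@dataclass
class Asset:                 # hypothetical inventory record
    system: str
    algorithm: str           # as reported by a scanner or the system owner
    purpose: str             # "key-exchange", "encryption" or "signature"
    secrecy_years: int       # how long the protected data must stay confidential
    third_party: bool = False

def family(algorithm):
    """Return the vulnerable family name, or None if not in the listed families."""
    for name, pattern in VULNERABLE_FAMILIES.items():
        if pattern.match(algorithm.strip()):
            return name
    return None

def triage(assets, as_of_year, horizon_year):
    """Tier 1: data captured today is still secret at the horizon (HNDL exposure).
    Tier 2: listed family, but a signature use or short-lived data.
    Tier 3: algorithm is not in the listed families."""
    rows = []
    for a in assets:
        fam = family(a.algorithm)
        hndl = (fam is not None
                and a.purpose in ("key-exchange", "encryption")
                and as_of_year + a.secrecy_years >= horizon_year)
        tier = 1 if hndl else 2 if fam else 3
        rows.append((tier, -a.secrecy_years, a.system, fam or "-", a.third_party))
    rows.sort()  # by tier, then longest secrecy requirement first
    return [(t, system, fam, tp) for t, _, system, fam, tp in rows]

INVENTORY = [  # constructed sample data
    Asset("customer-portal TLS", "ECDHE-P256", "key-exchange", 7),
    Asset("interbank file transfer", "RSA-2048", "encryption", 10, third_party=True),
    Asset("code-signing service", "ECDSA-P256", "signature", 0),
    Asset("archive database", "AES-256-GCM", "encryption", 25),
    Asset("internal VPN", "DH-2048", "key-exchange", 1),
]

if __name__ == "__main__":
    for row in triage(INVENTORY, as_of_year=2024, horizon_year=2030):
        print(row)
```

Moving `horizon_year` earlier or later shows how sensitive the tier 1 list is to the assumed arrival date of a capable quantum computer.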
Underpinning all these steps is a broader mandate for awareness and collaboration. The G7 group calls on financial authorities to work hand-in-hand with firms to raise awareness about the importance of transitioning to quantum-safe tech. It envisions ongoing dialogue between regulators, industry, tech companies, and international bodies to share insights and avoid duplication of effort.