Quantum computing is set to harness the laws of quantum mechanics to solve problems too complex for today’s classical digital computers. But will the rise of quantum computing increase cyber security risk?

Business concerns about quantum computing

The emerging quantum computing industry has already made enormous advances. As more organisations discover its potential, the global market is expected to hit US$50 billion by the end of this decade.1 Major technology companies such as Amazon, IBM, Google and Microsoft have launched commercial quantum-computing cloud services, and there are significant investments in new players such as Quantinuum and PsiQuantum.

But surveys suggest that businesses have concerns around cyber security and data protection from quantum computing.

What is quantum computing?

Quantum computers are designed to use quantum physics for computing, which introduces unprecedented capabilities over traditional computation methods. Quantum computing has the power to transform drug research, energy use, manufacturing, cyber security and communications, as well as AI applications, autonomous-vehicle navigation, and financial modelling.

Research by KPMG Australia shows that protecting data and dealing with cyber risks is viewed by C-suite executives and board members from private sector enterprises as a top challenge in 2024 – and for the next 3 to 5 years.2

In Australia, to address this quantum threat, the Australian Signals Directorate (ASC) are encouraging organisations to understand and make plans to transition to the use of Post-Quantum Cryptographic algorithms within their own environments.

The ASD have outlined planning considerations for post-quantum cryptography, including, an inventory of encryption, data value assessment, a transition plan for implementing PQC and decommissioning legacy cryptography, vendor engagement and education on the use of PQC.

Encryption is everywhere. As an immediate step, organisations need to understand their risk from the use of public key cryptography and how they value data in their environment. This will impact multiple systems and applications that are fundamental to business operation. The transition to a quantum resilient environment will take many years and multiple budget cycles, so the best strategy is to start understanding this risk now.

Michael Egan
Director – Quantum, KPMG Australia

KPMG in Canada surveyed 250 large corporations and found that around 60 percent of organisations in Canada and 78 percent in the US expect quantum computers to become mainstream by 2030.3 But as quantum computing proliferates, so do concerns about its potential impact on cyber security.

Most of the businesses surveyed were ‘extremely concerned’ about quantum computing’s potential to break through their data encryption. Sixty percent of respondents in Canada and 73 percent in the US believe ‘it’s only a matter of time’ before cybercriminals are using the power of quantum to decrypt and disrupt today’s cyber security protocols. At the same time, however, 62 percent of respondents in Canada and 81 percent in the US admit that they need to do a better job of evaluating their current capabilities to ensure their data remains secure3.

KPMG in Germany’s research in collaboration with Germany’s Federal Office for Information Security (BSI) showed that 95 percent of respondents believe quantum computing’s relevance and potential impact on today’s cryptographic security systems is ‘very high or high’, and 65 percent said the average risk to their own data security is ‘very high or high’. Only 25 percent of firms said the threat posed is currently being addressed in their risk management strategy.4

Planning for quantum computing risk

Quantum computers will be able to break common encryption methods at an alarming speed. Encryption tools currently used to protect everything from banking and retail transactions to business data, documents and digital signatures can be rendered ineffective – fast. Attacks using a ‘harvest-now, decrypt-later’ approach can enable adversaries to steal encrypted files and store them until more advanced quantum computers emerge. So, data with a long life time value, such as health data, financial records and government files will be of immediate interest to bad actors.

The level of preparation that organisations do today is expected to be critical to limiting exposure and vulnerability to emerging threats, making quantum risk planning a priority.

Businesses need to understand the quantum risk in order to take action in areas including:

  • web browsing
  • remote access
  • software
  • digital signatures
  • communication
  • crypto currencies.

Understanding the quantum-risk landscape

Organisations need to quickly understand the risk factors that quantum may pose to their business operations and security. Every organisation that holds and processes data should consider the lifetime value of the data that they use, and the impact of that data being used or misrepresented by bad actors. For example:

Sensitive organisational data

  • Highly confidential data held by military services, national intelligence, finance and government organisations.

Critical infrastructure providers

  • Organisations whose complex systems are critical to the functioning of communities, cities, states, and countries, including healthcare, transportation, utilities and telecommunications. Imagine, for example, the potentially disastrous impact of quantum disrupting the operation of a city’s sprawling power grid.

Long-life infrastructure providers

  • Organisations providing systems built to have a long life span for profitability, including satellite communications, payment terminals, Internet of Things (IoT) sensor networks and transportation. Whether data consists of customer information, medical records or government classified data, a breach can have catastrophic financial, reputational and legal consequences. And some organisations are currently unaware of cyber attackers already accessing and storing encrypted company data with the aim of decrypting it in the future, using a quantum computer.

Personal data handlers

  • Organisations managing personal data with a long confidentiality span are required by law to protect such data, including government, healthcare, financial firms and insurance organisations. They need to ensure protection over an extended period of 5, 10, 20 years or more.

Dr Michele Mosca has developed a theorem that suggests a pathway to consider in order to protect data and keep it quantum-safe.

Mosca’s theorem stresses the need for organisations to begin due diligence in the post-quantum space immediately. It states that the amount of time that data must remain secure (X), plus the time it takes to upgrade cryptographic systems (Y), is greater than the time at which quantum computers have enough power to break cryptography (Z).

Once organisations are aware of their risk environment, they should be in a position to prioritise activity and mitigate or eliminate risks. However, this may not be a quick or simple process and may take years for each organisation.

Managing technical debt, for example, can be a significant challenge for organisations relying on systems that will be incapable of running modern cryptographic profiles. There is now an opportunity to evaluate migration timelines and understand how long it will take to make infrastructure quantum resistant. To do this, organisations should understand the challenge and allocate budgets for both the mitigation and ongoing monitoring that the post-quantum world will require.

It’s critical that organisations not only prepare for the quantum threat in their long-term risk planning, but also strengthen data protection now to help minimise quantum’s potentially disruptive and costly impacts.

Quantum-specific legislation and regulation

As quantum emerges and organisations continue to explore and discover both its game-changing advantages and threats, new legislation and regulations are being developed. In 2022, a US law was passed that requires government agencies to take action in using post-quantum cryptography and encourages the private sector to follow suit7.

In December 2023, the National Institute of Standards and Technology (NIST) in the United States released two draft publications to guide organisations aiming to redefine their capabilities and combat potential quantum-based attacks. The documents Quantum Readiness: Cryptographic Discovery and Quantum Readiness: Testing Draft Standards for Interoperability and Performance outlines concrete issues and potential solutions when migrating to a new post-quantum cryptographic standard8.

The growing list of initiatives includes:

  • the Quantum Computing Cyber security Preparedness Act 2022, advising US federal organisations to prepare now for a post-quantum cyber security (PQC) world
  • National Security Memorandum on Promoting US Leadership in Quantum Computing While Mitigating Risk to Vulnerable Cryptographic Systems
  • White House Memorandum on Migration to Post-Quantum Cryptography
  • Monetary Authority of Singapore MAS/TCRS/2024/01: Advisory on Addressing the Cyber security Risks Associated with Quantum9
  • Quantum Security for the Financial Sector: Informing Global Regulatory Approaches, World Economic Forum in collaboration with the Financial Conduct Authority10.

As we see a global movement towards the identification of risks and requirements of secure quantum technology, further quantum-specific legislation, regulation and compliance is likely to follow.

When should companies implement quantum risk management?

The answer is now. While quantum computing may seem like a futuristic science fiction concept, the technology is poised to exert major consequences across today’s cyber security capabilities. KPMG believes innovation to protect against quantum cyber threats is needed without delay.

In the US, in 2014, the NIST released a draft of the NIST Cyber security Framework 2.0 (CSF 2.0) – a major update to the Cyber Security Framework (CSF)– to help organisations reduce cyber security risk. To be finalised and published in 2024, CSF 2.0 reflects changes in the cyber security landscape and will offer additional guidance on implementing the CSF11

The NIST has also chosen four encryption tools that it says are designed “to withstand the assault of a future quantum computer, which could potentially crack the security used to protect privacy in the digital systems we rely on every day12.” The four encryption algorithms will become part of NIST’s post-quantum cryptographic standard and all are expected to be finalised and ready for use in 202413

Meanwhile, improvements and standards in Quantum Random Number Generators14 (QRNGs), for entropy enhancement and randomisation, and Quantum Key Distribution15, a secure communication method for exchanging encryption keys only known between shared parties, also aim to harness the power of quantum technology and protect data.

It’s important to note that today’s post quantum solutions may create a false sense of security, as we do not know if the quantum algorithms considered resistant today will remain that way as quantum computers become larger and more effective. The danger is illustrated by the discovery of vulnerabilities in the NIST-selected encryption algorithm CRYSTALS-Kyber16.

How can organisations prepare for quantum computing risks?

Organisations can start to prepare for quantum threats by gaining a precise understanding of potential risks across their value chain. They should also identify methods to become more cryptographically agile in updating and deploying new cryptographic techniques as they become available. It’s also crucial to create end-of-life strategies for data, products and systems that will become obsolete or unable to support new cyber security requirements in a quantum-computing world.

Key questions as quantum evolves

  • How long does your data need to be secure and are you liable for its management?
  • What is the actual and reputational damage to your business in case of compromise by quantum computers?
  • How long will it take to increase your quantum resilience to an acceptable level?
  • Do you have an inventory of cyber security measures?
  • Are you liable for a third-party service or cloud provider and are they are moving to a quantum-safe environment?

Key actions to help mitigate quantum risks

  • Provide quantum impact awareness training, education and roadmaps to senior leadership.
  • Implement roadmaps and solutions to modernise cryptographic environments.
  • Provide guidance on investing in quantum-resistant technologies.
  • Develop contingency and mitigation plans to prevent a quantum attack.
  • Continuously monitor the fast-evolving quantum and security environment.

How KPMG can help with quantum risk

KPMG’s technology consulting specialists have extensive experience in cyber security and quantum technologies. By providing quantum risk assessments tailored to your business, we can help you understand specific threats posed by quantum technology.

We can help you prioritise at-risk data and systems, and develop a customised cyber security strategy into your long-term risk planning to assist with preparation for quantum threats.

Steps to quantum-secure encryption include:

  1. Discover: Identify cryptographic algorithms and protocols used to protect data and assets.
  2. Assess: Perform a risk assessment to identify quantum-vulnerable systems and assets.
  3. Manage: Prioritise remediation efforts and develop a remediation roadmap.
  4. Remediate: Implement mechanisms that enable crypto agility, and transition-vulnerable cryptographic systems to post-quantum cryptography based on priority.
  5. Monitor: Perform ongoing monitoring of remediation efforts and changes to the threat and regulatory landscape.

KPMG specialists are using our quantum readiness assessment methodology and innovative collaborations to help make a difference for clients. KPMG firms’ collaboration with IBM Quantum (Quantum Safe) and InfoSec Global allow us to begin understanding the cryptographic footprint/baseline and work towards remediation and potential digital solutions. KPMG specialists are here to help.



KPMG's quantum computing specialists

To arrange a quantum readiness assessment or learn more about quantum computing, get in touch.