Staying ahead of quantum computing risks
The quantum era threatens to make current cyber security measures obsolete, exposing sensitive data and critical infrastructure to unprecedented risks.
Quantum computing risk is not just a future consideration. Regulatory shifts such as the US Quantum Computing Cybersecurity Preparedness Act 2022 make quantum compliance an immediate imperative. Organisations need to consider the opportunities and threats that quantum computing presents to ensure they can remain competitive, secure and compliant.
In "Securing tomorrow: strategic compliance in the quantum age", we explain how the evolving quantum risk and regulatory landscape accelerates the need to prioritise resilience and compliance, and we introduce a framework that enables organisations to thrive in the quantum computing age.
Quantum computing: why it's time to act
Quantum will disrupt existing cryptographic systems.
Sensitive data with a lifespan of 10–15 years may already be at risk.
The economic impact of quantum computing could reach USD $1.3 trillion by 2035.
More than 20 billion digital devices will need updating or replacing in the next 10–20 years.
Adapting to new quantum computing legislation
Latest legislation such as the US Quantum Computing Cybersecurity Preparedness Act 2022 mandates transitioning US federal IT systems to quantum-resistant cryptography, setting a new global precedent. Businesses operating internationally and with the US need to adapt to new cyber security standards that consider the impacts of quantum computing, or risk being locked out of certain markets.
Post-Quantum Cryptography (PQC) standards have already been released. In August 2024, the US National Institute of Standards and Technology (NIST) released its first three finalised PQC algorithms for key encapsulation and digital signatures. These are ready to be used now. Dustin Moody, the head of the NIST PQC standardisation project, acknowledged that full integration will take time, so system administrators should act immediately.
Quantum compliance is imperative for market viability
Quantum compliance is rapidly becoming central not just to security but also to ensuring a competitive edge. Although movements towards quantum compliance are accelerating, many organisations face challenges in prioritising readiness and closing knowledge gaps – increasing their risk of non-compliance and vulnerability.
While quantum technologies are rapidly developing, the threat of 'Harvest now, Decrypt later' is real and immediate. With increasing legislation, together with long procurement and mitigation cycles, there is a need to act now.
A quantum security framework for compliance and resilience
KPMG has developed a comprehensive quantum security framework that helps organisations transition to quantum resilience and ensure they remain compliant, secure and ahead of the curve.
KPMG Quantum Care includes five phases:
Monitor phase
Perform ongoing monitoring of remediation efforts and changes to the threat and regulatory landscape.
Objective
The monitor phase seeks to achieve the following:
- Monitor risks identified from assessment
- Monitor cryptography used
- Monitor changes to the threat and regulatory landscape
Discovery phase
Identify assets and the cryptographic controls used to protect them.
Objective
The discovery phase seeks to achieve the following:
- Identify key technology group areas that are at risk
- Identify assets for each technology group
- Understand the classification of the asset and the information it processes
- Identify cryptography used for protection
Assess phase
Perform risk assessment to identify quantum-vulnerable assets.
Objective
The assess phase seeks to achieve the following:
- Perform a quantum risk assessment
- Develop a high-level remediation roadmap
- Develop a cryptographic inventory
Manage phase
Develop detailed remediation recommendations and enhance remediation roadmap.
Objective
The manage phase seeks to achieve the following:
- Develop detailed remediation recommendations
- Prioritise remediation actions
- Enhance remediation roadmap
Remediate phase
Uplift existing security controls and transition vulnerable cryptographic systems to Post-Quantum Cryptography (PQC).
Objective
The remediate phase seeks to achieve the following:
- Uplift existing security controls
- Implement cryptographic agility
- Implement Post-Quantum Cryptography
Quantum computing FAQs
- Why is quantum computing a cyber security risk?
  Quantum computing poses a significant cyber threat to current cryptographic algorithms, which rely on computational complexities that quantum computers may be able to solve in a matter of hours.
  Attackers may be able to manipulate documents through forged updates or fraudulent authentication, decrypt confidential historical data and alter legal documents undetected by counterfeiting digital signatures.
- Is quantum encryption already putting sensitive data at risk?
  Many state and criminal actors may already be harvesting encrypted data and storing it for decryption later, so delays in addressing vulnerable encryption technologies can increase the risk of data exposure and exploitation.
- Which industries are vulnerable to quantum computing threats?
  The quantum era threatens to make current cyber security measures obsolete and expose sensitive data and critical infrastructure across many industries. Examples include financial transactions and data, patient and pharmaceutical data in healthcare, national infrastructure, secure communications and technological innovations.
- How do quantum cyber threats affect blockchain and cryptocurrency?
  Quantum computing could potentially break common encryption methods at an alarming speed. These include the cryptographic processes used in blockchain technology and cryptocurrency. For example, quantum algorithms pose a risk to cryptographic hashing and the encryption used to protect individual wallets.
- How will quantum computing impact digital technology supply chains?
  Quantum computing exposes security weaknesses in supply chains, especially with the growing reliance on Software as a Service models. To reduce the quantum risks to supply chains, organisations need to secure their information through detailed contractual agreements and stringent assurance policies, ensure a thorough understanding of where critical ICT assets are located across the supply chain and update procurement to include quantum-resistant technologies.
How KPMG can help you become quantum safe
KPMG’s team of quantum and cyber security specialists help you assess and remediate your quantum risks and align with current and upcoming regulations to protect your organisation against emerging threats and gain a competitive edge. Contact us to learn more.