Seminal whitepaper highlights the case for and implementation of cryptographic agility to trust across the financial services sector
Reston, VA, US, October 8, 2024 – FS-ISAC, the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, today announced the release of a seminal whitepaper designed to help financial services institutions understand the challenges, elements and processes of building cryptographic agility in the face of emerging threat vectors like quantum computing.
The paper, titled Building Cryptographic Agility in the Financial Sector, is the first to define cryptographic (crypto) agility holistically for both business and technical audiences, with the goal of helping stakeholders across the sector grasp the necessity of crypto agility and define an approach that works for their institutions. The move to crypto agility must begin immediately because quantum computing is likely to make a commonly used class of cryptography algorithms insecure in the next few years, creating a risk of exposed data transmission or storage that would break the way business is conducted today.
“The financial services industry must take a leadership position in cryptographic agility, ensuring the sanctity and safety of data and storage as threats continue to evolve,” said Michael Silverman, Chief Strategy & Innovation Officer, FS-ISAC. “The goal of crypto agility is simple: to enable business continuity when existing cryptography is compromised or weakened. The transition to crypto agility is vital in maintaining the trust upon which the financial services sector is built and ensuring the safety of business operations in today’s complex, ever-evolving computing environment.”
The paper focuses on three key concepts: a framework for implementing crypto agility, an explanation of the challenges organizations may face implementing crypto agility and how to overcome them, and a set of insights on transition governance and architecture. Authored by FS-ISAC’s Post-Quantum Cryptography Working Group, composed of quantum subject matter experts from some of the largest global financial firms, the whitepaper explains that as the pace of technological change accelerates, crypto agility must be viewed as a long-term strategy, not a one-off implementation, in order to keep financial services firms secure and compliant for the long term.
The guidance is broken into two main sections:
- Why a Crypto Agile Approach to Infrastructure Change is a Security and Business Necessity, which defines and builds on prior work for a new comprehensive approach to crypto agility, testing crypto agility capacity, challenges of crypto agility migration and frameworks for successfully replacing insecure algorithms.
- Implementing Crypto Agility, which discusses the financial sector’s vision for adapting cryptographic schemes, implementation and governance considerations and process guidelines.
“Cryptographic agility is a critical success factor in the long-term journey to protect the world’s data from quantum and other emerging threats,” said Peter Bordow, FS-ISAC PQC Workgroup Chair & Distinguished Engineer / Managing Director of Quantum Security, Wells Fargo. “This paper is an extraordinary collaboration, combining the knowledge and experience of more than 30 quantum and security subject matter experts from the financial services sector, into a single artifact for both business and technical audiences.”
Jamie Gómez García, Banco Santander, Quantum Safe Financial Forum, added, “The transition to quantum-safe cryptography offers organizations a unique opportunity to strengthen their cryptographic management. Now is the time to anticipate future threats and embrace crypto agility, ensuring resilience in the face of evolving challenges.”
“The FS-ISAC cryptographic agility paper is an important steppingstone towards a successful transition from legacy cryptography to post-quantum cryptography,” stated Steve Stevens, Executive Director, Accredited Standards Committee X9 Financial Services. “This fits nicely into ASC X9’s work on the long-term sustainability of post-quantum cryptography standards.”
With the release of this paper, FS-ISAC continues to lead the charge in advancing cybersecurity and resilience in the global financial system, aligning its efforts with cross-border initiatives like the G7 Cyber Expert Group’s recent call to action on quantum computing risks, in which it urged the financial sector to monitor developments in quantum computing, promote collaboration among public and private stakeholders, and begin planning for potential risks posed by the emerging technology.
About FS-ISAC
FS-ISAC is the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, protecting the financial institutions and the people they serve. Founded in 1999, the organization’s real-time information-sharing network amplifies the intelligence, knowledge, and practices of its members for the financial sector’s collective security and defenses. Member financial firms represent $100 trillion in assets in 75 countries.
Contacts for Media
media@fsisac.com