MAS advisory on addressing quantum cybersecurity threats

In February 2024, the Monetary Authority of Singapore (MAS) issued an advisory to CEOs of financial institutions, urging them to address the cybersecurity risks associated with quantum.

MAS is the central bank and financial regulatory authority of Singapore. On 20 February 2024 it issued a circular to the CEOs of all financial institutions: Advisory on addressing the cybersecurity risks associated with quantum.

In the 3 page memo, MAS sets the scene by highlighting the recognised risks associated with the advent of quantum computers – specifically the threat posed to conventional asymmetric cryptography used widely in todays public key infrastructure.

The MAS advisory comprises two core recommendations:

Attain cryptographic agility
Implement quantum security

Crypto agility is essential if financial institutions are to effectively migrate away from a vulnerable state to more secure, post-quantum cryptography (PQC) without having a disruptive impact on their IT infrastructure. At the same time, MAS advocates for the inclusion of other quantum technologies, specifically QKD, to help further mitigate risk.

The advisory highlights three initiatives for CEOs to follow:

Keep abreast of the latest developments in quantum computing and raise awareness of of the associated cybersecurity risks.
Maintain an inventory of all cryptographic assets and identify priority assets for migration to a quantum-resistant state.
Develop strategies and build capabilities to address the cybersecurity risks associated with quantum.

As part of the monitoring process, MAS advocates for financial institutions to work closely with third party IT vendors and relevant industry groups as part of a “we’re all in this together” strategy – a policy that is echoed by industry giants such as IBM and Thales.

A common-sense approach to quantum-safe migration must include an audit of all existing cryptographic systems. Identify any and all systems that are dependent upon cryptography for data security, integrity and authenticity. Prioritise those systems most vulnerable to the quantum threat and establish a roadmap for migration to PQC and QKD.

MAS offers up a few strategies to help financial institutions on their quantum journey:

Uplift internal technical competencies to support the quantum migration
Review all security policies and procedures to ensure they are quantum-relevant
Develop risk mitigation strategies for those systems that cannot be migrated

Importantly, MAS also advocates for early adoption and establishing proof-of-concept trials to gauge the likely impact on incumbent systems and highlight any potential implementation challenges.

If you would like to find out more about PQC and QKD, or want to discuss a potential POC, please reach out and contact us.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.n
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
datatranscw-woocommerce-context-id	session	Description is currently not available.
datatranscw-woocommerce-context-key	session	Description is currently not available.
VISITOR_PRIVACY_METADATA	5 months 27 days	Description is currently not available.
wp11868	1 year	Marketing automation. Automatically sets cookie tracking when visitors engage through form submissions, clickthrough’s in email messages, and web pages containing the Act-On Beacon Tracker.

MAS advisory on addressing quantum cybersecurity threats

Stay one step ahead