As quantum computing technology continues to advance, widely used asymmetric cryptographic algorithms (such as RSA and ECC) may face structural risks of being compromised in the future. Financial institutions rely heavily on cryptographic technologies to ensure transaction security and asset trust. Therefore, prudent planning for the migration to Post-Quantum Cryptography (PQC) has become a critical issue in financial cybersecurity governance.
From Y2K to Y2Q
In retrospect, the Year 2000 problem (Y2K) in the late 1990s was a known programming logic issue that could be effectively resolved through code modifications. In contrast, the “Year 2 Quantum (Y2Q)” represents a fundamental shift in computational paradigms that may pose systemic challenges to current cryptographic frameworks.
Quantum computers have potential computational advantages in solving specific mathematical problems. Once the technology matures in the future, it may significantly impact current digital signature and identity authentication systems that rely on asymmetric cryptography.
Therefore, financial institutions should begin conducting cryptographic asset inventories, risk assessments, and crypto-agility planning at this stage, adopting a prudent and phased migration strategy to mitigate long-term risks.
Potential Impact of Quantum Threats on the Financial Sector
If quantum computing technology becomes mature, it may have the following impacts on the financial sector:
1. Risk of Cryptographic Infrastructure Breakdown
The failure of asymmetric cryptography could undermine the technical foundation for establishing trusted connections between financial institutions. This could affect transactions, clearing, and certificate validation mechanisms, potentially leading to a breakdown of trust in the overall financial market infrastructure.
2. Challenges to the Trust Foundation of Digital Signatures
Digital signatures are a core mechanism of digital transactions. Once signatures can be forged, it will no longer be possible to verify that a transaction was genuinely authorized, thereby undermining non-repudiation and legal validity.
3. “Harvest Now, Decrypt Later” (HNDL) Risk
Attackers may collect encrypted data now and decrypt it later, once quantum computing becomes capable of doing so, posing risks to sensitive data stored for long periods.
4. Trust Chain Integrity Issues
The financial system relies heavily on the trust chain mechanisms of certificate authorities and clearing systems. If upstream cryptographic foundations are compromised, the overall stability of the financial system will be at risk.
The FSC’s PQC Policy and Planning
Drawing on the National Institute of Standards and Technology (NIST)’s migration practices and global PQC migration experience, the Financial Supervisory Commission (FSC) has incorporated PQC into its “Financial Operational Resilience on Cybersecurity Ecosystem Blueprint” as a key forward-looking initiative. To promote PQC migration in a prudent manner, the FSC has launched the “Financial Sector Post-Quantum Cryptography Migration Pilot Program” and established a pilot working group. Through the F-ISAC platform, cross-institutional communication and coordination mechanisms have been established to foster consensus and assess the financial sector’s overall readiness.
The pilot program aims to evaluate the readiness of financial institutions for PQC migration, with key tasks including:
- Establishing an inventory of existing cryptographic technologies.
- Conducting business impact and risk assessments.
- Strengthening professional technical training.
- Assessing the readiness of major vendors.
- Enhancing crypto-agility.
- Incorporating PQC support capabilities into procurement evaluation criteria.
Following the pilot program’s overall readiness assessment for the financial sector and the consolidation of related findings, the FSC will formulate and publish the “Post-Quantum Cryptography Migration Reference Guidelines” for the financial sector to guide institutions in planning and implementing PQC migration.
TDCC’s Participation
TDCC is a member of the FSC’s “Financial Sector Post-Quantum Cryptography Migration Pilot Program” working group and collaborates with peer institutions and related organizations to explore relevant preparatory work. Internally, a cross-departmental task force has been established within the IT division. The task force participates in biweekly pilot program group meetings and continues to engage in discussions on PQC-related topics.
Currently, a comprehensive inventory of cryptographic technologies across systems under different information security levels has been completed, providing a foundation for understanding the current state and supporting subsequent evaluations.
Future Work Plan
In the future, a risk-based and phased approach will be adopted to advance follow-up actions, with key focus areas including:
- Continuously improving the inventory of cryptographic assets.
- Assessing quantum risks for highly sensitive and long-retained data.
- Strengthening the modular design of system cryptography.
- Assessing the supply chain’s readiness to support PQC.
- Reviewing and enhancing the existing cryptographic strength.
Conclusion
PQC migration is not merely a technical upgrade, but a critical initiative for maintaining the long-term security and trust of financial market infrastructure. The advancement of quantum computing poses potential challenges to existing asymmetric cryptographic mechanisms. The financial sector is advised to assess potential impacts at an early stage and prudently develop appropriate response strategies to ensure transaction security and systemic stability.
Through participation in the FSC’s PQC migration pilot program working group, TDCC has initiated cryptographic technology inventory efforts and is gradually gaining a comprehensive understanding of cryptographic applications across existing systems, laying the foundation for future evaluation and planning.
