FINMA Releases Guidance to Help Institutions Mitigate Quantum Computing Risks
The Swiss Financial Market Supervisory Authority (FINMA), the country’s financial regulator, has released guidance for financial institutions to proactively address the risks posed by quantum computing, emphasizing the importance of early engagement in risk mitigation.
Though cryptographically relevant quantum computers do not yet exist, technological progress are gaining momentum, and such computers can be expected to emerge in the coming years, FINMA says.
Given the complexity and time required for the migration to quantum-safe encryption technologies, the interdependencies between service providers and financial institutions, and the already very real risk of “harvest now, decrypt later” attacks, institutions must take action promptly, it warns.
FINMA recommends financial institutions to establish a clear roadmap to transition to post-quantum cryptography (PQC). This roadmap should be finalized by mid-2027 at the latest, and should encompass sufficient forward-looking planning for the migration to quantum-safe encryption.
First, institutions should conduct a comprehensive risk analysis, thoroughly examining all business processes to identify the encryption, signature, and authentication technologies employed. This analysis should take into account all information and communication technology (ICT) systems, applications, infrastructure, and new technologies such as distributed ledger technology (DLT) that are operated in-house, outsourced, or procured as a service.
By creating an inventory of these technologies, institutions will be able to determine whether the algorithms used are quantum-vulnerable and need to be replaced accordingly. For vulnerable systems, institutions should develop a migration plan that aligns with the associated risk.
As part of the risk analysis, institutions should also identify the protection requirements for critical data. FINMA advises considering the risk of harvest now, decrypt later attacks where data that is encrypted today may be stolen with the intention of decrypting it at a later date using powerful quantum computers.
Therefore, data that needs to remain protected in the long term should be given priority and protected accordingly. To secure these data, FINMA recommends a hybrid solution, combining a traditional algorithm with a PQC algorithm. This approach enhances security and ensures data remain intact even if one of the algorithms used becomes insecure.
FINMA also warns that PQC algorithms currently regarded as secure might unexpectedly prove ineffective in the future, PQC algorithms currently regarded as secure might unexpectedly prove ineffective. Hence, the regulator recommends that institutions ensure the crypto-agility of their ICT systems and applications.
Crypto-agility refers to the ability of an ICT system or application to flexibly swap out cryptographic algorithms, ensuring that ICT systems can be adapted to new encryption algorithms without requiring major changes to the software architecture.
FINMA also advises institutions to remain cautious of external service providers. Financial institutions should make sure that their providers are also transitioning to quantum-safe cryptography in their systems. They should also ensure that crypto-agility is a prerequisite for all new outsourcing arrangements in the software and data sectors, and that, in the case of existing outsourcing arrangements, this be incorporated into the requirements at the earliest opportunity.
FINMA recommends financial institutions to engage in long-term planning with third-party providers to address emerging requirements. By anticipating future risks like those posed by powerful quantum computers, institutions can proactively set out contractual measures with their external service providers.
Quantum computing risks
FINMA’s recommendations follow the release of a study conducted between November 2025 and January 2026. The survey polled 60 authorized banks, insurance company managers of collective assets, and financial market infrastructures to understand their perceptions of the opportunities and risks associated with quantum computing.
Findings show that most of Swiss institutions are aware of the cyber risks posed by quantum computing. However, only a few organizations have developed a roadmap for implementing quantum-safe encryption. Of the organizations surveyed, 72% have not yet planned or implemented any measures relating to quantum-safe encryption. Only 8% have a specific roadmap in place for quantum-safe encryption.

Almost two-thirds of those surveyed do not expect to start using quantum computer applications for another eight years or more. They foresee the greatest business value of the technology in risk and portfolio analysis, as well as in transaction monitoring, algorithmic trading, and the generation of better random numbers.
McKinsey estimates that quantum computing has the potential to generate up to US$2.7 trillion in global economic value by 2035. This growth is expected to be driven by the enhancement of existing industry applications and the discovery of new ones.
The financial industry stands to benefit significantly from this potential, with the value at stake from quantum computing by 2035 reaching up to US$600 billion.

Featured image: Edited by Fintech News Switzerland, based on image by arslantanoli via Magnific
The post FINMA Releases Guidance to Help Institutions Mitigate Quantum Computing Risks appeared first on Fintech Schweiz Digital Finance News - FintechNewsCH.
Tomas Kauer - News Moderator



















