HSBC dives deeper into QC to boost banking software security

Philip Intallura, Global Head of Quantum Technologies at HSBC
Philip Intallura, Global Head of Quantum Technologies at HSBC

In order to improve the resilience and security of its digital infrastructure, British banking giant HSBC is increasingly looking at quantum computing.

The international banking multinational first started testing the application of quantum computing to securities clearing and settlement in 2019, and has since moved on to further experiments in other areas of its business.

Quantum security capabilities are seen as perhaps the most powerful weapon in keeping software systems, online data sets and other vital digital infrastructure safe, particularly since software systems become increasingly complex and intertwined.

Late last year, UK Finance, the UK banking industry association, warned its members that quantum computing could unravel the security used to protect the country’s entire payment system.

For that reason, “you have to make your new software platforms crypto agile so you can rotate between different algorithms,” according to Philip Intallura, who is the global head of quantum technologies at HSBC. He stressed the bank is ramping up its QC efforts.

“We have deployed quantum key distribution links in our headquarters in Canary Wharf and a data centre in Berkshire. This allows us to exchange quantum keys between the two sites to test the stability of the system and apply those quantum keys to applications like audio, video and data files. Therefore, it’s a way of encrypting data with this kind of quantum resistant future technology,” Intallura explained.

He singled out an experiment the bank ran at the end of 2023 which used the system to connect to HSBC’s AI Markets platform and simulate a €30 million Euro to US Dollar foreign exchange trade.

“The front end connected out of Canary Wharf headquarters and the information was retrieved from the back end in Berkshire through this quantum network,” Intallura recently said in an IS interview.

“Effectively, the information exchange and the simulated trade were encrypted with quantum keys and sent between the two sites,” he added.

He called the trial “a demonstration of the world’s first FX trade on a commercial QKD network and gives you a flavour of the sorts of things we’re doing to test how this technology may apply to our critical applications and what impact it has on performance and anything else that may aid our learning as we transition to being quantum safe.”

Global efforts

HSBC is not the only financial institution to actively turn to quantum security capabilities. In Singapore, for example, the country’s financial services regulator, the Monetary Authority of Singapore (MAS), said earlier this year it had teamed up with banking giants DBS, HSBC, OCBC and UOB to develop and roll out quantum security capabilities in Singapore.

The regulator said a memorandum of understanding, which the different entities have signed, included plans to study and test the application of quantum key distribution in the micro-state’s financial services sector via a range of sandbox projects.

“As quantum technology advances, it is vital for the financial sector to safeguard against potential cybersecurity threats that may be brought about by the technology,” stressed Vincent Loy, assistant managing director for technology at MAS.

“This will help MAS and financial institutions better understand QKD’s potential impact on operations and address challenges early.”

Loy added that “these technology trials can also inform and shape technology and cyber risk management policies towards quantum-proofing our financial systems.”


“It’s important not to be fooled into thinking that because cryptographically relevant quantum computers are still some years away, you should take a wait and see approach.”

– Philip Intallura

Intallura largely echoed these sentiments. Zooming in on security issues, he called quantum computing “an interesting field because on one hand it offers tremendous commercial opportunity, particularly for financial services.”

He explained that is because the problems that a quantum computer can solve are “very well matched to approaches we use in banks and financial services, whether that’s machine learning optimization or financial simulation.”

However, Intallura did say that, on the other hand, it brings a lot of risk when it comes to the potential to break public key cryptography.

“That is a serious concern for us because HSBC serves 41 million customers, and processes around 4.5 billion transactions a year,” he noted.

He warned that this threat to cryptography is going to impact every industry.

“Given the criticality of services that financial organizations provide and the fact that financial services are always a target for cybercriminals, this sector does need to take the emerging threat of vulnerable computers very seriously,” Intallura pointed out.

This is one of the reasons HSBC started its quantum program and been running it for a couple of years now. “It’s already looking at how these new technologies pose a threat and what we need to do to mitigate against these emerging threats,” he said.

On board’s agenda

In recent years, quantum computing technology has been developing rapidly and has demonstrated the potential to break commonly used cryptography and encryption algorithms, which is increasingly posing a major cybersecurity concern for banks and other financial services firms.

In February 2024, MAS issued an advisory to Singapore’s country’s finance sector on the cybersecurity risks associated with quantum technology.

Intallura argues that, going forward, quantum security should be much higher on the priority list of many banks than it currently is.

“The single most important step is to make sure your board are having conversations about quantum computing and the emerging threats that they pose,” he said.

He elaborated that “the reason for that is transforming cybersecurity in a financial services organization is going to be long, complex and expensive. It’s important not to be fooled into thinking that because cryptographically relevant quantum computers are still some years away, you should take a wait and see approach.”

He disclosed that HSBC was involved in discussions last year with Britain’s financial services watchdog, the Financial Conduct Authority (FCA) and the World Economic Forum (WEF), which identified four broad steps to follow when it comes to being quantum secure.

“Step one is around preparing and raising awareness. Understanding the current state of cryptographic infrastructure and building internal capabilities, including having the right technical skills, is vital for laying the groundwork for any transition,” Intallura said.

“Step two is about clarifying what you are going to do. It’s about gathering the evidence and identifying the gaps in your network, mapping different regulations across different regions that your organization operates in, and getting a good understanding what a transition will mean,” he continued.

Step three is creating a transition strategy, it’s moving beyond preparation and clarification to shaping and guiding what a transition will look at.

“Which applications are you going to prioritize first, how are you going to ensure that you are developing protocols that meet industry and regulatory best practices,” Intallura said. “This is the point where you need to start working with vendors to understand and implement these new standards.”

Finally, step four is your transition and monitoring. This is about effectively modernizing your cryptographic ecosystem.

“If someone works out how to break a new algorithm, you don’t want to re-engineer your ecosystem. Therefore, you have to make your new software platforms crypto agile so you can rotate between different algorithms,” Intallura concluded.


THIS WEEK


QA FINANCIAL FORUM LONDON: RECAP

Last month, on September 11, QA Financial held the London conference of the QA Financial Forum, a global series of conference and networking meetings for software risk managers.

The agenda was designed to meet the needs of software testers working for banks and other financial firms working in regulated, complex markets.

Please check our special post-conference flipbook by clicking here.


READ MORE


Become a QA Financial subscriber – for FREE

* Receive our weekly newsletter * Priority invitations to our Forum events

REGISTER HERE TODAY