Why Financial Services Must Move From Secure By Default To Secure By Design

Article Insights

Grant Thornton Malta are most popular:

within Insolvency/Bankruptcy/Re-Structuring and Tax topic(s)

For decades, digital trust has relied on a foundational assumption: that the cryptographic systems securing financial infrastructure are effectively unbreakable within any realistic business horizon. That assumption is now being re‑examined.

Recent research developed with contributions from Google Quantum AI, the Ethereum ecosystem and leading academic institutions challenges long‑held expectations around cryptographic resilience. While the findings do not point to an immediate failure of existing cryptography, they do signal that the timeline for risk has shifted.

Advances in quantum algorithms and computer architectures are reducing the margin between theoretical vulnerability and practical exposure. For financial institutions, this is not a distant technical concern, it is a question of long‑term governance, resilience and trust.

Quantum Risk Is Not a Technology Curiosity

Importantly, quantum computing does not render today’s cryptography unsafe overnight. Nor does it imply that quantum‑capable attacks are imminent.

What it does suggest is that confidence based purely on time is no longer sufficient.

Historically, organisations relied on the idea that by the time cryptographic schemes became vulnerable, systems would naturally have evolved. Quantum developments compress that buffer. The more realistic risk is not a sudden “quantum moment”, but a compressed transition window, a period during which institutions must upgrade cryptographic foundations faster than legacy environments typically allow.

For financial services, where systems are intentionally designed for longevity, this shift matters.

Why Quantum Risk Matters Beyond Crypto‑Assets

Although much public discussion focuses on cryptocurrencies and blockchain, quantum risk is not a crypto‑specific issue.

Cryptography underpins core elements of the financial system, including:

Payment authorisation and settlement
Digital identity and access management
Secure financial messaging
Custody and key management frameworks
Long‑term data confidentiality and retention

If underlying cryptographic assumptions weaken, the impact is systemic rather than isolated. The challenge is therefore not whether institutions should respond, but how deliberately and how early they do so.

What the Research Actually Changes

Elliptic‑curve cryptography (ECC) supports a significant portion of modern digital infrastructure, from secure communications to distributed ledger systems. The latest quantum research suggests that the resources required to compromise ECC using quantum techniques may be lower than previously assumed.

This does not change security realities today. It changes planning assumptions for tomorrow. Security strategies built solely on the expectation of long lead times may no longer be sufficient. Institutions must assume that migration, governance and dependency mapping will need to happen under tighter time constraints.

Ethereum’s Response: A Signal of Scale and Complexity

The Ethereum ecosystem’s response offers a useful reference point. Recognising that cryptographic upgrades in a global, decentralised network require years of coordination, Ethereum developers have already begun work on post‑quantum readiness, well ahead of any immediate existential threat.

For regulated financial institutions, the lesson is clear: the hardest systems to change are the ones that must be addressed first. Waiting for certainty reduces optionality.

From Security as a Feature to Security as a Design Discipline

Quantum computing challenges the traditional view of security as something embedded in standards, algorithms or tools.

In an environment of accelerating technological change, security becomes a design discipline, raising questions such as:

How easily can systems evolve when assumptions change?
How are trust models governed and revisited over time?
How is recovery managed if long‑standing controls weaken?
This is the distinction between being secure by default and becoming secure by design.

A Board‑Level Conversation, Not a Technical One

Quantum risk should not sit solely within technical roadmaps or innovation teams. It intersects directly with:

Operational resilience
Data governance and retention obligations
Regulatory compliance
Long‑term institutional trust

These are board‑level responsibilities. Organisations that engage early preserve strategic flexibility. Those that wait for clear timelines may find that choices, and safe transition paths, are already constrained.

How We Can Support You

Quantum risk is not just a technology consideration, it sits at the intersection of governance, risk management and long‑term resilience.

We support organisations in understanding quantum‑related implications through a holistic GRC lens, spanning:

IT and cyber risk
Enterprise and financial risk
Data governance and regulatory alignment
Operational resilience and long‑term system sustainability

Our approach helps leadership teams assess where emerging technology risks intersect with existing control frameworks, governance structures and resilience obligations, enabling informed decisions that protect digital trust without disrupting today’s operations.

Contact us today to see how we can support your business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.