
Section IV: Regulatory Considerations for Quantum Computing

As with any new technology, quantum computing brings with it both opportunities and risks. Quantum computing may have a profound impact on the securities industry, whether for larger and more well-resourced firms seeking to leverage quantum advantage or for firms of all sizes preparing to defend against attacks on present-day cryptography. In this context, market participants must consider that quantum computing can not only change the way firms do business but may also have various regulatory implications. Specifically, firms considering whether to incorporate quantum computers into their internal systems and processes as well as firms contemplating the potential threat quantum computing poses may wish to consider the following regulatory issues: cybersecurity, third-party vendor outsourcing, data governance and supervisory controls. This section provides an overview of each of these areas.

While this section underscores broad areas of regulatory importance, it does not provide an exhaustive or cumulative list of all factors and regulatory issues associated with the use of quantum computing. Moreover, this report does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws and regulations. Member firms may consider the information in this report in developing new, or modifying existing, practices that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. In addition, broker-dealers should conduct their own risk assessments regarding the potential regulatory implications of quantum computing as it pertains to their unique use cases and business models.

  • Cybersecurity. Quantum computers may eventually have the capacity to break certain encryption standards broker-dealers and other members of the financial services industry currently use.93 As a result, developments related to quantum computers may impact common applications, such as securing private communications (containing sensitive financial and account information) over the internet and verifying digital signatures. This report is in part designed to help firms become more aware and knowledgeable about the potential future opportunities and risks related to quantum. Firms that seek to move towards post-quantum readiness may also wish to consider taking inventory of their encrypted data, prioritizing the different levels of importance of such data, analyzing procedures to manage digital identity (including securing digital signatures) and migrating over time to quantum-resistant encryption methods. Firms may wish to engage NIST in their efforts to support post-quantum cryptography migration efforts.94 In addition, if any quantum-anticipatory changes relate to how firms maintain and secure customer records and information, firms should consider rules pertaining to safeguarding such data, including obligations under SEC Regulation S-P, SEC Regulation S-ID, FINRA’s Regulatory Notice 21-18 and Notice to Members 05-49. For additional resources, including applicable rules and guidance, firms may refer to FINRA’s various reports and alerts on cybersecurity.
     
  • Outsourcing and Third-Party Vendor Management. Some firms have already begun to explore quantum computing to enhance various systems and processes by accessing quantum computers through a cloud environment, in part due to the high costs and level of resources required to individually acquire, build or maintain a quantum computer. When working with third parties, including those providing services related to quantum computing, firms should be mindful of relevant FINRA guidance on outsourcing.95 Firms that use cloud service providers to access quantum computing capabilities retain ultimate responsibility to ensure they comply with securities regulations relating to securing data. As such, depending on the type of cloud service model and the level of service, firms may consider developing controls regarding the types of software and hardware systems that the cloud service provider or the firm manages and controls. Firms may also wish to consider whether their systems are appropriately configured for the cloud and quantum computing environment, if they have proper data governance systems in place (e.g., establishing data access protocols to determine which parties have access to data in the cloud) and if rollouts of the quantum-related initiatives are targeted and effective. In addition, firms may refer to FINRA’s Cloud Computing in the Securities Industry report for a comprehensive review of key regulatory considerations related to cloud computing, including those pertaining to recordkeeping.
     
  • Data Governance. Quantum technology offers the possibility to process more data at far greater speeds, which has the potential to lead to a proliferation of data inputs. The enhanced use of different types of data enabled by quantum computing may potentially become a source of the following risks: data source verification and quality, questions around the purpose and use cases of data, and data security. As such, the importance and benefits of developing appropriate governing principles around the use and safeguarding of data may increase with the future adoption of quantum computing.96 As a result, in the future, firms may desire to consider data quality benchmarks and metrics to assess the data inputs that they supply to quantum systems as well as how data will be stored, protected and properly used. Firms should also consider how they meet data protection requirements for safeguarding customer records and information, which are addressed in SEC Regulation S-P, SEC Regulation S-ID as well as in Regulatory Notice 21-18 and Notice to Members 05-49.
     
  • Supervision and Controls. Developments in quantum computing that facilitate enhanced operations by firms or result in potential threats to current encryption techniques may pose unique and complex challenges. As noted in FINRA’s 2020 Risk Monitoring and Exam Priorities Letter, “[f]irms’ increasing reliance on technology for many aspects of their customer-facing activities, trading, operations, back-office, and compliance programs creates a variety of potential benefits, but also exposes firms to technology-related compliance and other risks.” Accordingly, based on the nature of any future developments in quantum computing, firms may wish to consider the potential impacts to their existing supervisory procedures and business continuity plans.
    • Supervisory Procedures. Quantum computers are likely to have the ability to process far greater volumes of data at far greater speeds than today’s classical computers through an increasingly complex set of algorithms. The more complex the model and the application, the more vulnerable it may be to potential sources of error that could go undetected without the appropriate risk management models and supervisory controls (including enhanced testing). FINRA rules require firms to establish, maintain and enforce written procedures to supervise the types of business in which they engage and the activities of their associated persons that are reasonably designed to achieve compliance with applicable securities law and regulations, and with applicable FINRA rules. In addition, FINRA rules require firms to establish, maintain and enforce reasonable supervisory policies and procedures related to supervisory control systems that, among other things, require firms to test and verify such policies and procedures (i.e., FINRA Rules 3110 and 3120). Moreover, in the algorithmic trading context, FINRA has previously stated that:
       
      As the use of algorithmic strategies has increased, the potential of such strategies to adversely impact market and firm stability has likewise grown. When assessing the risk that the use of algorithmic strategies creates, firms should undertake a holistic review of their trading activity and consider implementing a cross-disciplinary committee to assess and react to the evolving risks associated with algorithmic strategies.97

      Similarly, with regard to algorithms used for quantum computers, firms may wish to consider potential impacts to the firm or market’s stability as part of their supervisory procedures.
       
    • Business Continuity Plans (BCPs). Firms may also wish to consider how the use of quantum computing may impact their obligations under FINRA Rule 4370, which requires firms to create and maintain a written BCP identifying policies and procedures for emergencies or other significant business disruption. The rule stipulates that such policies and procedures must be reasonably designed to enable the firm to meet its existing obligations to customers, counterparties and other broker-dealers. Developments in quantum computing may pose risks to existing methods of encryption. Accordingly, based on the nature of any future developments in quantum computing, firms may wish to consider appropriate BCP-related safeguards or contingency plans, with a particular emphasis on mission critical functions.