Taiwan Financial Services Commission has released a Post-Quantum Cryptography migration reference guide for the financial industry to help financial institutions prepare for cyber risks linked to advances in quantum computing. The guide is framed as a planning and preparedness tool rather than a binding migration mandate, and sets out a risk-based, phased approach covering governance, cryptographic inventories, crypto-agility, ecosystem coordination, risk prioritization, supply chain management, and testing and transition. The guide builds on the commission's Financial Operational Resilience on Cybersecurity Ecosystem Blueprint, which identified PQC migration as a key sector initiative. It highlights risks to existing public-key cryptography used in identity authentication, transaction signing, interinstitutional connectivity and data protection, including "Harvest Now, Decrypt Later" and "Trust Now, Forge Later" threats. For implementation, it recommends board-level treatment of quantum-related risk, cross-functional migration task forces, creation of a Cryptographic Bill of Materials, removal of cryptographic anti-patterns, and procurement and outsourcing requirements that incorporate PQC readiness and crypto-agility. It also calls for hub organizations and key institutions to coordinate ecosystem-level roadmaps and common risk profiles, and proposes a twin scoring framework based on quantum risk and migration timelines to prioritize systems. The suggested migration path is split into short-term steps in 2026 to 2027 focused on governance, inventory and foundational crypto-agility, medium-term work in 2027 to 2029 on pilots, infrastructure upgrades and joint testing, and broader migration of high-risk and critical systems through 2035. The commission said its next focus will be ecosystem alignment, supply chain governance, and pilot implementation and validation, while the guide and timeline will be updated as technology, standards and industry practice evolve.

Original source Back to tracker