Mumbai: The Securities and Exchange Board of India (Sebi) is bracing India’s markets for a future where ultra-powerful quantum computers could crack today’s passwords in seconds—a threat its chief likened to the Y2K scare of the 1990s. The regulator said preparation for a combat plan is underway.
Also called the ‘Millennium Bug,’ the Y2K problem had threatened to crash computers worldwide at the turn of the year 2000, but the impact was not too severe mostly on account of proactive actions globally.
Speaking at the Global Fintech Fest, Sebi chairman Tuhin Kanta Pandey on Wednesday warned that the arrival of quantum computers could render current encryption standards obsolete, potentially breaking passwords and compromising security across the financial sector.
“It is being said that if computers come the normal cryptography will break,” Pandey said. “The traditional cryptography that we do now, with which we make passwords, whether it is 128 encrypted, will break with quantum computing. If it breaks, there will be no security and crypto will go first.”
The markets regulator is engaged in preparing the system to be safe ahead of the technology’s widespread adoption, the chairman said adding that is charting a course for quantum-safe computing, with a target timeline of 2028 or 2029.
Quantum solution
The solution involves transitioning to new standards like post-quantum cryptography (PQC) or quantum key distribution (QKD). “We will have to prepare for that now,” Pandey said, outlining a multi-year plan. “Gradually, in all the systems, we will have to look at where the passwords have been used. And then we will have to replace them.”
Pandey was speaking in a panel discussion moderated by Uday Kotak, founder of Mahindra Bank, on leveraging technology while mitigating risk. The panel included Tuang Lee Lim, assistant managing director of the Monetary Authority of Singapore (MAS) and Marlene Amstad, chairperson of the Swiss Financial Market Supervisory Authority (FINMA).
Lim highlighted the need to regulate financial activities consistently, regardless of the underlying technology. He referenced Singapore’s “duck test” for regulation: “If it works like a duck, looks like a duck, sounds like a duck, you have to regulate it like a duck. So regardless of whether it comes in whatever form, digital form or in traditional form, you have to make sure that you look at what’s the underlying risk… and you tackle them appropriately.”
Echoing the focus on risk, FINMA’s Amstad noted that new technologies such as artificial intelligence (AI) don’t create entirely new risk categories; they only amplify the existing ones.
During the discussion, spoke on how the industry could go for a quantum-safe cryptography based on an action plan from its own discovery, and prepares and then acts within the next two to four years.
This initiative is part of a broader strategy that balances innovation with security. Responding to a question from Kotak about maintaining technology neutrality, Pandey argued that complete neutrality is impractical once a technology becomes widespread. He stressed the need for common standards to ensure a level playing field and interoperability.
“You can have neutrality only to an extent, where there are multiple technologies, which are similar, and which can connect,” Pandey explained. “We would say a sensible, responsible use of technology. But as a regulator, I would say that we should adopt and embrace technology, both for our own good and for the good of the entire community.”
This forward-looking security overhaul builds on Sebi’s comprehensive cybersecurity and cyber resilience framework issued in August 2024.
Pandey said that collaboration between regulators, market participants and technology providers is crucial for success. “As we enter the next phase of this transformative journey, the collaboration between fintech innovations and regulatory foresight will determine not just how fast we grow, but how safely we grow,” the chairman said, concluding his address.