Using a Risk-Mindset Approach to Unlock the Potential of Quantum Computing

Solving Previously Unsolvable Problems

Due to their ability to solve problems that traditional computers have been incapable of solving, quantum computers have the potential to spark revolutionary advancements across many industries, including the ability to develop new materials, diagnose diseases earlier, and enable more accurate financial models. Within the financial services industry, for instance, quantum computing can enhance the speed and accuracy of fraud detection programs, risk analysis calculations, market trading data analysis, pricing models, and financial forecasting. Algorithms that will only be able to be run on quantum computers should be able to unlock vast capabilities, so that financial institutions can be more profitable and better protected against fraud.

Altering Cybersecurity Protocols

With their new processing capabilities, quantum computers could eventually break through encryption protocols such as RSA—a prospect that has sparked national security concerns, and is likely to alter how organisations protect communications. Currently, encryption methods safeguard personally protected information and other sensitive or confidential data from exposure. However, quantum computing tools may soon be capable of breaching these encryption tools, putting the data at risk and organisations should be aware of the potential risks associated with it. The quantum industry is moving towards post-quantum cryptography (PQC) with the expectation that quantum computers will soon be able to run the requisite algorithms to break public-key encryption. Organisations looking to prepare themselves should explore how PQC may be able to protect their most valuable information.

Creating New Legal Compliance Challenges

Quantum computing is also creating new legal compliance challenges, most notably around export controls. On September 6, 2024, the US Department of Commerce’s Bureau of Industry and Security (BIS) issued new export controls on quantum computing, semiconductors, and other advanced technologies. The scope of the controls is vast and covers exports to countries without national security and regional security concerns, including Canada, the United Kingdom, and Australia. However, the BIS interim final rule creates a new license exception for countries that have implemented comparable controls on an item subject to the controls.

Additionally, on October 28, 2024, the US Department of the Treasury (“Treasury”) issued a Final Rule requiring notification or prohibition of certain outbound investments and other transactions by US persons involving persons of countries of concern who are engaged in activities involving quantum information technologies, semiconductors and microelectronics, and certain artificial intelligence systems. The Final Rule’s requirements took effect on January 2, 2025.

With these new requirements, financial institutions and other organisations that historically have not considered export controls to be a significant issue for their businesses may need to reassess the risks of non-compliance. Organisations that create or use quantum computing technologies (or collaborate with others to do so) or extend financing to organisations engaged in quantum computing must now be aware of various export control requirements, not only in the US but in other countries as well. Organisations must understand whether and how export controls apply to their business activities so they can take the necessary steps to ensure compliance. Not only can non-compliance result in substantial fines and other legal consequences, it also poses national security and technology transfer risks which can thwart plans to utilize the technology itself.

Protecting Technology Assets and Contributions to Quantum Computing Innovations

Many organisations are in the exploration phase as they assess how to integrate quantum computing into their business operations. Because the technology is rapidly evolving, questions remain about the value of contributions to quantum computing innovations and its potential future use-cases. As organisations develop quantum computing technologies—which includes developing intellectual property in those solutions by themselves and by collaborating with key third-party providers in the market—a risk-mindset will enable them to adopt a meticulously constructed, forward-thinking approach to protecting their rights in these innovations that encompasses a wide range of considerations, including which party should own intellectual property rights in the contributions that are made as part of any project licensing options and the user rights of each party.  The decisions that organisations make about the position they want to take on these key issues will have a long-term impact on the organisation's position on these issues and its place in the quantum computing ecosystem in the future.

Keeping an Eye on Possibilities – Both Opportunities and Risks

As with any emerging technology, quantum computing presents numerous, rapidly evolving opportunities, and risks. Because the technology itself is changing so quickly, so too are the associated opportunities and risks.

As far as opportunities, the evolution from the current Noisy Intermediate-Scale Quantum (NISQ) reality to the beginnings of fault-tolerant quantum computing will bring vast potential for organisations to explore in the years ahead. But just as the recent AI boom demonstrated that organisations without a plan for integration of AI into their business model were already a step behind in 2023, organisations without a quantum plan will find themselves a step behind once fault-tolerant quantum computing  begins to be utilized. Organisations should take a forward-looking approach to accurately evaluate options for leveraging quantum computing capabilities so they are prepared when those possibilities become a reality.

One key example of these risks is that quantum computing will render current encryption tools less effective in securing communications. Banks possess massive amounts of data, including proprietary information about their strategies and business plans, as well as customers’ personally identifiable information. Cyber criminals could use “harvest now, decrypt later” tactics to access protected information. With a new risk-mindset, organisations can consider ways to become quantum computing-ready, protecting their communications and data when this future capability becomes a reality.

Educate and Assess

The first critical step in assembling a risk-mindset toolkit is to cultivate expertise regarding quantum computing, including its current and potential opportunities, risks, and challenges. This expertise can be gathered in-house or in conjunction with outside advisors, but the key is to have a designated person or team focused on the ins and outs of the technology and its implications. Multinational financial institutions and other global organisations must have a clear understanding of the relationship between quantum computing—and the rights the organisation must hold—in order to exploit the benefits of developing and using the technology balanced against its obligations under export control regulations. Quantum computing is subject to much hype in the media, and it’s important to maintain an accurate sense of the varied timeline of the development of diverse quantum technologies—and the risks associated with each. Risk assessment under such laws requires knowledge of the technology itself, as well as the apparent and potential end-uses and end-users, each of which could trigger export and reexport prohibitions.  

Determine How to Effectively Manage and Control Risks

Once the organisation has a clear understanding of the opportunities and risks, it can assess various ways to mitigate the risks and capitalize on the opportunities. There are several options for doing so, including owning the technology, collaborating with a service provider to explore potential use cases, or a combination of both. Organisations should establish a process to conduct cost-benefit analyses for opportunities before the need arises. For instance, when considering whether to enter a financing arrangement involving quantum computing, financial institutions should have a step-by-step guide to provide assurance that the investing company understands export control requirements and can comply with them.

Similarly, organisations should document their decision-making process related to the development and use of quantum computing technology. Such approaches may need to be different for adoption and integration of third-party quantum solutions versus development of new capabilities through quantum technologies, but each needs to be thought out. Important protocols may include predetermined criteria regarding whether the organisation will undertake a quantum computing project independently or collaborate with a third party, and if so, how it will assess the suitability of third-party collaborators and service providers. Similarly, organisations should have predetermined criteria that recommend which contractual terms to use for collaborations, protecting rights in these projects, and leveraging standards such as the PQC standards set forth by the US National Institute of Standards and Technology in 2024.

Develop a Third-Party Onboarding Program

By developing a third-party onboarding program, organisations can quickly and proactively identify high-risk vendors and collaborations. A risk-mindset approach considers several criteria, including levels of spending, countries of operation, and types of technology. If an organisation relies on only one criterion, such as a monetary threshold, high-risk projects could potentially slip through the cracks and not be adequately evaluated with quantum computing-risk considerations in mind. For instance, a start-up company might not seek high-value financing, but it could have a high-risk impact if it involves quantum computing-related technology which is going to be used on key projects in the future.

Provide Robust Training Programs and Protocols

Awareness within organisations of opportunities and risks of quantum technologies is essential. Just as with other transformational technologies, a tailored approach should be taken depending on the needs and exposure of each organisation. At a minimum, leadership needs to have a clear-eyed view of the technology, the IT team must be prepared to address quantum threats, product-development teams need to understand the opportunities of quantum computing, and a legal team should be closely involved throughout for both regulatory and IP purposes.

Stay Mindful of the Opportunities and Risks

Because quantum computing is a dynamic and rapidly changing technology, none of the best practices mentioned above are a one-and-done task to cross off a to-do list. Organisations must stay attuned to the evolving nature of the technology and its impact on their business. Even sophisticated organisations like banks and financial institutions that are well-versed on sanctions and money-laundering issues now face new challenges associated with stringent export control obligations. New risks—and opportunities—will continue to arise as the technology matures, and teams of advisors with focused expertise in areas such as IT, finance, human resources, cybersecurity, intellectual property, regulatory compliance, and corporate transactions can help organisations climb an otherwise steep learning curve and adjust their approach as necessary.