Most cybersecurity threats demand action because something is happening today. The quantum threat is different. It asks financial institutions to act now against a danger that fully arrives years from now, because the damage is already being set in motion. Attackers don’t need a working quantum computer to start stealing from you. They only need somewhere to store what they take.
Singapore’s Monetary Authority of Singapore (MAS) has issued a formal advisory requiring all regulated financial institutions to begin preparing for quantum computing risks today. Under MAS TRM expectations, institutions must inventory their cryptographic assets, prioritise long-lived sensitive data, build crypto-agility, and engage vendors on post-quantum cryptography readiness because the “harvest now, decrypt later” attack pattern means data stolen today can be decrypted once quantum computers mature.
Singapore’s financial regulator saw this coming and moved early. The Monetary Authority of Singapore has issued clear guidance urging financial institutions to prepare for quantum risks, and is already running live testbeds with major banks.
For any institution that falls under MAS technology risk management expectations, the message is that quantum preparation is no longer a someday project. This guide explains the threat, what MAS TRM expects, and how to start, in plain terms.
What Is MAS TRM?
MAS TRM refers to the Monetary Authority of Singapore’s approach to Technology Risk Management, the framework that governs how financial institutions in Singapore manage the risks in their technology and systems.
It has two main parts. The MAS Notice on Technology Risk Management is legally binding and sets firm requirements, and the MAS Technology Risk Management Guidelines provide best-practice guidance on how to meet them.
According to compliance analysis from Fortra, the TRM Notice took effect on 10 May 2024 and sets requirements around identifying critical systems, keeping them highly available, recovering quickly after disruption, and protecting customer information. It applies to all financial institutions regulated by MAS.
In short, MAS TRM is the rulebook for how Singapore’s financial institutions keep their technology secure and resilient. And one of the emerging risks that framework now has to account for is quantum.
Who does MAS TRM apply to? Every financial institution regulated by MAS, including banks, insurers, capital markets intermediaries, and payment service providers operating in Singapore, falls under MAS TRM obligations. The quantum-risk advisory issued in February 2024 was addressed directly to the CEOs of all such institutions, making clear this is an institution-wide governance matter, not just a technical one.
The Quantum Threat, Explained
Here’s a plain picture of what quantum computing does to security.
Almost all the encryption protecting financial data today relies on maths that ordinary computers can’t crack in any useful amount of time. A powerful quantum computer changes that. It could solve maths far faster, unlocking data and faking digital signatures that are completely safe from today’s machines.
A quantum computer that is powerful doesn’t exist yet, at least not publicly. But the financial cybersecurity Singapore sector can’t just wait for one to show up, and here’s the uncomfortable reason why.
Harvest Now, Decrypt Later
This is why the threat is real today, even without a working quantum computer.
Attackers can steal your encrypted data now and simply store it, waiting until quantum computers are strong enough to unlock it later. The data is useless to them today, but they keep it, betting they’ll crack it open in a few years. Security researchers call this “harvest now, decrypt later.”
For a bank, that’s alarming, because so much of what you protect stays sensitive for decades. Long-term contracts, proprietary records, and customer financial histories don’t stop being valuable in ten years. If an attacker harvests that data today, a future quantum computer could expose all of it. The clock is already running, even though the decryption is still years away.
What MAS Expects Financial Institutions to Do
MAS TRM hasn’t left this as a vague warning. On 20 February 2024, it issued a specific advisory to the CEOs of all financial institutions. According to the Monetary Authority of Singapore’s advisory, the guidance outlines the cybersecurity risks from quantum computing and the steps institutions should take to address them.
As legal analysis from Allen & Gledhill lays out, the advisory’s expectations include several practical actions.
- Know what cryptography you use. Maintain an inventory of your cryptographic assets, so you can see exactly which systems rely on encryption that quantum could one day break.
- Prioritise what to protect first. Classify your IT and data assets by importance, so the most critical and longest-lived data can be migrated first.
- Build crypto-agility. Develop the ability to switch to new, quantum-safe cryptography without tearing your systems apart, since rigid systems make migration painful.
- Bring in your vendors. Make sure senior management and third-party IT vendors understand the threat, and ask vendors to provide quantum-resistant solutions as they become available.
- Stay informed and share. Track quantum developments and exchange information with industry groups to mitigate the risk collectively.
The two big ideas underneath all of this are post-quantum cryptography (PQC), new encryption designed to resist quantum attacks, and crypto-agility, the flexibility to adopt it smoothly. MAS technology risk management also points institutions toward quantum key distribution (QKD) as a complementary technology.
Singapore Is Already Testing the Solutions
According to reporting from Charltons Quantum, MAS signed an agreement in August 2024 with major banks including DBS, HSBC, OCBC, and UOB, along with technology partners, to run a proof-of-concept sandbox testing quantum key distribution in financial services.
That sandbox ran across two windows between September 2024 and March 2025, with the institutions testing quantum-safe communications at their own secure data centres. Singapore also completed a separate post-quantum cryptography experiment with Banque de France in November 2024.
The takeaway for any financial institution is simple. The country’s leading banks and its regulator are already putting time and money into quantum-safe security. This is the direction the sector is moving, and the testbeds show it’s moving now, not in some distant future.
How to Start Preparing for Quantum Risk
The scale of an eventual migration can feel overwhelming, so the key is to start with the steps that matter most and build from there. Here’s a sensible order.
1. Build your cryptographic inventory
You can’t protect or migrate what you haven’t catalogued. The essential first step, and the one MAS names first, is a complete inventory of where and how your institution uses cryptography. Which systems, which algorithms, which data they protect. Most institutions don’t have this clearly mapped, and it’s the foundation everything else builds on.
2. Identify your long-lived sensitive data
Because “harvest now, decrypt later” targets data that stays valuable for years, find that data first. Records that must stay confidential for a decade or more are the most exposed to the quantum threat, and the strongest candidates for early protection. Prioritise them.
3. Assess whether your systems can adapt
Quantum-safe cryptography is only achievable if your systems can actually accommodate new algorithms. Check whether your current infrastructure could support a switch to quantum-resistant standards, and note where rigid, outdated systems would make that hard. Those are the places to begin upgrading.
4. Bring your vendors into the conversation
Much of your cryptography lives in systems and services from third parties. Start asking your vendors now about their own quantum-readiness and their plans to offer post-quantum cryptography solutions, the same supply-chain scrutiny that strong financial cybersecurity Singapore demands across the board.
5. Build the skills and the plan
Quantum migration is unfamiliar territory for most teams. Invest in your people’s understanding, update your internal policies to reflect quantum risk, and build a roadmap for migration rather than treating it as a single future event. Starting the capability now is what makes the eventual transition manageable.
Why Early Preparation Matters
MAS TRM has made quantum risk preparation a present obligation, not a future one. Through its February 2024 advisory and active sandbox testing with Singapore’s major banks, MAS has signalled that post-quantum cryptography readiness and quantum-safe cryptography adoption are expected features of a well-managed financial institution, not optional upgrades.
For any organisation subject to MAS technology risk management requirements, the time to act is now, while data can still be protected before it is harvested.
The quantum threat is unusual because its deadline is both far away and already here. The computers that could break today’s encryption may be years off, but the harvesting of data to decrypt later is happening now. For a bank holding decades of sensitive records, that’s exactly why MAS is urging action today.
The institutions that handle this well won’t wait for a quantum computer to make headlines. They’ll be the ones that quietly built their cryptographic inventory, protected their long-lived data, and made their systems flexible enough to adapt, all before the threat fully arrived.
Notice that almost every step starts in the same place, knowing what you actually have. You can’t protect data you haven’t mapped or defend against harvesting you can’t see.
That visibility is what Zentara provides. Our VAPT and security assessments map your cryptographic and data assets and surface the weak points, while our Managed SOC watches for the quiet data theft the quantum threat relies on.
Book a free 30-min strategy session with our specialists and we’ll help you map your exposure and turn it into a plan you can start now.


