“A quantum computer makes it possible to open everything”
How a future quantum breakthrough could retroactively expose today’s banking, medical and state secrets, and why regulators say banks must act now.
On January 7, 2025, the Bank of Israel’s Banking Supervision Department sent an unusual letter to banking corporations and supervised financial entities. Unlike routine regulatory communications, this was not a technical clarification or a narrow compliance directive, but a principled demand: within a year, by January 7, 2026, banks must submit a plan for preparing for cyber threats arising from quantum computing capabilities. The message was clear: even if an operational quantum computer does not yet exist, the financial system cannot afford to wait for the day the encryption on which it relies is broken.
The quantum threat, long treated as an academic debate or the stuff of science fiction, crossed a threshold with this letter, from a distant future risk to a present regulatory problem.
Uzi Yaari, director of the digital division at Elad, describes the move as a necessary response to a widening gap between the pace of technological progress and the state of banking infrastructure. “Quantum computing is no longer just another threat in the cyber landscape,” he says. “It is a technology that changes all the rules of the game.”
“As soon as quantum capabilities become relevant,” Yaari adds, “the entire defensive world that exists today will simply stop being relevant. Completely different sets of code and encryption will be required.” But the challenge, he argues, does not begin with encryption itself, it begins with the systems beneath it. Banks’ core systems, he explains, are often built on legacy code: mainframes, outdated programming languages, and business processes layered over decades.
From this reality follows what Yaari sees as the central conclusion: regulatory compliance alone is not enough. “There are two axes that must move at the same time,” he says. “The first is regulatory, responding to supervision and submitting a plan. The second, and far heavier one, is modernization of the core systems. That means either focused treatment of risk points or a full rewrite of systems. Both are extremely difficult. There are no shortcuts.”
Waiting for future quantum-safe solutions, he warns, is not a strategy. “In two years, the systems won’t be protected. We can’t wait. We should have started yesterday.”
If Yaari locates the risk primarily at the level of code and infrastructure, Moshe Karako, a senior adviser on cyber and communications to financial institutions and governments, widens the lens. For him, the quantum threat is first and foremost a systemic public risk.
Karako notes that some banks still treat the quantum debate as a new version of Y2K, lots of hype, little substance. “This is exactly where the legislator steps in,” he says, “because this is a risk whose return on investment is not immediate, but whose potential damage is enormous.”
The nightmare scenario, he explains, is not a single hack or a specific theft. “A quantum computer makes it possible to open everything,” he says. “Bank accounts, SWIFT traffic between banks, conversations between merchants ahead of transactions. All of our financial information becomes visible.” But the real danger, he emphasizes, is psychological rather than technical. “The value of money in a bank is trust. If even 30% of the public shows up and asks for cash, that alone is enough to collapse the Israeli economy. The publicity creates panic. The Bank of Israel is afraid of that scenario.”
In this sense, the regulator’s letter is not merely about cyber defense, but about safeguarding systemic stability. A collapse of public trust, whether triggered by a real breach or by fear alone, could be just as destructive.
Who, then, has the ability to threaten an entire financial system in this way? Karako dismisses the image of a lone hacker. “There are already researchers, companies, and private entities with access to early quantum computing capabilities,” he says. “Two places from which a quantum computer could emerge tomorrow morning are China and the United States. And once one side gets there, the other will too.”
The implication, he says, is geopolitical. “It doesn’t have to be a criminal organization. It could be the wrong side of a state, one that takes Western money and redirects it to itself. And that’s already happening today.”
Banks, however, are only part of the picture. The quantum threat extends far beyond the financial system. “The most dramatic consequence is the loss of privacy,” Karako says. “All personal information, ID numbers, passports, credit cards, becomes exposed.”
Communications systems are equally vulnerable. “WhatsApp, phones, everything we believe is encrypted,” he says. “Anyone who wants to listen in real time will be able to. It’s a return to an analog world.”
The encryption Karako refers to, RSA, is the same foundation used by banks, e-commerce sites, governments, and communications platforms. “It’s all one chain of trust,” he says.
The timelines, he warns, are shorter than many assume. While today’s quantum computers cannot yet break strong encryption, complacency is dangerous. “The race is on,” he says. “There are very few fields in the world with this much money being poured into them. The Americans are talking about readiness by 2035. That’s not far away.”
One of the most troubling aspects of the quantum threat, Karako adds, is that it may arrive without a dramatic moment. “This isn’t a scenario where you wake up one morning to a headline saying, ‘The quantum computer has been activated,’” he says. “There’s a much quieter and more dangerous scenario, ‘harvest now, decrypt later.’ Today, enormous amounts of encrypted data, banking, medical, security, are being stolen and stored. The day quantum capability matures, everything is unlocked retroactively.”
That means the damage does not begin when encryption finally breaks, but years earlier. “Information stolen today, which we think is worthless because it’s encrypted, may suddenly become extremely valuable,” he says.
Karako also warns against a false sense of control. “People think that if there’s no operational quantum computer today, then there’s no threat today. That’s a mistake. Every financial system and every country needs to ask not only whether it’s protected, but whether it even knows what it has, where encryption exists, in which processes, and with which third-party providers. Many organizations simply don’t know.”
From this perspective, the Banking Supervision Department’s demand for mapping and preparedness is not primarily a technological requirement, but a basic exercise in risk management. “It’s not ‘let’s solve quantum,’” Karako says. “It’s ‘let’s understand what we’re sitting on.’”
The Banking Supervision Department said in response that “banking corporations are currently submitting their responses to the supervisory letter, including references to initial assessments. The department will review the responses, comparing them with requirements and emerging trends in this area.”
