The board conversation about quantum computing has been stuck in the wrong decade. When quantum comes up in enterprise strategy sessions, the question is almost always about compute - about whether quantum processors will one day accelerate drug discovery, optimize logistics, or model financial risk faster than classical machines. That conversation is real, but it is a 2035 problem. The quantum problem your organization needs to solve right now is not about compute at all. It is about the encryption protecting every sensitive communication, contract, health record, and trade secret your organization has transmitted over the past ten years - and the fact that adversaries are storing it today to decrypt it when the compute arrives.
The attack is called "harvest now, decrypt later." It does not require a quantum computer to exist today. It requires only that an adversary believes one will exist within the useful lifetime of the data they are collecting. Intelligence agencies, nation-state cyber units, and sophisticated criminal organizations have been harvesting encrypted enterprise traffic at scale since at least 2020. The NSA's PRISM program, China's persistent infrastructure implants documented in the Volt Typhoon disclosures, and the data exfiltration patterns identified in dozens of major breach investigations all point to the same operational logic: collect now, decrypt when the capability exists.
For most encrypted data, this is a theoretical risk. For some classes of enterprise data, it is an urgent operational problem - and the distinction is one that most boards have not been asked to make.
Why Encryption Breaks
The encryption algorithms protecting most enterprise communications - RSA, elliptic curve cryptography (ECC), and Diffie-Hellman key exchange - derive their security from mathematical problems that are computationally hard for classical computers. Specifically, they rely on the difficulty of factoring large numbers (RSA) or solving the discrete logarithm problem (ECC). A classical computer factoring a 2048-bit RSA key would take longer than the age of the universe. A sufficiently powerful quantum computer running Shor's algorithm could factor the same key in hours.
Shor's algorithm has been known since 1994. What has changed in the past three years is the credibility of the timeline for quantum hardware that could run it at scale. Google's Willow chip, announced in December 2024, demonstrated error correction at a scale that resolved a long-standing barrier in quantum computing research. Microsoft's announcement of topological qubits in early 2025 opened a different path to fault-tolerant quantum computation. IBM's published roadmap projects systems capable of running Shor's algorithm on RSA-2048 keys between 2029 and 2033, with a median analyst estimate of 2031 as the earliest credible date for what cryptographers call a "cryptographically relevant quantum computer" - one powerful enough to break current encryption in practical time.
"The adversary does not need a quantum computer today. They need your data today and a quantum computer eventually. One of those they already have."
Seven years sounds like a long time. It is not, relative to enterprise cryptography migration cycles. A global financial institution migrating its core banking cryptography, a pharmaceutical company updating encryption across its clinical trial data infrastructure, or a defense contractor rotating cryptographic protocols across classified and unclassified systems is looking at a 5-to-10-year program involving thousands of systems, dozens of vendors, and multiple regulatory approval cycles. Organizations that begin migration in 2027 or 2028 will be finishing in the early 2030s - which is precisely when the threat materializes.
What NIST Actually Did in 2024
In August 2024, the National Institute of Standards and Technology finalized three post-quantum cryptography standards: FIPS 203 (ML-KEM, based on CRYSTALS-Kyber), FIPS 204 (ML-DSA, based on CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA, based on SPHINCS+). These are the algorithms that will replace RSA and ECC for key encapsulation and digital signatures in federal systems - and, by regulatory extension, in any enterprise operating in regulated industries or as a federal contractor.
The finalization of NIST standards is the starting gun for enterprise migration, not a distant signal. Federal contractors are required to begin implementing these standards in new systems immediately and to publish migration roadmaps for existing systems. Financial institutions regulated by the OCC, FDIC, and Federal Reserve have received guidance making post-quantum readiness an explicit examination area beginning in 2026. Healthcare organizations subject to HIPAA are facing similar signals from HHS. The regulatory pressure is not hypothetical - it is present and accelerating.
The Data That Is Already at Risk
Not all encrypted data carries the same harvest risk. The relevant question is not "is my data encrypted" but "does my data retain value to an adversary in 7 to 10 years." Most enterprise data does not. A TLS-encrypted session downloading a product catalog has no long-term value to a nation-state adversary. A TLS-encrypted session transmitting merger negotiation documents, clinical trial results, proprietary algorithm parameters, or diplomatic communications is exactly the data that harvest-now-decrypt-later programs are designed to capture.
The categories that require immediate assessment are:
- Long-lived secrets: cryptographic keys, authentication credentials, and certificates that are reused across years rather than rotated frequently
- Regulatory data with multi-decade retention requirements: health records, financial records, and legal documents that must be protected for 10 to 30 years
- Intellectual property with extended commercial value: drug formulations, manufacturing processes, proprietary algorithms, and source code for products not yet released
- Government and defense contractor data: any data subject to export control regulations or classified adjacent handling requirements
- Merger, acquisition, and financing communications: transaction data with value to competitors and nation-states that may not be public for years
For organizations in pharmaceuticals, defense, finance, and healthcare, the overlap between these categories and their core operational data is near-total. For organizations in retail, consumer goods, and media, the overlap is more limited - but the IP and M&A categories still represent material exposure.
What the Migration Actually Involves
Post-quantum cryptography migration is not a software update. It is a protocol replacement program that touches every system, application, and vendor integration that performs encryption, authentication, or key exchange. The scope is larger than most enterprise security teams have modeled.
A typical Fortune 500 enterprise runs between 800 and 2,000 applications with some cryptographic dependency. Of these, roughly 60% use TLS for transport security - which will need to be updated to TLS configurations supporting post-quantum algorithms. Roughly 30% use public key infrastructure for authentication, code signing, or certificate management - requiring root certificate rotation and PKI rebuild programs. The remaining 10% use application-layer encryption for data at rest - requiring algorithm replacement in the application code itself, not just at the transport layer.
Each of these categories requires vendor support. A TLS configuration change is only possible when the underlying library (OpenSSL, BoringSSL, Schannel) supports the new algorithms - which most do following 2024 updates, but which requires version upgrades across the fleet. A PKI rebuild requires the enterprise's certificate authority vendor to support post-quantum certificate profiles. Application-layer encryption changes require coordination with software vendors, or internal development work on applications built in-house.
"Most enterprises have mapped their visible attack surface. Almost none have mapped their cryptographic surface. They are not the same thing."
The first step - and the one that takes longer than security teams expect - is cryptographic inventory. Before an enterprise can migrate, it needs to know what it has: every algorithm in use, every system performing cryptographic operations, every vendor providing cryptographic services, and every certificate in the PKI. Most enterprises do not have this inventory. Building it requires a combination of network scanning, application security tooling, and manual assessment of legacy systems that do not respond to automated discovery. Enterprises that have not started the inventory by 2027 will not finish migration before the threat window opens.
The Board Question Most Audit Committees Are Not Asking
Post-quantum cryptography risk has the same structural profile as climate risk did in 2015: the science is clear, the timeline is uncertain, the cost of early action is known, and the cost of late action is not bounded. The governance parallel is instructive. Boards that engaged with climate risk early developed frameworks, hired expertise, and built disclosure processes before regulatory mandates forced the issue. Boards that waited are now scrambling to retrofit governance onto operational reality under regulatory scrutiny.
The question an audit committee should be asking today is not "when will quantum computing be ready" - that is a technology question with an uncertain answer. The question is "what data are we transmitting today that we would need to protect for the next 10 years, and what is our plan for ensuring that data remains protected when the cryptography protecting it can be broken." That is a risk management question with a definite answer, and the answer starts with the cryptographic inventory described above.
Three governance actions change the risk profile materially:
Commission a cryptographic inventory by end of 2026. This is the minimum viable action. Without inventory, migration planning is guesswork. The inventory should cover all applications, all network infrastructure, all certificate authorities, and all vendor-managed cryptographic services. Expect the process to take 4 to 6 months for a mid-size enterprise and 12 to 18 months for a global organization with significant legacy infrastructure.
Identify your highest-risk data categories and begin migration planning for those first. Not all systems need to migrate on the same timeline. Cryptographic infrastructure protecting long-lived secrets, health records, and core IP should migrate first. Internal productivity tooling can follow. Sequencing the migration reduces the program cost and ensures that the highest-risk exposure is addressed before the threat window opens.
Add post-quantum readiness to vendor security assessments. A significant fraction of enterprise cryptographic exposure sits in vendor-managed systems: cloud infrastructure, SaaS applications, and managed security services. The major cloud providers (AWS, Azure, Google Cloud) are actively implementing post-quantum TLS and publishing timelines for full support. Mid-tier SaaS vendors are less consistent. Adding post-quantum readiness as a procurement requirement now creates pressure on the vendor ecosystem and ensures that migration timelines are not blocked by vendor lag when the program accelerates.
The Competitive Angle Boards Are Overlooking
Post-quantum migration is not only a risk mitigation program. It is also a competitive differentiation opportunity in regulated industries. The first pharmaceutical company to achieve post-quantum certification on clinical trial data infrastructure will be better positioned for regulatory approval in markets - particularly in the EU and in federal procurement - where post-quantum requirements are becoming explicit. The first financial institution to publish a post-quantum readiness disclosure will be ahead of a regulatory disclosure requirement that is coming within three years.
The organizations that treat this as a compliance deadline will spend the most money moving the fastest at the end. The organizations that treat it as a strategic program starting now will have lower migration costs, better vendor leverage, and first-mover advantage on the regulatory certifications that will be required in their industries by 2030. The cryptography migration that feels like overhead today is the security posture that becomes a procurement requirement tomorrow.
The Insurance Industry Is Already Pricing This
One useful signal for where a risk sits on the spectrum from theoretical to operational is how the insurance industry prices it. Cyber insurers have been underwriting quantum risk explicitly since 2023. Lloyd's of London syndicates offering cyber coverage now include "quantum decryption event" as a named peril in premium-tier policies, with coverage contingent on the policyholder maintaining a documented post-quantum migration roadmap. Zurich and AIG have introduced endorsements that exclude harvest-now-decrypt-later losses for organizations that cannot demonstrate they have begun cryptographic inventory.
This is not a speculative future underwriting posture. It is present policy language affecting renewal negotiations happening right now. CISOs whose organizations are up for cyber insurance renewal in 2026 or 2027 are being asked directly about post-quantum readiness. Organizations that cannot answer the question coherently are facing either coverage exclusions or premium increases that dwarf the cost of beginning the migration program. The insurance market has already made the risk pricing decision. Enterprise risk committees that have not engaged with the same evidence as underwriters are operating with a gap they cannot justify to their boards.
The supply chain dimension compounds this. A financial institution may have excellent internal cryptographic hygiene and still carry quantum exposure through its vendor ecosystem. Payment processors, custodians, clearing houses, and data providers that transmit sensitive data over RSA-encrypted channels are points of exposure even if the institution itself has migrated. The same logic applies to healthcare systems dependent on medical device manufacturers, and to manufacturers dependent on component suppliers with long-lived quality certifications transmitted over legacy encrypted channels. Post-quantum migration is not complete when the enterprise has migrated. It is complete when the enterprise and every vendor in its critical data path has migrated.
This supply chain dimension is why early action has compounding value. The enterprises that engage with post-quantum requirements first will be in a position to set contractual expectations for their vendors - to include post-quantum readiness as a condition of renewal in supplier contracts, to give vendors the runway to respond, and to avoid the situation where migration is delayed not by internal inertia but by a critical vendor that has not started. The enterprises that begin this conversation in 2026 and 2027 will have material leverage over the vendors they depend on. The enterprises that begin in 2029 will be waiting in a queue behind everyone else who also left it too late.
The competitive dynamic is already visible in federal procurement. Defense contractors with post-quantum certification in their encryption stack are winning contracts that competitors without it are losing. The DoD's Cybersecurity Maturity Model Certification (CMMC) 2.0 framework includes post-quantum readiness indicators that are expected to become mandatory evaluation criteria by 2028. A defense-adjacent enterprise that has not started migration will be out of contention for a meaningful segment of federal business within three years. That is not a technology planning problem. It is a revenue planning problem.
Quantum computing will eventually change how enterprises process certain classes of problems. That story is real, and it will be worth telling when the hardware is ready. The story that is worth telling right now is simpler and more urgent: the encryption protecting your most sensitive data has a known expiration date, the standards to replace it have been finalized, and the migration timeline is shorter than the threat timeline for most organizations that have not started. The board that asks the cryptographic inventory question in 2026 is the board that avoids the crisis briefing in 2031.
References
- NIST FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (August 2024)
- NIST FIPS 204: Module-Lattice-Based Digital Signature Standard (August 2024)
- Google Research: Making Quantum Error Correction Work - Willow Chip (December 2024)
- NSA: Quantum Key Distribution and Post-Quantum Cryptography Guidance
- CISA: Post-Quantum Cryptography Initiative - Enterprise Migration Guidance
- Shor, P.W.: Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms (1994, arXiv)
- IBM Quantum Development Roadmap 2025-2033
Want to assess your organization's post-quantum cryptography exposure?
Schedule a 15-minute intro call →