Preparing for Quantum Computing to impact encryption: What should boards do now?

Q-Day is the point at which quantum computers become capable of breaking much of the public-key cryptography that currently secures our communications, transactions and data. Waiting for a clearly identifiable Q-Day is risky. Quantum capability will advance incrementally, and not every actor will announce a breakthrough. More importantly, adversaries can collect encrypted information today in the expectation of decrypting it later, a strategy known as “harvest now, decrypt later.”

Post-quantum resistant cryptography (PQC) is no longer theoretical. In August 2024, the US National Institute of Standards (NIST) and Technology published post-quantum cryptography (PQC) standards[1]. NIST encourages organisations to begin transitioning now. The UK National Cyber Security Centre has also published a migration roadmap[2]. It describes PQC migration as a global, multi-year change to IT and operational technology.

I often hear that boards should begin by requesting an inventory of cryptographic assets. But an inventory alone may not be the smartest starting point. Cryptography is embedded across applications, connections, infrastructure, operational technology and supplier relationships. An inventory that is not connected to business context risks becoming a lengthy technical exercise.

Instead, discovery should map cryptographic assets against:

  • business criticality and data sensitivity

  • how long information must remain confidential

  • systems that may be difficult or slow to change

  • supplier readiness and PQC roadmaps and

  • the organisation’s risk appetite and investment priorities

Your transition to PQC should also build crypto-agility: the ability to identify, update and replace cryptography as standards, technologies and threats evolve.

This requires business and technology leaders to work together from the outset. Outdated cryptography is security debt; we simply do not know when it will fall due. Addressing it early strengthens resilience and demonstrates to customers, regulators and partners that their trust is taken seriously.

PQC migration and the wider challenge of governing security debt will be among the topics explored in our international AI & Cyber Governance Summer School, running from 17 to 20 August. Across four two-hour morning sessions, participants will examine how boards can govern AI, Cyber and the increasingly important intersection between them. Learn more and register here: https://www.cyber4directors.com/c4d-academy.

[1] US National Institute of Standards and Technology (NIST), Post-Quantum Cryptography, 2024, https://csrc.nist.gov/projects/post-quantum-cryptography

[2] UK National Cyber Security Centre, Timelines for migration to post-quantum cryptography, 2025, https://www.ncsc.gov.uk/guidance/pqc-migration-timelines

Next
Next

Cyber Third-Party Risk, Part 1: Aligning Suppliers, Strategy and Risk Appetite