Online Exclusive

Prepare Now for Quantum Cyber Risk

By Patrick Lee and Aaron Kemp

04/17/2026

Partner Content Provided by KPMG LLP
Key Points
  • The transition to post-quantum cryptography is a complex, multiyear transformation that requires organizations to begin system redesigns and testing immediately.
  • Adversaries are already intercepting and storing encrypted data with the intent to decrypt it once quantum computing technology reaches sufficient maturity.
  • Effective oversight requires boards to integrate quantum-specific scenarios into enterprise risk management and ensure management maintains a documented resilience road map.

This AI-generated summary, based on content on this page, was reviewed by NACD editors for accuracy.

Quantum computing capabilities have made the vulnerability of current encryption standards into an immediate concern for board oversight.

For decades, quantum computing has been “five years away” from reality, a disruptive technology brimming with potential yet always just out of reach. Recent quantum breakthroughs, however, are changing the game and rapidly accelerating the timeline of when quantum computers could upend current encryption standards.

As these advancements reshape the quantum cyber-threat landscape, the urgency to implement post-quantum cryptography (PQC), which protects data against quantum computers' code-breaking ability once such machines become viable, has never been greater.

An important role for the board is to help ensure that quantum computing is explicitly integrated into its oversight of cyber risk and enterprise risk management, including scenario analysis around encryption failure.

The Quantum Cyber Threat Is Already Active

Companies should prepare now for quantum cyber risk because the threat is active, the transition is slow and complex, and regulatory and investor expectations have effectively started the clock on the race against “Q-day.”

The board should consider the key factors below when assessing the company’s planning.

The “harvest now, decrypt later” threat exists today. Adversaries can already intercept and store encrypted traffic and files with the intention of decrypting them once quantum computers are strong enough to break today’s public‑key cryptography: the RSA, Diffie-Hellman, and elliptic-curve schemes, the two-key methods used to exchange session keys and to sign digital information. Symmetric encryption such as AES is weakened but not broken by known quantum algorithms, so the exposure is concentrated in key exchange and digital signatures. Any data with a long sensitivity window—trade secrets, health records, national security-related data, or mergers and acquisitions and legal files—may be compromised years from now based on theft that occurs today.

Migration to PQC takes time. Large organizations are deeply dependent on public-key cryptography. Discovering where those algorithms are used, identifying long-lived and critical data flows, redesigning systems for cryptographic agility, testing new algorithms, and then migrating at scale is a multiyear transformation. Waiting until a cryptographically relevant quantum computer is clearly imminent will not provide companies with enough time to migrate to PQC safely.

Timelines for quantum computing are uncertain but trending toward greater urgency. With expert assessments increasingly pointing to the arrival of cryptographically relevant quantum computers in the early 2030s, and possibly as early as the late 2020s, companies and boards must plan against the earlier timelines. The relevant planning horizon already overlaps with credible quantum timelines, since the data and systems companies deploy today may still be in use 10 to 20 years from now.

Regulators, standard-setting bodies, and governments are already working on migration. Governments and standard-setting bodies have started to standardize post‑quantum algorithms and issue mandates and road maps for PQC migration across the public sector and critical infrastructure. The National Institute of Standards and Technology (NIST) published its first three PQC standards in August 2024 (FIPS 203 ML-KEM for key establishment, FIPS 204 ML-DSA and FIPS 205 SLH-DSA for digital signatures), and its draft transition guidance (NIST IR 8547) proposes deprecating quantum-vulnerable public-key algorithms in 2030 and disallowing them in 2035. That creates de facto expectations for companies in the private sector, especially in highly regulated industries, to understand their exposure and have credible transition plans. Organizations that wait to transition will face compressed regulatory timelines, higher compliance costs, and potential scrutiny for failing to act on widely signaled risk.

Expectations are mounting that companies will be prepared. Customers, investors, and regulators are increasingly asking whether companies are prepared for quantum-era threats. To reassure stakeholders, companies should be able to demonstrate that they have a concrete road map for migration to post-quantum cryptography.

Focusing on Quantum Resilience

Given the scope and complexity of preparing for quantum cyber risk and resilience, directors should recognize that this is a multiyear transition that requires active board and committee oversight, comparable in scale to year 2000 preparations. Therefore, it calls for early strategic planning, cross-functional coordination, and sustained capital investment.

Below are a few key areas the board and its committees should focus on:

A quantum risk baseline and cryptographic inventory. The inventory should identify where quantum-vulnerable public-key cryptography (RSA, Diffie-Hellman, and elliptic-curve schemes) is used to protect critical assets, how long the protected data must remain confidential, and how readily each use could be swapped for a post-quantum algorithm. That last property is what NIST calls “crypto-agility”: the ability to replace an algorithm without redesigning the system. The inventory is the baseline against which the crypto-agility assessment and the migration plan are measured.

The transition road map to post-quantum cryptography. Transitioning to PQC will be complex and staged, requiring planning over several years. Boards should expect a documented road map from management that aligns with emerging standards. This should be a highly structured program, similar to those that manage other mission-critical risks.

Third-party and supply chain quantum readiness. Quantum risks extend to cloud providers, software vendors, and other service partners whose cryptography underpins the company’s resilience.

Governance structure, expertise, and escalation. Consider whether risk oversight responsibilities across the board and its committees are clearly delineated and aligned with evolving cyber and quantum threats. Boards may require more external briefings so they can probe management credibly on quantum risk.

Integration of quantum risk into cyber risk, resilience, and disclosure. Quantum risk should be incorporated into the company’s broader cyber-risk assessment, incident-response planning, and resilience exercises. Investors and regulators will expect reassurance regarding management’s quantum preparations in the company’s disclosures.
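The cryptographic inventory and the planning-horizon reasoning above (data shelf life plus migration time measured against the expected arrival of a cryptographically relevant quantum computer) can be made concrete. The following Python script is an added example, not code from the article or from KPMG or NACD. It classifies constructed inventory records as quantum-vulnerable, weakened, or safe, and ranks them with Mosca's inequality: an asset is exposed when shelf life (X) plus migration time (Y) exceeds the years until a cryptographically relevant quantum computer (Z). The inventory records, the eight-year CRQC estimate, and the algorithm-family lists are all assumptions made for illustration.

```python
"""Cryptographic inventory triage for post-quantum planning.

Added illustrative example; not from the article or from KPMG/NACD.
Inventory records and year estimates are constructed sample data.
"""
from dataclasses import dataclass

# Assumed algorithm-family status. RSA, finite-field DH and elliptic-curve
# schemes are broken by Shor's algorithm; symmetric ciphers are only weakened
# by Grover, so 128-bit keys are flagged for upgrade rather than replacement;
# FIPS 203/204/205 schemes (ML-KEM, ML-DSA, SLH-DSA) are treated as safe.
QUANTUM_VULNERABLE = ("RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519")
PQC_TAGS = ("MLKEM", "ML-KEM", "MLDSA", "ML-DSA", "SLH-DSA", "SLHDSA")


@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    shelf_life_years: int   # X: how long the protected data must stay secret
    migration_years: int    # Y: estimated time to move this system to PQC


def classify(algorithm: str, key_bits: int = 0) -> str:
    """Return 'safe', 'vulnerable', 'weakened' or 'unknown' for one algorithm.

    Hybrid names such as the TLS 1.3 group 'X25519MLKEM768' contain a PQ
    component, so they are counted as safe for key establishment.
    """
    name = algorithm.upper().replace("_", "-")
    if any(tag in name for tag in PQC_TAGS):
        return "safe"
    if any(name.startswith(v) for v in QUANTUM_VULNERABLE):
        return "vulnerable"
    if name.startswith(("AES", "CHACHA20")):
        return "safe" if key_bits >= 256 else "weakened"
    if name.startswith(("SHA-256", "SHA-384", "HMAC")):
        return "safe"
    return "unknown"


def mosca_exposed(asset: Asset, years_until_crqc: int) -> bool:
    """Mosca's inequality: exposed when X + Y > Z."""
    return asset.shelf_life_years + asset.migration_years > years_until_crqc


def triage(assets: list, years_until_crqc: int) -> list:
    """Rank assets: exposed vulnerable uses first, then unknowns, then the rest."""
    order = {"migrate now": 0, "investigate": 1, "schedule migration": 2,
             "increase key size": 3, "no action": 4}
    rows = []
    for a in assets:
        status = classify(a.algorithm, a.key_bits)
        margin = a.shelf_life_years + a.migration_years - years_until_crqc
        exposed = mosca_exposed(a, years_until_crqc)
        if status == "vulnerable" and exposed:
            action = "migrate now"
        elif status == "vulnerable":
            action = "schedule migration"
        elif status == "weakened":
            action = "increase key size"
        elif status == "unknown":
            action = "investigate"
        else:
            action = "no action"
        rows.append({"asset": a.name, "status": status, "exposed": exposed,
                     "margin_years": margin, "action": action})
    # Largest positive margin (longest exposure) first within each action class.
    return sorted(rows, key=lambda r: (order[r["action"]], -r["margin_years"]))


# Constructed sample inventory (assumption, not real data).
SAMPLE_INVENTORY = [
    Asset("M&A data room TLS", "RSA", 2048, 10, 3),
    Asset("firmware code signing", "ECDSA", 256, 15, 4),
    Asset("internal chat TLS", "ECDH", 256, 1, 2),
    Asset("backup encryption", "AES", 128, 7, 1),
    Asset("public web TLS", "X25519MLKEM768", 0, 0, 1),
    Asset("vendor VPN appliance", "proprietary", 0, 5, 3),
]
YEARS_UNTIL_CRQC = 8   # assumed Z, roughly "early 2030s" from 2026

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, YEARS_UNTIL_CRQC):
        print(f"{row['action']:<18} {row['asset']:<24} {row['status']:<10} "
              f"margin={row['margin_years']:+d}y")
```

In practice the records would come from certificate stores, TLS scan results, HSM key listings, and software bills of materials rather than a hand-written list; the classification and ranking logic stays the same. Note that the "unknown" bucket is ranked ahead of scheduled migrations deliberately: an algorithm the inventory cannot name is a gap in the baseline, not an asset that has been cleared.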

There will be no clear signal that it is “the right time” to adopt quantum‑safe cryptography. Now is the opportune moment for business leaders to prepare for post-quantum cyber risk and, more broadly, a post‑quantum future.

The views expressed in this article are the authors’ own and do not represent the perspective of NACD.

KPMG LLP is a NACD strategic content partner, providing directors with critical and timely information, and perspectives. KPMG LLP is a financial supporter of the NACD.

Patrick A. Lee is a senior advisor with the KPMG Board Leadership Center.

Aaron Kemp is US quantum leader for KPMG LLP.
