Security

How Should Financial Institutions Prepare for Quantum Risk?

Quantum decryption may be a decade or more away, but banks, insurers and investment firms must act now to protect sensitive financial data.

Matt McLaughlin

Twitter

Matt is an associate editorial director and award-winning content creation leader. He is a regular contributor to the CDW Tech Magazines and frequently writes about data analytics, software, storage and cloud topics.

It could take a supercomputer 149 million years to decrypt data that has been encrypted with the RSA-2048 public-key encryption system. A sufficiently powerful quantum computer, however, could potentially crack that same encryption in as little as eight hours.

While quantum computers with this capability do not yet exist, experts predict they may become available within the next decade. For financial institutions — including banks, credit unions, insurance companies and investment firms — the implications of quantum computing demand immediate attention.

“Cryptographers have known for a few decades that if we are able to build a big enough quantum computer, it will threaten all of the public key crypto systems that we use today,” says Dustin Moody, a mathematician with the National Institute of Standards and Technology (NIST), in an HPCwire article. “So, it’s a serious threat.”

Although quantum computers capable of breaking today’s encryption are still years away, the threat they pose is already relevant to financial services organizations. Institutions can take proactive steps now to protect sensitive customer data, financial records and transaction systems before quantum decryption becomes a reality.

Click the banner below to read the 2024 CDW Cybersecurity Research Report.

x_security_q325_animated_click_desktop_01

x_security_q325_animated_click_mobile_01

The Risk Posed by “Harvest Now, Decrypt Later”

Encryption has long been foundational to financial services security, protecting customers’ personally identifiable information (PII), account information, payment transactions and proprietary business data. Historically, even if attackers gained access to encrypted data, it remained unusable.

That assumption is changing due to the threat of “harvest now, decrypt later” (HNDL) attacks. Cybercriminals are already stealing encrypted data today with the expectation that it can be decrypted in the future using quantum computers.

This threat is particularly acute for financial institutions because of the long-term value of financial data. Customer account histories, loan records, insurance policies, investment data and transaction logs may remain valuable for decades. Once stolen, there is no way to retroactively protect that data from future decryption.

To mitigate this risk, financial institutions must begin preparing now to ensure that data stolen today cannot be decrypted tomorrow.

Solution: The Arrival of Post-Quantum Cryptography

In May 2022, National Security Memorandum 10 directed federal agencies to prepare for the threat of quantum decryption by migrating vulnerable systems to quantum-resistant cryptography. While the directive applies to government agencies, it signals broader expectations for regulated industries such as financial services.

“Post-quantum cryptography is about proactively developing and building capabilities to secure critical information and systems from being compromised through the use of quantum computers,” said Rob Joyce, then director of cybersecurity for the National Security Agency, in an August 2023 statement.

In August 2024, NIST published three post-quantum cryptographic standards — ML-KEM, ML-DSA and SLH-DSA — designed to withstand quantum attacks. These standards are intended to secure data across systems such as digital banking platforms, payment processing environments, email and e-commerce. NIST has encouraged organizations to begin implementation as soon as possible.

Technology vendors such as Cisco Systems, Check Point and Palo Alto Networks have introduced security products that support post-quantum cryptography. Firewalls, network switches and other infrastructure components with PQC capabilities can help financial institutions protect data both in transit and at rest.

“It is imperative for all organizations, especially critical infrastructure, to begin preparing now for migration to post-quantum cryptography,” said Jen Easterly, then director of the Cybersecurity and Infrastructure Security Agency, in an August 2023 statement.

The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry.”

Rob Joyce Former Director of Cybersecurity, National Security Agency

How Financial Institutions Should Assess Their Quantum Risk

As financial institutions begin addressing quantum risk, guidance from NIST and other industry bodies can help shape early planning efforts. In September 2025, NIST’s National Cybersecurity Center of Excellence published a draft white paper on migrating to post-quantum cryptography, emphasizing that migration efforts often take years to complete.

A critical first step is conducting an assessment of which systems and data assets are most at risk. The ISACA IT security organization recommends building a comprehensive inventory of systems vulnerable to quantum attacks and classifying data based on sensitivity, regulatory requirements and business impact.

For financial institutions, this assessment should prioritize customer PII, transaction data, long-term financial records and proprietary business information. Understanding where the greatest financial, reputational and regulatory exposure exists enables IT leaders to focus mitigation efforts where they matter most.

Institutions should also conduct executive briefings, staff training and tabletop exercises to build awareness. Establishing a quantum readiness task force and assigning a dedicated quantum risk lead can further strengthen governance and accountability.

Take Action: Starting Your Quantum Readiness Journey

Industry experts advise financial institutions to begin preparing now. Full migration to post-quantum cryptography will take time, as organizations work through discovery, testing and vendor coordination.

As part of a quantum readiness strategy, IT leaders should align efforts with established security guidance such as NIST’s Risk Management Framework and ensure close collaboration between security, risk and compliance teams. Partnering with trusted vendors can help institutions adopt agile, standards-based solutions while minimizing disruption.

Ultimately, achieving quantum readiness will require collaboration across industries and regulators. There is no better time for financial institutions to begin the journey than now.

PREPARE: How can CDW help your organization achieve its security goals?

cokada/Getty Images