BID® Daily Newsletter
Apr 27, 2026

Quantum Threats and Cyber Readiness for CFIs

Summary: Quantum computing and quantum cyberattacks may be a decade or two away, but cybersecurity experts are warning financial institutions to protect themselves now from “harvest now, decrypt later” attacks. We share the basics for you to start educating yourself on this increasingly important topic.

Try to solve the Traveling Salesperson Problem: a salesperson must visit 100 cities, and he must find the shortest route that visits every city. He must calculate the length of all the routes and then pick the shortest, and as the number of cities grows, the possible routes increase at a rate that depends on the number of cities. So, for the salesperson to calculate the shortest route through 100 cities, that brings the number of possible solutions to 9 x 10^157. Apparently, even the most powerful conventional computers can’t solve for 100 cities, but quantum computers will be able to — and quickly.
Quantum computing is expected to evolve over the next decade, with the potential to surpass today’s computational limits, and challenge conventional encryption. While the risk is not immediate, financial institutions (FIs) should begin incorporating it into their cyber risk management approach.
What is quantum computing?
It’s different than conventional computing because it relies on “qubits” — quantum states of matter such as atoms, photons, or superconducting circuits — to perform calculations. While classical computing uses bits with a binary computation of 0 and 1 to derive exact yes or no answers, qubits behave differently under the principles of quantum mechanics and can be in a combination of both 0 and 1 states at the same time.
The output is a probability distribution that fits well with complex problems, particularly in medical and scientific fields. These super-fast computers, which determine the most probable answers, would be augmented by conventional computers for more deterministic outputs. They might also be useful for optimization and risk modeling, if applied in the banking sector.
What are quantum cyberattacks?
One complex problem that hackers are anxious to solve is breaking encryption that relies on public-key cryptography to secure communications, data, and authentication — including the encryption that underpins online banking, interbank messaging, and other systems that financial institutions rely on.
Breaking that encryption is what cybersecurity experts are most worried about, and they have even given a name to the time when such cyberattacks could occur: Q-Day. Quantum experts surveyed by the Global Risk Institute say there is a 19% to 34% chance that Q-Day will arrive by 2034, increasing to a 60% to 82% chance by 2044.
When that time arrives, a quantum cyberattack on a large money center bank to gain access to a system like the Fedwire Funds Service payment system could result in a “cascading financial failure” across the US economy to the tune of up to $3.3T. This would mean a decline in real GDP of 10% to 17%, according to a report by Citi Global Perspectives & Solutions.
However, cybersecurity experts are sounding the alarm now because they believe that hackers today can steal encrypted data and just store it until they can crack it on Q-Day. Experts are calling these “harvest now, decrypt later” attacks.
How can FIs protect themselves?
For community financial institutions, “quantum cyber readiness” is less about predicting Q-Day and more about building the governance, visibility, and agility to adapt before attackers — or regulators — make those changes an urgent matter.
  • Start with governance and risk insight. Assign executive ownership (typically the CISO or CTO) and stand up a cross-functional quantum readiness workgroup spanning security, IT, risk, legal, and vendor management. Charge this group with assessing your current cryptographic posture, identifying where you use public-key cryptography today (TLS, VPNs, payments interfaces, digital banking, APIs), and benchmarking maturity against emerging industry guidance.
  • Begin factoring quantum risk into your cyber and compliance programs. To make sure you have a foundational risk framework in place for quantum computing, you might add quantum risk as an extension of your existing cyber and operational risk frameworks. You could include it in your enterprise risk assessment, board reporting, and GLBA/FFIEC information security program, and map activities to supervisory expectations around encryption, key management, third-party oversight, and change management.
  • Design for crypto agility and plan migration to PQC. Rather than hard-coding today’s algorithms, you can update standards and architectures so that critical systems can support multiple cryptographic schemes and be upgraded over time. As the National Institute of Standards and Technology (NIST) and other regulatory and technology standards bodies finalize post-quantum cryptography (PQC) standards, prioritize pilots on high-value, high-longevity data flows and critical payment connections, and start to work with core and fintech vendors to align their roadmaps with your own.
  • Mitigate “harvest now, decrypt later” exposure now. Even before you deploy PQC, you can reduce long-term risk by tightening key management and certificate lifetimes, preferring strong symmetric cryptography for stored data, and limiting how long especially sensitive data remains encrypted under vulnerable public-key schemes.
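An added example, not part of the original newsletter: a small triage pass over a cryptographic inventory of the kind the workgroup above would assemble, flagging quantum-vulnerable public-key use, “harvest now, decrypt later” exposure, and long certificate lifetimes. The inventory entries, field names, the 2034 planning horizon (the earlier survey date quoted above), and the 398-day certificate threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Public-key families a large quantum computer could break (Shor's algorithm).
QUANTUM_VULNERABLE = {"RSA", "ECDH", "ECDSA", "DH"}
HNDL = "harvest-now-decrypt-later exposure"

@dataclass
class Flow:
    name: str
    key_exchange: str        # algorithm protecting the session or file key
    cert_lifetime_days: int
    secret_until: int        # year until which the data must stay confidential

def assess(flow, horizon_year=2034, max_cert_days=398):
    """Return the findings for one data flow (thresholds are assumed policy values)."""
    findings = []
    vulnerable = flow.key_exchange.upper() in QUANTUM_VULNERABLE
    if vulnerable and flow.secret_until >= horizon_year:
        # Traffic captured today would still be sensitive at the planning horizon.
        findings.append(HNDL)
    elif vulnerable:
        findings.append("quantum-vulnerable key exchange")
    if flow.cert_lifetime_days > max_cert_days:
        findings.append("long-lived certificate")
    return findings

def prioritize(flows, **thresholds):
    """Flows with findings, HNDL-exposed first, then longest-lived data first."""
    scored = [(f, assess(f, **thresholds)) for f in flows]
    scored = [(f, fs) for f, fs in scored if fs]
    scored.sort(key=lambda p: (HNDL not in p[1], -p[0].secret_until))
    return [(f.name, fs) for f, fs in scored]

# Constructed sample inventory (hypothetical systems and values).
INVENTORY = [
    Flow("digital-banking-tls", "ECDH", 397, 2027),
    Flow("loan-archive-transfer", "RSA", 730, 2050),
    Flow("core-vendor-vpn", "DH", 365, 2036),
    Flow("payments-api-pilot", "ML-KEM-768", 90, 2040),
]

if __name__ == "__main__":
    for name, findings in prioritize(INVENTORY):
        print(f"{name}: {', '.join(findings)}")
```

The ordering puts high-longevity data under vulnerable public-key schemes at the top, which is where the bullets above suggest piloting PQC first.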
For C-suite leaders, the objective is to ensure your institution has governance, inventories, and migration plans in place well before quantum-capable adversaries — or new regulations — arrive, so you can protect customers and maintain trust without scrambling under duress. Although quantum computing that’s scalable enough for hackers to acquire and harness is at least a decade away, the risk is large enough that early preparation and familiarity with the topic will be key to navigating new standards and regulations when they are announced.