
Quantum Heist? Not So Fast — How Financial Institutions Can Fight Back

Published 10/10/2025

Written by Mehak Kalsi.

Do you have a bank account, cryptocurrency, and/or any assets managed by a financial institution or bank? I bet you want the financial institutions that handle them for you to keep those assets safe from any threat, including a Cryptographically Relevant Quantum Computer (CRQC), which is on the horizon. To help with this, the SEC has released their Post-Quantum Financial Infrastructure Framework (PQFIF), which provides a roadmap for the quantum-safe transition of the global financial infrastructure in order to protect trillions of dollars’ worth of assets. The focus of this roadmap is cryptocurrency; however, the framework can be used by financial institutions to manage all types of assets and money. Let’s take a deeper dive into this impressive 74-page roadmap and see how financial institutions can implement it at their organizations.

 

Expert Perspective on the PQFIF

This framework starts strong with a scenario on page 9 to be presented to the cybersecurity leaders, CIOs, CISOs, regulators, and other decision makers about the level of effort and tentative timeline for a high-level critical migration plan for a financial institution. It walks through the different phases and the final results which may lead to cost efficiencies and performance increases. This information can be used as a guide to plead the case to stakeholders and decision makers for the need for a quantum readiness plan and the funding required in the execution of that plan.

Another impactful narrative in this roadmap is section 2.2, which speaks to the accelerated threat timeline of Quantum Computers. The timeline of a CRQC is a hot topic in the Quantum Computing ecosystem, with varying degrees of consensus on when we may see one. Still, the general consensus remains that it is not far away when compared to the readiness level of most organizations and the time they require to prepare for the threat posed. Combine that with the importance of financial institutions to the stability of a nation and you have a mix that can’t be ignored for much longer.

This roadmap outlines a timeline as early as 2034 for a CRQC that is capable of breaking RSA 2048 in 24 hours, with the probability of a CRQC becoming a reality increasing significantly from 17%-34% in 2034 to 79% a mere 10 years later in 2044. The best part about this roadmap is that recent accelerating factors are also outlined and the timeline reset to as early as 2028 by Europol’s Quantum Safe Financial forum. This implies that if the financial institution hasn’t already started, it may already be too late. Some experts are even quoted as saying that, with the compressed timeline, "our last chance to start migration to post-quantum cryptography before being undone by cryptographically relevant quantum computers" may have already passed. This may sound like a strong statement; however, as someone who is in alignment with the 2030 timeline or sooner to see a CRQC, I have to agree with the statement. We are approaching a timeline where it may become irrelevant for an organization to start their Post-Quantum Cryptography (PQC) journey if they choose not to start immediately.

 

How to Use the PQFIF and Your Next Steps

This framework provides a strong foundation that financial organizations can use to start their post-quantum cryptography (PQC) journey, with full roadmaps, statistics, and scenarios already provided. If the cryptography of a financial institution fails, the reputational damage and loss of customer confidence in the institution are likely to be irreparable. Additionally, not only will financial institutions be impacted by their own inaction, but the greater financial ecosystem and supporting industries, including insurance, payment processing, asset management, and banking and lending, will be collateral damage. When considering not starting their journey, financial institutions need to consider the wider implications to society and financial services as a whole.

Besides using section 2 mentioned above to highlight the accelerated threat timeline of a CRQC, financial institutions can use section 5 to gather important statistics from FS-ISAC which will give the organization the insights they require to move forward quickly. Here’s a direct quote below that makes quite an impact:

“Recent industry analysis (e.g., FS-ISAC 2025 survey) reveals significant challenges:

  • 51% of organizations report lack of clear PQC ownership. These figures are indicative and may vary by sector; organizations should conduct their own assessments
  • 43% cite insufficient specialized skills
  • Performance trade-offs and integration complexities remain primary barriers
  • Many organizations are prioritizing AI initiatives over quantum readiness”

These alarming numbers and statements are being reported by FS-ISAC, a leader in the industry for reducing cyber risk for global financial systems. This is a wake-up call for financial organizations to prioritize quantum readiness and implement plans to move forward rather than be caught off-guard when the quantum threat materializes and it’s too late. Organizations can use the rest of section 5 to investigate solutions and the benefits of regulatory compliance and global interoperability.

Section 7 can be used to identify the scenarios that can be aligned with the needs of the financial institution and the supporting industries mentioned previously. Keep in mind that these are high-level roadmaps that will need more details added to them, tailored for each individual organization. Financial institutions need to ensure that they identify the right personnel and skillsets within the organization, or bring them in from external sources, to help with their PQC journey. Having the right personnel along with an executive-level champion at the organization is crucial to the success of this type of project.

If asked about cost optimization and other use cases, each section includes this information in addition to the scenarios that can be used to baseline the roadmap. If more specific numbers are required or requested, organizations can focus on section 11.4 which outlines the economic impact and value creation of implementing a PQC program. This includes monetizing items like cyber-attack prevention valued at greater than $1 billion, and the security of different financial sectors. Section 9 goes further to pinpoint the different solutions, programs, and government directives that are already released. One of the solutions outlined can be found in my previously released article which explains what FIPS 203, 204, 205 are and how they can be utilized. If financial institutions require mappings to existing frameworks, a focus on section 10 will help with that. The organization’s PQC journey can be aligned to address requirements already on the books that they need to comply with including NIST CSF, NSA CNSA 2.0, NSM-10, ISO/IEC, amongst others.

 

Bringing It All Together

If financial institutions that handle money and assets don’t prepare, we all will need to get ready for a heist bigger than any heist that’s been seen before. If not a heist that sees all of our assets drained from our accounts, then a wiping of financial data that will lead to financial systems collapsing at the hands of nation states and threat actors. In a world of quarterly reporting with a narrow lens on shareholder profit, it can be difficult for financial institutions to see past the next 3 months. However, without an industry level push and companies taking personal responsibility to prepare with long term plans, we may all have nothing left when a CRQC becomes a reality. And it WILL become a reality.

Consider PQC readiness alongside the Y2K preparation outlined in section 12.1. I often mention this ability for industries to work together on a global scale to make required updates as a part of my presentations, along with being personally compared to a Y2K prepper. I take it as a compliment since those Y2K preppers pushed the world to conserve and advance our way of life as it is today.

The warning signs are there, and those of us in the quantum-safe industry have been raising red flags and ringing bells for years if not decades. Consider the Quantum-Readiness: Migration to Post Quantum Cryptography, a joint effort by CISA, the NSA, and NIST released several years ago to help organizations get started on their post-quantum readiness journey. The PQFIF expands upon this information greatly and provides the details the financial industry can use. There is no longer any excuse for them not to get started.

Remember, all of our money is at stake. Financial institutions need to be ready to answer when their customers (i.e. all of us reading this thought leadership right now) come asking what they’re doing to prepare to keep our money safe now and with the emergence of a CRQC. Financial institutions will need to have a quantum-readiness plan with a strategic timeline for implementation for when the regulators come asking for it. If financial institutions don’t have one and can’t even answer what they’re doing to prepare, we will have a bigger catastrophe coming our way than we can imagine. It is the responsibility of financial institutions to start their post-quantum journey now before disaster strikes.  

 


Helpful Links:

If you’d like to learn more about what NIST is planning for post-quantum as well as other related topics, you can refer to the NIST Computer Security Resource Center (CSRC) site. Additionally, you can refer to the various publications of the Cloud Security Alliance (CSA) Quantum-Safe Security working group which can be found on the CSA website and on our LinkedIn page.
