Quantum computing may sound futuristic, but for investment firms, it is at the doorstep. The rapid pace of innovation in quantum computing combined with the threat level posed by a lack of comparable security measures demands swift industry action.
Investment in quantum computing technologies reached new highs in 2025, with more than $1.25 billion raised in Q1,[1] and research emphasizes transitioning from development to deployment.[2] While the practical capabilities of quantum are still emerging, investment firms must take seriously not just the opportunities but also the risks. This post outlines immediate steps investment firms can take to strengthen data security and prepare for the quantum era.
As quantum capabilities advance, cybersecurity specialists warn that existing encryption standards could soon be at risk. Security experts use the term “Q-Day” to describe the point when quantum computers become powerful enough to break today’s encryption, effectively rendering current protections obsolete. While that threshold has not yet been reached, a related and more immediate danger is already emerging. Malicious actors can “harvest now, decrypt later,” intercepting and storing encrypted data today with the intention of unlocking it once quantum capabilities mature.
Why Modern Encryption Methods Fall Short
To contextualize the risks posed by quantum computing, it is necessary to first review the mechanisms underpinning modern cryptographic systems. Digital information, be it text, numbers or visuals, is universally represented in binary format. The sequences of zeros and ones allow for interoperability across global computing networks.
Encryption protects digital communications by converting original binary sequences into unintelligible forms through mathematical transformations. This safeguards client records, trading data, internal communications, and other proprietary data. It also underlies the digital signature algorithms and hash functions used to ensure security and privacy in blockchains.
Encryption can be divided into two general types:
Private-key encryption, which requires secure key exchange between parties.
Public-key encryption, also known as asymmetric encryption which employs distinct public and private keys.
The RSA algorithm, widely used in financial systems, illustrates public-key encryption. Its security is derived not from the secrecy of the method, as used by private-key encryption, but from the computational infeasibility of factoring large prime numbers with classical computers. However, this reliance on mathematical intractability renders the system vulnerable to advances in computational capability, particularly quantum computing.
In the 1990s, computer scientist Peter Shor introduced a quantum algorithm capable of efficiently factoring large integers, thereby undermining the security of RSA and other widely adopted encryption schemes. Although originally of theoretical interest, given the immaturity of quantum hardware at the time, this algorithm is now of profound significance as quantum technologies advance.
What once seemed purely theoretical is now moving closer to practical reality, thanks to rapid technological progress. The estimated resources required to break RSA encryption have steadily decreased, from about 20 million qubits[3] in 2019 to fewer than 1 million qubits in 2025 (current quantum computers run 100 to 200 qubits).[4] To put this in perspective, Google estimates their 105-qubit quantum processor can compute in just five minutes what would take today’s fastest non-quantum supercomputers around 10 septillion (10²⁵) years.[5]
Shor’s algorithm demonstrates that, once sufficiently powerful quantum computers are realized, many current cryptographic systems will become obsolete. The consequences extend across domains such as financial transactions, government data, and private communications. Unlike conventional cyberattacks, such a breach could occur undetected, presenting a systemic risk of unprecedented scale.
The Harvest Now, Decrypt Later Threat
Malicious actors may already be intercepting and archiving encrypted data with the intention of decrypting it retroactively once quantum computational resources become available. Once they possess the data, there is little a firm can do to prevent decryption using future advanced computing power.
The threat to financial institutions is particularly severe.
“Harvest now, decrypt later” highlights the urgent necessity of proactive security measures. Reactive strategies will be ineffective once Q-Day occurs; data compromised in the past and present will become accessible. Therefore, anticipatory adoption of quantum-resistant cryptographic techniques is essential.
Why Current Post-Quantum Cryptography Methods Won’t Hold
As firms look for ways to defend against future quantum breaches, two main approaches have emerged. The first, Post-Quantum Cryptography (PQC), strengthens existing digital systems by using new mathematical algorithms designed to withstand quantum attacks. The second, Quantum Key Distribution (QKD), uses principles of quantum physics to create inherently secure communication channels.
Post-Quantum Cryptography (PQC) refers to classical cryptographic algorithms designed to withstand quantum computational attacks. Unlike quantum cryptography, PQC does not utilize quantum phenomena but instead relies on mathematical problems believed to be resistant to quantum attacks.
The implementation of PQC represents an interim safeguard, as it strengthens resilience against near-term quantum advancements. However, PQC is not a definitive solution. As quantum hardware evolves, algorithms presently considered secure may eventually be compromised. Consequently, PQC should be regarded as a transitional measure within a broader, dynamic framework of cybersecurity.
While PQC provides interim protection, Quantum Key Distribution (QKD) leverages the principles of quantum mechanics to enable secure communication channels. Specifically, QKD exploits long-distance quantum phenomena to guarantee that any attempt at interception can be detected.
For example, if entangled photons are employed in key distribution, eavesdropping introduces observable disturbances, thereby alerting legitimate parties. Unlike classical methods, QKD offers theoretical security guaranteed by physical law rather than computational difficulty.
Although pilot applications exist, including land-based fiber optics and satellite-based quantum networks, current limitations in scalability and infrastructure hinder widespread adoption. Nonetheless, QKD represents a critical avenue for long-term secure communication in the quantum era.
Firms Should Act Now
The impending disruption posed by quantum computing necessitates coordinated governance. Yet while governments are only beginning to grapple with the scale of quantum threats, many financial institutions remain hesitant to act. A recent survey shows that firms are waiting for regulatory mandates before addressing quantum risk in their risk management frameworks, a delay that could prove costly.[6]
At the same time, migration to quantum-resistant systems presents formidable challenges for financial institutions. The process involves substantial cost, technical complexity, and extended timelines for implementation, including system upgrades and workforce retraining.
Compounding these challenges is the uncertainty of future technological developments. A newly adopted post-quantum algorithm could itself become vulnerable within a decade, jeopardizing substantial sunk-cost investments.
One of the most significant initiatives to collectively address this challenge is led by the National Institute of Standards and Technology (NIST) in the United States. In 2016, NIST launched an international competition to identify cryptographic algorithms capable of withstanding quantum attacks. Following rigorous testing and evaluation, NIST announced four selected algorithms in December 2024, establishing the foundation for global post-quantum cryptographic standards.
This milestone represents the formal onset of the Post-Quantum Cryptography Era, underscoring the role of international collaboration and adaptive regulatory frameworks in shaping secure data infrastructures.
Given the risks of waiting for policy guidance combined with the challenges of full quantum migration, experts recommend a layered strategy:
Phase One: Transition to a hybrid model that combines today’s well-tested encryption methods with NIST’s recently adopted PQC standards, thereby significantly raising the threshold for potential attackers.
Phase Two: Build long-term resilience by preparing for the integration of quantum encryption and quantum networks, which provide security grounded in the physical principles of quantum mechanics.
This approach emphasizes agility and adaptability, recognizing that cybersecurity in the quantum era will require continuous evolution rather than reliance on a single definitive solution.
A Phase One Checklist for Investment Firms
Engage and Educate Stakeholders
Educate leadership and staff on the risks of quantum technologies and encourage further learning and participation.
Board oversight: add quantum readiness to risk dashboards.
Take Inventory
Map every system, vendor, and process dependent on cryptographic methods.
CBOMs (Cryptographic Bill of Materials) can be produced that identify cryptographic assets and their properties and dependencies.
Prioritize Based on Risk
Identify high-value data at the greatest risk.
Outline a quantum-secure roadmap with milestones and KPIs.
Conduct Vendor Due Diligence
Ensure custodians, OMS/EMS providers, and data vendors have quantum transition plans.
Dialogue with vendors about quantum threats and risk management strategies.
Pilot and Test New Algorithms
Begin piloting NIST-approved PQC algorithms.
Continue to monitor and update based on revised PQC standards and demonstrate cryptographic agility as cyber threats evolve.
Conclusion
If market participants lose confidence in the ability of the investment management industry to keep their data safe and secure, overall trust may decline. But more than that, retail and institutional investors could experience financial harm. Early and agile adoption of quantum strategies and processes is integral to mitigating these risks.
[1] Swayne, 2025
[2] Soller, 2025
[3] Qubits refer to “quantum bits” and are the fundamental unit of quantum information.
[4] Gidney, C. (2025). How to factor 2048 bit RSA integers with less than a million noisy qubits. arXiv preprint arXiv:2505.15917.
[5] Neven, H. (2024). Meet Willow, our state-of-the-art quantum chip. Google. https://blog.google/technology/research/google-willow-quantum-chip/
[6] evolutionQ (2025). “Quantum Threat Timeline 2025: Executive Perspectives on Barriers to Action.” Global Risk Institute in Financial Services (GRI). https://globalriskinstitute.org/publication/quantum-threat-timeline-2025-executive-perspectives-on-barriers-to-action/
