Tick Tock Goes the Clock: Why banks can’t put off post-quantum security

01 June, 2026

Every time you check your balance, tap your card, or buy insurance online, an invisible lock protects the information moving across the internet. That lock is encryption, and for decades it has been effectively unbreakable. The math behind it would take today’s fastest computers billions of years to crack.

A quantum computer changes that arithmetic entirely. The same lock that would take an ordinary computer billions of years to pick, a powerful enough quantum machine could open in a matter of hours.

That machine doesn’t exist yet. But the financial system can’t afford to wait until it does, and the reason why is uncomfortable.

The theft that’s already happening

There’s a tactic in cybersecurity with a deceptively gentle name: “harvest now, decrypt later.” Attackers — criminal groups and nation-states alike — are quietly copying encrypted data today and storing it away. They can’t read it yet. They’re betting that within a few years, a quantum computer will let them.

For most industries, that’s a manageable risk. For finance, it’s existential. The data a bank handles — mortgage records, life-insurance policies, investment portfolios, trading positions — often has to stay confidential for years, sometimes decades. A loan record stolen and stockpiled in 2026 could be unlocked and exposed in 2036 and still do enormous damage. Put plainly: the data you encrypt today is already being stolen for a future in which that encryption no longer holds.

So when does the clock run out?

Honestly, nobody knows the exact date. The machine capable of breaking today’s encryption — cryptographers call it a cryptographically relevant quantum computer, or CRQC — hasn’t been built. But the expert odds are climbing.

The Global Risk Institute, which surveys leading quantum scientists each year, estimated in its 2024 report a 17 to 34 percent chance that such a machine could break RSA-2048 — the gold-standard encryption behind much of online banking — within 24 hours by 2034, rising to 79 percent by 2044. Its 2025 update pushed the ten-year odds higher still. Some industry leaders now argue the moment could arrive within just a few years.

The takeaway isn’t a precise date. It’s the direction of travel: the estimates keep moving closer, not further away.

Why banks have the hardest job of all

Here’s the part that should concern every financial institution: even once quantum-safe encryption is ready, and it is, swapping it in is far harder for banks than for almost anyone else.

Consider what’s actually involved. A typical bank runs encryption in thousands of places at once: the systems that move payments, the specialized hardware that guards digital keys, the connections between applications, the app on your phone, and the decades-old “core” systems quietly humming in the background. Every one of them is a lock that eventually needs replacing.

The trouble is that most institutions don’t even have a map of where all those locks are. In one industry survey, only 38 percent of organizations said they had a complete inventory of the encryption running across their systems. You cannot replace what you don’t know you have.

It gets harder. Many of the most critical banking systems were built in the 1990s, with their encryption wired directly into the architecture — not something you can simply update with a patch. Banks also depend on dozens of outside vendors; if those vendors aren’t ready, neither is the bank. And during the years-long switchover, old and new encryption have to run side by side, which — done carelessly — opens a door of its own: attackers can try to force a connection back down to the weaker, older encryption, a trick known as a downgrade attack.

None of this is cause for panic. It’s cause to start early, because the work itself takes years.

Regulators have stopped waiting

If the threat alone weren’t motivation enough, the rulebook is catching up fast.

In the United States, a national directive known as NSM-10 sets 2035 as the deadline for federal systems to move to quantum-safe encryption — and that pressure flows straight to the banks and insurers that work with, or are regulated alongside, the government. In early 2026, the G7’s cybersecurity group published a coordinated roadmap aimed squarely at the financial sector. And in Europe, regulators are tightening expectations around how institutions manage and document the cryptography they rely on.

There’s also new paperwork on the horizon: a Cryptographic Bill of Materials, or CBOM — essentially an itemized list of every piece of encryption a system uses, much like an ingredients label. Regulators increasingly expect institutions to be able to produce one. If you can’t, that isn’t just an operational gap; it’s a compliance problem.

The message across all of it is the same: post-quantum migration is no longer optional, and the institutions that haven’t begun are already behind.

The good news and the one mistake to avoid

First, the reassuring part: the replacement locks already exist. In 2024, the U.S. National Institute of Standards and Technology (NIST) finalized the first official quantum-safe encryption standards. And the Bank for International Settlements proved, through a project called Leap, that upgrading real payment systems to quantum-safe encryption is technically achievable. The tools are on the shelf.

So why is hardly anyone ready? In that same industry survey, only about 9 percent of organizations had an actual plan for the transition.

The most common mistake is rushing to install new encryption before knowing where the old encryption lives — the equivalent of re-keying a building before you’ve found all the doors. You cannot migrate what you cannot see, which is why every credible roadmap begins in the same place: discovery.

Five things to do first

A full migration is a multi-year program. But there are five concrete steps any institution can take now — enough to reduce risk, show the board real progress, and build the paper trail regulators will ask for.

1. Put someone in charge. Appoint a single owner for the quantum-readiness program.

2. Start discovery. Build a complete map of where cryptography lives across your systems.

3. Know your exposure. Identify which data and systems carry the longest confidentiality obligations — those come first.

4. Check your vendors. Find out which suppliers are quantum-ready and which are holding you back.

5. Stop making it worse. Don’t buy any new system that can’t support quantum-safe encryption.
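
A sketch of steps 2 and 3, added here as an illustration and not QuantumGate's tooling: it classifies a constructed inventory by algorithm family and ranks entries by how long data captured today would stay sensitive after an assumed CRQC year. The asset names, the 2034 horizon and the scoring rule are assumptions of this example.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a CRQC.
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
# Algorithms in the NIST standards finalized in 2024 (FIPS 203, 204, 205).
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass
class Asset:
    system: str            # where the cryptography runs
    algorithm: str         # algorithm family found during discovery
    protects: str          # "confidentiality" or "authenticity"
    secrecy_years: int     # how long the protected data must stay secret
    vendor_pq_ready: bool  # supplier has a quantum-safe upgrade path

def classify(asset):
    if asset.algorithm in QUANTUM_SAFE:
        return "quantum-safe"
    if asset.algorithm in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    return "unknown"  # not recognised: needs manual review

def exposed_years(asset, now=2026, crqc_year=2034):
    """Years that data captured in `now` stays sensitive after crqc_year."""
    # Harvest-now-decrypt-later only threatens confidentiality; signature
    # keys still need migrating but are not exposed by stored traffic.
    if asset.protects != "confidentiality" or classify(asset) == "quantum-safe":
        return 0
    # Unknown algorithms are scored as vulnerable (fail closed).
    return max(0, now + asset.secrecy_years - crqc_year)

def triage(assets, now=2026, crqc_year=2034):
    rows = [(a.system, classify(a), exposed_years(a, now, crqc_year),
             a.vendor_pq_ready) for a in assets]
    # Longest exposure first; on ties, assets blocked on a vendor first.
    return sorted(rows, key=lambda r: (-r[2], r[3]))

# Constructed inventory for illustration only.
INVENTORY = [
    Asset("payments-gateway-tls", "ECDH", "confidentiality", 10, True),
    Asset("mobile-app-signing", "ECDSA", "authenticity", 0, True),
    Asset("mortgage-archive", "RSA", "confidentiality", 30, False),
    Asset("pilot-key-service", "ML-KEM", "confidentiality", 30, True),
    Asset("core-ledger-link", "vendor-proprietary", "confidentiality", 20, False),
]

if __name__ == "__main__":
    for system, kind, years, ready in triage(INVENTORY):
        print(f"{system:22} {kind:19} exposed={years:2}y vendor_ready={ready}")
```

Moving `crqc_year` earlier or later shows how sensitive the ordering is to the timeline estimate; the long-retention records stay at the top either way.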

Ready, set, discovery

The quantum threat can feel abstract — a problem for a machine that doesn’t exist yet. But the data being harvested is real, the regulatory deadlines are real, and the migration genuinely takes years. The institutions that come through this smoothly will be the ones that started with a clear-eyed look at what they actually have.

That first step — discovery — is where QuantumGate works with banks, insurers, and financial institutions: producing a complete inventory of your cryptographic assets, a risk-scored list of what to fix first, and a phased roadmap aligned to your regulatory deadlines.

The clock is ticking. The best time to start was yesterday. The second-best time is now.