Why the Finance Sector Must Lead the Shift to Post-Quantum Cryptography

Quantum computing is no longer a far-off theory. The threat to today’s encryption is real, and the clock is running for organizations to become resilient. For banks and finance organizations sitting on mountains of sensitive data, the urgency to prepare for post-quantum cryptography (PQC) is growing.

With Q-day (the day a powerful quantum computer breaks today’s RSA and ECC algorithms) possibly arriving as early as 2028, today’s encryption won’t hold for much longer. That puts financial institutions—prime targets with high-value customer data, transactions, and proprietary models—at risk of cyberattacks targeting broken encryption.

If any industry should be leading the charge on post-quantum cryptography, it is financial services. Not just because the risks are high—but because the fallout from a cyberattack would be catastrophic. Around the world, regulators and industry groups are sounding the alarm and laying out roadmaps to guide financial institutions toward PQC readiness. In this blog, let’s dive into what that really means and why now is the time to start preparing.

The Fast Approaching Quantum Threat

Quantum computing threats are accelerating beyond early predictions. While today’s quantum computers can’t yet break our strongest encryption, the required hardware is expected to close the gap rapidly. What felt like a 2030s problem now threatens to arrive earlier. Widely used asymmetric algorithms like RSA and ECC are therefore at high risk of being cracked by then, which would expose critical financial systems and data.

“For the financial industry, the advent of quantum computers poses a risk to customer confidentiality and peer communications, authentication processes, and trust in digital signatures which enable dynamic legal agreements.”

Quantum Safe Financial Forum – A call to action Report by Europol

Moreover, “Harvest Now, Decrypt Later” attacks are underway. Threat actors are capturing encrypted data today so they can decrypt it in the future using powerful quantum computers. That means sensitive financial records, customer data, intellectual property, and internal communications could all be exposed down the line—even if they’re presumed to be secure right now.

For financial organizations handling high-value data that must be stored and protected for years to come, the message is clear: don’t wait; begin preparing for PQC migration today. Waiting until quantum threats are visible or imminent could lead to data breaches, hefty financial losses, and lasting reputational damage.

Why PQC?

Think of the NIST-approved PQC encryption algorithms as the new vault for your most critical assets—built on mathematical problems so tough that neither today’s supercomputers nor tomorrow’s quantum computers can crack them. By swapping in PQC algorithms, you can lock down customer data, preserve transaction integrity, and ensure long-term privacy against quantum‑powered attacks.

But there is an even bigger win: retroactive protection. When PQC algorithms are in place, any encrypted data an attacker harvests today stays unreadable tomorrow—even by the most powerful quantum computers. In short, PQC protects both your future communications and everything you’re securing now.

Key Roadblocks to Post-Quantum Cryptography Adoption

Post-quantum cryptography promises unparalleled security, but rolling it out isn’t straightforward. Previous migrations—like SHA-1 to SHA-2—spanned over a decade; transitioning to quantum-secure algorithms is even more complex—and will demand significantly more time and resources.

  • Lack of Cryptographic Asset Visibility

There is no centralized view of keys and certificates scattered across on-prem servers, cloud environments, endpoints, and third-party services. Security teams are unaware of where sensitive encryption lives or how it’s used. That insight gap makes it significantly harder to assess quantum-risk exposure or prioritize migration efforts.

  • Integration and Performance Hurdles

Quantum-safe algorithms behave very differently from today’s classical algorithms: they use larger keys, produce bulkier signatures, and demand more compute power. As a result, applications, protocols, and hardware modules often require substantial code rewrites, deep testing, and workflow overhauls—yet real-world PQC expertise remains scarce, making staffing these projects a struggle.

  • Operational Burden Without Disruption

It all must happen without disrupting critical services or breaching data-retention and compliance mandates. That means extracting legacy encryption from software and hardware, modernizing infrastructure, updating policies, and coordinating cross-team migrations flawlessly—because any slip-up could stall trading platforms, payment systems, or customer portals.

Without a clear, step‑by‑step roadmap, financial institutions risk falling behind as quantum threats materialize. To stay ahead, organizations must start planning, testing, and laying the groundwork for a smooth and secure transition to PQC.

Global Momentum for PQC Adoption

PQC is now a global priority. In the United States, the National Institute of Standards and Technology (NIST) is leading the charge with formal efforts to standardize PQC algorithms that can withstand quantum-level threats.

Over the last two years, NIST has finalized and published three official standards:

  1. FIPS 203 (ML-KEM) – The primary standard for general encryption
  2. FIPS 204 (ML-DSA) – The primary choice for digital signatures
  3. FIPS 205 (SLH-DSA) – A digital signature algorithm designed as a fallback option in case vulnerabilities are discovered in ML-DSA.

NIST’s roadmap also includes consideration for two additional algorithms: Falcon and HQC (Hamming Quasi-Cyclic). Once standardized, HQC will provide another option for key encapsulation mechanisms (KEM), while Falcon will support quantum-resistant digital signatures.
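A first pass at the asset-visibility gap described above can be a simple triage over a key and certificate inventory, using the three NIST standards listed here and the 2030 and 2035 dates this page gives for NIST's timeline. The following is an added example, not AppViewX code or part of the original article; the record fields, finding labels, priority names and sample inventory are constructed assumptions.

```python
from datetime import date

# NIST standards named on this page, keyed by algorithm family.
PQC_FAMILIES = {"ML-KEM": "FIPS 203", "ML-DSA": "FIPS 204", "SLH-DSA": "FIPS 205"}
# Classical public-key families that Shor's algorithm breaks.
CLASSICAL_FAMILIES = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
# Page: deprecated by 2030, phased out by 2035 (year-level cut-off assumed).
DEPRECATION_YEAR, PHASE_OUT_YEAR = 2030, 2035

def family(algorithm):
    """Map a label such as 'ML-KEM-768' or 'RSA-2048' to its family."""
    name = algorithm.upper()
    fam = next((f for f in PQC_FAMILIES if name.startswith(f)), None)
    if fam:
        return fam
    head = name.split("-")[0]
    return head if head in CLASSICAL_FAMILIES else "UNKNOWN"

def classify(asset):
    """Return (priority, findings) for one inventory record."""
    fam = family(asset["algorithm"])
    if fam in PQC_FAMILIES:
        return "none", ["pqc:" + PQC_FAMILIES[fam]]
    if fam == "UNKNOWN":
        return "review", ["unrecognized-algorithm"]
    findings = []
    # Recorded key exchanges can be decrypted later, whatever the expiry.
    if asset["use"] == "key-establishment":
        findings.append("harvest-now-decrypt-later")
    if asset["not_after"].year >= PHASE_OUT_YEAR:
        findings.append("valid-past-phase-out")
    elif asset["not_after"].year >= DEPRECATION_YEAR:
        findings.append("valid-past-deprecation")
    urgent = {"harvest-now-decrypt-later", "valid-past-phase-out"} & set(findings)
    return ("high" if urgent else "medium" if findings else "planned"), findings

def triage(inventory):
    groups = {}
    for asset in inventory:
        groups.setdefault(classify(asset)[0], []).append(asset["id"])
    return groups

# Constructed sample inventory (hypothetical names, not real systems).
INVENTORY = [
    {"id": "payments-gw-tls", "algorithm": "ECDH-P256", "use": "key-establishment", "not_after": date(2026, 3, 1)},
    {"id": "issuing-root-ca", "algorithm": "RSA-4096", "use": "signature", "not_after": date(2040, 1, 1)},
    {"id": "code-signing", "algorithm": "ECDSA-P384", "use": "signature", "not_after": date(2031, 6, 30)},
    {"id": "internal-api", "algorithm": "RSA-2048", "use": "signature", "not_after": date(2026, 9, 1)},
    {"id": "pilot-kem", "algorithm": "ML-KEM-768", "use": "key-establishment", "not_after": date(2027, 1, 1)},
]
```

Calling `triage(INVENTORY)` groups the asset ids by priority; anything landing in `review` uses an algorithm the classifier does not recognize and needs a manual look before it is counted either way.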

Global Guidance on PQC Migration for Financial Organizations

Several countries across the world have released roadmaps for PQC readiness and transition to spur real progress on post-quantum cryptography, especially in the finance sector.

1. NIST’s Deadline

NIST has laid out two critical deadlines: by 2030, classical cryptographic algorithms will be deprecated, and by 2035, they’ll be fully phased out. That’s not as far off as it sounds, especially for financial institutions managing complex infrastructures and long-lived data.

2. Europol’s Call to Action (QSFF – Feb 2025)

In February 2025, Europol’s Quantum Safe Financial Forum (QSFF) issued a clear call to action for financial institutions, vendors, and policymakers to jump into PQC migration without delay, recommending that they:

  • Prioritize PQC adoption – Make the transition to quantum‑safe cryptography a top strategic objective.
  • Coordinate roadmaps – Align goals, planning, and implementation of PQC across stakeholders.
  • Use a voluntary framework – Leverage regulator‑industry partnerships instead of new laws.
  • Modernize crypto governance – Treat this as an opportunity to enhance key and certificate management practices.
  • Foster global collaboration – Run joint pilots and share insights across private and public sector actors on quantum-safe initiatives.

3. The UK’s NCSC Milestones

The United Kingdom’s National Cyber Security Centre (NCSC) is also urging the banking and financial services sector to act early on PQC. To help organizations stay on track, the NCSC has outlined three key milestones:

  • 2028 – Complete discovery of all cryptographic assets
  • 2031 – Migrate critical systems to PQC
  • 2035 – Achieve full migration across all systems, services, and products

4. Switzerland’s Seven‑Step Roadmap (FIND)

Switzerland, too, is echoing the urgency. The Swiss Financial Innovation Desk (FIND) recently released its Action Plan to a Quantum-Safe Financial Future, providing a clear, seven-step roadmap to help financial institutions take the lead in preparing for quantum risk:

  1. Establish quantum risk governance
  2. Assess impacted business and technology components
  3. Minimize new legacy through quantum-safe procurement
  4. Address immediate “Harvest Now/Decrypt Later” risks
  5. Implement a structured PQC migration plan
  6. Align with industry standards and regulatory expectations
  7. Continuously review and refine your quantum strategy

For financial institutions worldwide, this action plan offers a practical playbook to stay ahead of the curve and build long-term resilience against quantum threats.

Get PQC-Ready Today to Power Quantum-Safe Innovation Tomorrow

As financial services race to deliver faster and smarter experiences, post‑quantum cryptography is more than a security upgrade—it’s a strategic advantage. Leading global banks, including JPMorgan, HSBC and Intesa Sanpaolo, are already investing in quantum computing to achieve breakthroughs in credit scoring, fraud detection, and pricing models. But without weaving PQC into your long‑term roadmap, those quantum investments won’t pay off. Transitioning to PQC and building true quantum resilience is the only way to lock out tomorrow’s threats, safeguard customer trust, and fully capitalize on quantum’s promise for the finance sector.

To help get your PKI and certificate infrastructure ready for the PQC shift, AppViewX AVX ONE CLM accelerates your PQC readiness with end-to-end certificate lifecycle management and crypto-agility, giving you comprehensive visibility, closed-loop automation, and complete policy control of your certificates—all in one powerful solution.

Additional AppViewX Solutions for PQC Readiness

  • PQC Assessment Tool – A purpose-built solution designed to help organizations prepare for the PQC migration by generating a Cryptographic Bill of Materials (CBOM), delivering a PQC readiness score, and providing remediation steps by scanning code, dependencies, configurations and certificates in enterprise environments.
  • PQC Test Center – A dedicated free online resource built to help you assess your organization’s PQC readiness by generating and testing quantum-safe private trust certificates prior to their integration into existing systems, applications, workloads, and machines.
  • PQC-Ready PKI – A modern, agile, and secure private PKI solution, designed to support PQC-enabled certificate issuance.

Explore AVX ONE CLM or talk to one of our experts today to get started!

About the Author

Krupa Patil

Product Marketing Manager

A content creator focused on providing readers and prospective buyers with accurate, useful, and latest product information to help them make better informed decisions.
