Preparing for Q‑Day: why organisations must act now on post‑quantum security

June 2026  |  SPOTLIGHT | RISK MANAGEMENT

Financier Worldwide Magazine


Advances in quantum computing will soon yield computers that can do in mere minutes tasks that would take today’s supercomputers millions of years. This will bring major change to the technology, security and business communities. Many of these changes will be positive, such as exponentially faster medical discoveries and scientific innovation. But cyber security practitioners are also warning of an impending ‘quantum apocalypse’, and almost nobody, including in boardrooms and C-suites around the world, is paying attention.

One reason is artificial intelligence, the brilliantly shiny object that makes it nearly impossible to focus on other technological developments. But the quantum apocalypse also fails to attract attention for other reasons: it presents an unwieldy problem with an unspecified deadline, it involves deeply technical underpinnings that can make the most engaged audience’s eyes glaze over, and the people who really ‘get it’ are often not terribly good at communicating about it.

So, what is the quantum apocalypse really about, and what is to be done?

Our digital world depends in large part on a form of cryptography called ‘public key cryptography’, which encodes information in a way that is impossible for even the best classical (non-quantum) supercomputers to decode in a reasonable or useful timeframe. We use public key cryptography to encrypt sensitive data including health information, bank records and intellectual property (IP), but public key cryptography’s uses go far beyond encrypting data: public key cryptography is at the heart of secure web browsing, digital signatures, virtual private networks, cryptocurrency transactions, corporate IT networks, and more. Public key cryptography is a big deal in economic, security and societal terms.

Quantum computing could break public key cryptography. A cryptographically relevant quantum computer, as it is called, could easily decrypt today’s public key cryptography, unravelling secrets and making private transactions public. Avoiding this reality requires migrating from classical encryption to ‘quantum resistant’ or ‘post-quantum’ encryption standards, a few of which have been established by the US National Institute of Standards and Technology. When does this have to happen?

The date on which quantum computers reach a cryptographically relevant threshold and can break modern encryption is called ‘Q-Day’. Estimates for Q-Day vary but have recently centred around the early 2030s. The UK government has called for a national transition to post-quantum cryptography no later than 2035, and sooner for certain systems. The US National Security Agency notified owners, operators and vendors of National Security Systems to adopt quantum-resistant algorithms by 2025-33 (depending on the system) – and that notification was in 2022, before the pace of technological discovery quickened.

In recent months, Google sparked urgency when it said it plans to transition to post-quantum cryptography by 2029. It also published research estimating that breaking the underpinnings of elliptic curve cryptography, a widespread form of public key cryptography, might require 20 times fewer of certain quantum computing resources than originally estimated.

If the 2030s, or even 2029, seem far away, consider three points. First, migrating an organisation to post-quantum cryptography is an immensely complex feat that will require whole-of-enterprise coordination, skilled staff and budget, all of which are currently unplanned for in most organisations. It takes years. The UK’s National Cyber Security Centre identified three milestones to complete migration by 2035, and the first, notionally due seven years earlier by 2028, was to “define your migration goals… carry out a full discovery exercise [of all services and infrastructure that need to be migrated]… [and] build out an initial plan for migration”. If Google is right and the 2035 deadline should be more like 2029, then all that work should have been completed four years ago.

Second, the quantum apocalypse problem actually begins before Q-day due to a phenomenon called ‘harvest now, decrypt later’. This refers to the idea that governments (and others) that expect to have access to cryptographically relevant quantum computers are scooping up data today that, while encrypted and currently unreadable, will be something they can decrypt and read later. Thus, when it comes to protecting information that will remain sensitive for years, such as the names of confidential informants or IP with a long shelf-life, time is of the essence to migrate now.

Third, Q-Day may arrive without us knowing it. If a government develops (or has control over) a master key that can unlock all data and transactions protected by contemporary encryption, it has little incentive to broadcast this information. Thus, organisations’ data may be vulnerable before they know it. It is conceivable that Q-Day has already happened.

In fairness, there is an important countervailing point to set against these three facts: when Q-Day finally arrives because one party, say the US or Chinese government, has developed a cryptographically relevant quantum computer, this does not mean that party will have an unlimited ability to decrypt data, nor does it mean that many other nefarious parties will have access to that computing power. Q-Day marks the beginning, not the end, of The Great Decryption. Still, on balance, moving forward with urgency is the only reasonable course of action, especially for any enterprise handling sensitive data or transactions. The history of cyber security is littered with hacked companies that thought they were not a priority for the bad guys.

So, what is an enterprise to do?

The starting point is to raise awareness and establish governance. Post‑quantum migration is necessarily technical, but it will not be the work of IT or cyber security alone. Every part of the business will be involved, or at least affected, and must understand at some level what is coming. Building awareness on this technical issue will require thoughtful communications. Establishing whole‑of‑enterprise governance will accelerate work and help avoid expensive mishaps. This may be done through a committee co‑chaired by the leads for IT and security, to give one example, but the exact right approach to governance will vary for each organisation.

Enterprises must also engage leadership, including the board. Post‑quantum migration has a familiar ‘chicken and egg’ problem: it is poorly understood by leadership and therefore not well scrutinised or resourced. As a result, it is not prioritised for discussion by management or technical staff who do understand it – contributing in turn to its continued lack of visibility at the top. Put simply, few leaders direct resources at problems they do not know about or understand, and few managers want to volunteer to own large, unfunded challenges. Yet the Q‑Day conversation is coming to C‑suites and boardrooms one way or another; addressing it sooner, and on favourable terms, is far preferable.

Beyond awareness and leadership engagement, organisations need to develop a clear picture of their cryptographic environment. This includes creating an inventory of encryption and authentication mechanisms across the enterprise, as well as an inventory of suppliers and other partners, in order to understand how prepared – or unprepared – they are for Q‑Day. That information should feed into a post‑quantum risk assessment spanning both internal systems and third parties. Particular attention should be paid to data that would be ‘high consequence’ if exposed through ‘harvest now, decrypt later’ campaigns, with mitigation efforts prioritised accordingly.

At the same time, enterprises should monitor the regulatory and technology landscape for emerging obligations and warning signs. Major thefts of cryptocurrency from wallet providers, for example, may serve as one ‘canary in the coalmine’ indicator that Q‑Day has arrived. On the basis of these signals and assessments, organisations should develop a post‑quantum migration roadmap that accounts for regulatory and contractual obligations and deadlines, identifies migration partners, and clarifies when new requirements will be imposed on suppliers. Most importantly, this work should be guided by a principle of ‘crypto‑agility’ rather than treating post‑quantum migration as a one‑time exercise. Quantum‑resistant algorithms are likely to evolve, potentially requiring multiple migrations. Mastering one’s cryptographic environment offers benefits well beyond merely surviving Q‑Day.

Finally, organisations should prepare for the possibility that Q‑Day arrives suddenly. This means developing an emergency Q‑Day plan that allows teams to ‘break glass’ and mitigate risks to certain high‑value data or transactions if needed. Preparedness should be tested through crisis simulations for executives and operational drills for technical teams that may be required to migrate systems – or take them offline – at speed.

Taken together, this represents a substantial amount of work, and preparing for Q‑Day is not, for most people, enjoyable. But it is unavoidable. The messy, boring work will happen regardless, and the sooner it begins, the better.

 

Emilian Papadopoulos is president of Good Harbor Security Risk Management LLC. He can be contacted on +1 (202) 212 6688 or by email: emilian@goodharbor.net.
