Post-Quantum Cryptography: What Financial Firms Need to Know Now

Quantum computing is not a present-day threat to your encryption. No quantum computer today can break the RSA or elliptic curve cryptography that protects your financial transactions, client communications, and stored data. But the threat is real, it is approaching, and the time to prepare is now — not when quantum computers become capable, but years before.

Here is why, and what financial firms should be doing about it.

The Harvest Now, Decrypt Later Problem

This is the concept that makes quantum computing an urgent concern rather than a future one. Nation-state actors and sophisticated adversaries are already intercepting and storing encrypted communications and data today, with the intention of decrypting them once quantum computers become sufficiently powerful.

For financial services firms, consider the sensitivity timeline of your data:

• Client personal data must be protected for the lifetime of the relationship and beyond (GDPR has no expiry)
• Trading strategies and proprietary research may remain commercially sensitive for 5-10 years
• M&A communications and deal data retain sensitivity for years after completion
• Regulatory correspondence may be relevant indefinitely

If your encrypted data is intercepted today and a cryptographically relevant quantum computer (CRQC) arrives within 10-15 years — which is within the range of credible expert estimates — then data that is sensitive today will be exposed during its sensitivity window.

The National Cyber Security Centre (NCSC) issued guidance in November 2024 explicitly recommending that organisations begin planning their migration to post-quantum cryptography, with a target of completing the transition by 2035.

What Is Post-Quantum Cryptography?

Post-quantum cryptography (PQC) refers to cryptographic algorithms that are resistant to attacks by both classical and quantum computers. In August 2024, the US National Institute of Standards and Technology (NIST) published its first three PQC standards:

• ML-KEM (FIPS 203) — based on the CRYSTALS-Kyber algorithm, for key encapsulation (used in establishing encrypted connections)
• ML-DSA (FIPS 204) — based on the CRYSTALS-Dilithium algorithm, for digital signatures
• SLH-DSA (FIPS 205) — based on the SPHINCS+ algorithm, a hash-based digital signature scheme

A fourth standard, based on the FALCON algorithm, is expected in 2026.

These standards are designed to be “drop-in” replacements for current cryptographic algorithms, though in practice the transition involves significant testing and validation across your technology stack.

What Financial Firms Should Do Now

1. Conduct a Cryptographic Inventory

You cannot migrate what you do not understand. The first step is to catalogue where cryptography is used across your organisation:

• Data in transit: TLS/SSL connections for web traffic, email, APIs, VPN tunnels, and internal service communication
• Data at rest: Disk encryption, database encryption, backup encryption, and encrypted archives
• Authentication: Digital certificates, code signing, secure boot processes
• Third-party integrations: Cryptographic dependencies in connections to prime brokers, fund administrators, market data providers, and cloud services

This inventory will reveal the scope of your eventual migration and identify the systems where quantum-vulnerable cryptography protects your most sensitive data.

2. Classify Data by Sensitivity Lifetime

Not all data requires the same urgency of protection. Prioritise based on how long the data will remain sensitive:

• High priority: Data that will remain sensitive for 10+ years (client PII, proprietary strategies, regulatory records)
• Medium priority: Data with 3-10 year sensitivity windows (financial reports, internal communications, operational data)
• Lower priority: Data with short sensitivity windows (publicly available information, marketing materials)

This classification helps you prioritise migration efforts and allocate resources proportionally.

3. Engage Your Technology Vendors

The heavy lifting of PQC migration will be done by your technology vendors — Microsoft, Google, your VPN provider, your backup vendor, your trading platform provider. Start asking them:

• What is your PQC migration roadmap?
• Which of your products already support PQC algorithms?
• When will PQC be available in the products we use?
• Will migration require any changes on our side?

Microsoft has already begun integrating PQC support into Windows, Azure, and Microsoft 365. Google Chrome has supported hybrid PQC key exchange since version 124. Signal has used PQC-protected messaging since late 2023. The ecosystem is moving, but vendor timelines vary significantly.

4. Implement Crypto-Agility

Crypto-agility is the ability to switch cryptographic algorithms without rebuilding your entire infrastructure. In practice, this means:

• Avoiding hard-coded cryptographic parameters in custom applications
• Using cryptographic libraries and frameworks that support algorithm negotiation
• Implementing certificate management systems that can handle PQC certificate formats
• Testing hybrid configurations that use both classical and PQC algorithms simultaneously

Crypto-agility is valuable regardless of quantum computing. It also protects against the discovery of weaknesses in current classical algorithms.

5. Monitor Regulatory Developments

Financial regulators are beginning to incorporate quantum risk into their frameworks:

• The NCSC recommends PQC migration planning begin immediately, with completion by 2035
• The ECB has identified quantum computing as a risk to the financial system’s cryptographic infrastructure
• DORA requires financial entities to maintain awareness of emerging ICT risks, which explicitly includes quantum computing
• The FCA expects firms to consider quantum risk as part of their operational resilience planning

Regulatory expectations will tighten as PQC standards mature and vendor support broadens.

6. Protect High-Value Data Now

For your most sensitive data — the data most likely to be targeted by harvest-now-decrypt-later attacks — consider additional protections today:

• Use the strongest currently available encryption (AES-256 for symmetric encryption)
• Implement hybrid TLS configurations where supported (combining classical and PQC algorithms)
• Minimise unnecessary data retention to reduce the volume of harvestable material
• Review network security to reduce the likelihood of data interception in the first place

A Realistic Timeline

For a typical London financial services firm, a pragmatic PQC preparation timeline looks like this:

2025-2026: Conduct cryptographic inventory. Classify data by sensitivity. Begin vendor engagement. Implement crypto-agility principles in any new development.

2027-2028: Begin testing PQC-enabled products and configurations in non-production environments. Update procurement requirements to include PQC readiness.

2029-2032: Migrate production systems to hybrid (classical + PQC) configurations as vendor support matures.

2033-2035: Complete migration to PQC-only configurations for the highest-risk systems. Retire quantum-vulnerable algorithms.

This timeline aligns with NCSC guidance and accounts for the reality that vendor support and interoperability testing will take time.

How Nerdster Can Help

We help financial services firms in London understand and prepare for the PQC transition. From conducting cryptographic inventories to engaging vendors and implementing crypto-agile architectures, we provide practical guidance that matches your firm’s risk profile and timeline.

If you want to understand where your organisation stands on quantum readiness, book a free IT assessment with Nerdster. We will give you an honest evaluation and a pragmatic roadmap.