Is Your IT Risk Management Framework “Future-Proof”?
Summary
Situation Overview: Technology risks constantly evolve. Effective IT Risk Management Programs can identify, address and, as needed, adapt to emerging risks. This analysis illustrates how an effective IT Risk Management Framework can identify an emerging risk, such as quantum computing, and modify risk management practices to manage and mitigate those risks.
Quantum computers capable of defeating today’s most widely used encryption tools are approaching reality. Upgrading to quantum-safe cryptography requires coordinated efforts across government, financial firms, their customers, and technology providers. In January 2026, the G7’s Cyber Expert Group (CEG) released a finance industry roadmap for the transition to post-quantum cryptography.
What: Financial institutions’ IT Risk Management programs must be able to effectively identify, manage, and mitigate emerging risks.
Who: All financial institutions.
When: Now. Quantum risk is just one example of an emerging risk that an IT Risk Management Framework should identify, assess, and mitigate. Further, industry-wide migration efforts require long lead times. The CEG and other official bodies are advocating 2035 as a completion target for migration to quantum-resistant technology, which, if achieved, would be a decade or so faster than previous industry transitions of encryption technology. Firms should take a fresh look now at their IT Risk Management Frameworks and objectively assess whether they are sufficiently forward-looking in today’s environment.
In Depth
The recent CEG publication highlights the complexity of upgrading encryption mechanisms across the range of hardware, networks, and software that modern finance relies on, and doing this in a way that allows for a long period of forward and backward compatibility to accommodate differing timelines across the large number of participants.
What is quantum computing and post-quantum cryptography?
The National Institute of Standards and Technology (NIST) defines a quantum computer as one that works by “harnessing quantum physics…to rapidly crunch through certain problems that would take current computers years.”[1]
Post-quantum cryptography algorithms are designed to withstand attacks from both conventional and quantum computers. Several have already been standardized: in August 2024 NIST published FIPS 203 (ML-KEM, for key establishment), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), the latter two for digital signatures.
Why does quantum computing create risks to current cryptography?
Much of today’s encryption, including the public key infrastructure (PKI) that underlies nearly all e-commerce, relies on public-key algorithms such as RSA and elliptic-curve cryptography whose security rests on integer factoring and discrete logarithm problems. Shor’s algorithm solves those problems efficiently on a sufficiently large quantum computer, one that is foreseeable but not yet available. (Symmetric ciphers and hash functions are affected far less; larger key and output sizes restore their security margin.) The CEG and other security experts highlight “harvest now, decrypt later” scenarios in which bad actors capture encrypted data today and decrypt it in the future, once quantum computing capabilities advance. The exposure is to confidentiality: a signature cannot be retroactively forged from captured traffic, but encrypted traffic captured now stays vulnerable for as long as its contents matter. This means that long-lived identity data, such as Social Security numbers, is especially vulnerable and may already be in the wrong hands.
How can the Financial Services industry begin to prepare now?
Effective IT Risk Management Frameworks build in regular updates to identified risks, the assessment of those risks, and required risk mitigation actions at certain trigger points.
Effective frameworks also demonstrate first line of defense identification and ownership of risks, second line of defense review and challenge of those risks, and third line of defense independent assessment.
A fully functioning three lines of defense operating model, with qualified personnel in each line, is necessary to respond to the risks posed not only by quantum computing, but by the myriad evolving and emerging technology risks impacting the financial services industry.
Applying those principles to quantum computing risks specifically, an effective IT Risk Management Framework might call for the following:
- Identify risks – create a comprehensive inventory of cryptographic assets (keys, certificates, algorithms, and the libraries and hardware that implement them), communication protocols, and relevant third-party dependencies
- Assess risks – integrate post-quantum cryptographic risk assessment into the firm’s existing IT risk assessment processes, including how long each category of protected data must remain confidential
- Identify, implement, and monitor risk mitigants, e.g.,
  - Establish crypto-agile architectures, so that algorithms and key sizes can be swapped without re-engineering the applications that depend on them
  - Upgrade end-of-life software and hardware
  - Enhance Vendor Management due diligence
  - Migrate to quantum-resistant cryptographic solutions as they become available
  - Monitor the performance of cryptographic risk mitigants
- Review and refresh governance, as needed
- Build Board and Executive level awareness of quantum computing risks and opportunities
- Assess talent across the three lines of defense, to help ensure an effective risk management operating model
- Stay current – regularly engage with industry groups and the public sector to maintain awareness of post-quantum cryptography developments and best practices
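As an added example that is not part of the original article, the following Python script shows how the first two steps above (inventory and risk assessment) and the “harvest now, decrypt later” exposure discussed earlier can be turned into a repeatable triage. It classifies each inventoried algorithm by how quantum computing affects it and then applies Mosca’s inequality (X + Y > Z, where X is how long the data must stay secret, Y is the migration time and Z is the time until a cryptographically relevant quantum computer, or CRQC). The CSV columns, the sample inventory rows, the algorithm tables and the choice of 2035 as the CRQC planning horizon are all assumptions made for this example; the page’s 2035 date is a migration target, not a forecast, and is used here only as a conservative horizon.

```python
"""Triage a cryptographic inventory for post-quantum exposure.

Added example, not from the page. Assumptions: the inventory is a CSV with the
columns shown in SAMPLE_INVENTORY (constructed data, not real systems); the
CRQC year is a planning horizon supplied by the firm; shelf-life and migration
estimates come from the asset owner (first line of defense).
"""
import csv
import io

# Algorithm families. RSA, finite-field DH/DSA and elliptic-curve schemes rest
# on factoring or discrete-log problems that Shor's algorithm solves; symmetric
# ciphers and hashes only lose margin to Grover's algorithm; ML-KEM, ML-DSA and
# SLH-DSA are the NIST post-quantum standards (FIPS 203, 204, 205).
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "EDDSA", "X25519", "ED25519"}
GROVER_MARGIN = {"AES-128": "AES-256", "SHA-1": "SHA-256", "3DES": "AES-256"}
QUANTUM_RESISTANT = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87",
                     "SLH-DSA-SHA2-128S", "AES-256", "SHA-256", "SHA-384", "SHA3-256"}


def classify(algorithm: str) -> str:
    """Map an algorithm name to its quantum-threat class."""
    name = algorithm.strip().upper()
    if name in SHOR_BROKEN:
        return "quantum-vulnerable"
    if name in GROVER_MARGIN:
        return "reduced-margin"
    if name in QUANTUM_RESISTANT:
        return "quantum-resistant"
    return "unknown"


def assess(row: dict, crqc_year: int, now_year: int) -> dict:
    """Apply Mosca's inequality to one inventory row.

    X = years the protected data must stay secret, Y = years to migrate,
    Z = years until a CRQC. If X + Y > Z, traffic harvested today can be
    decrypted while it still matters ("harvest now, decrypt later").
    Signatures cannot be forged retroactively from harvested traffic, so for
    authentication assets only Y > Z is treated as critical (a simplification).
    """
    alg = row["algorithm"].strip().upper()
    klass = classify(alg)
    x = float(row["shelf_life_years"])
    y = float(row["migration_years"])
    z = crqc_year - now_year
    # slack is the margin against the inequality; it is only meaningful for
    # the quantum-vulnerable class but is recorded for every row for sorting.
    finding = {"name": row["name"], "algorithm": row["algorithm"], "class": klass,
               "priority": "ok", "slack_years": z - (x + y), "recommendation": ""}
    if klass == "quantum-vulnerable":
        confidentiality = row["purpose"] == "confidentiality"
        exposed = (x + y > z) if confidentiality else (y > z)
        finding["priority"] = "critical" if exposed else "planned"
        finding["recommendation"] = ("replace with ML-KEM (hybrid with classical first)"
                                     if confidentiality else "replace with ML-DSA or SLH-DSA")
    elif klass == "reduced-margin":
        finding["priority"] = "upgrade"
        finding["recommendation"] = f"move to {GROVER_MARGIN[alg]}"
    elif klass == "unknown":
        finding["priority"] = "review"
        finding["recommendation"] = "algorithm not in classification table; owner to document"
    return finding


PRIORITY_ORDER = {"critical": 0, "upgrade": 1, "planned": 2, "review": 3, "ok": 4}


def triage(inventory_csv: str, crqc_year: int, now_year: int) -> list:
    """Assess every row and return the findings, most urgent first."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    findings = [assess(r, crqc_year, now_year) for r in rows]
    return sorted(findings, key=lambda f: (PRIORITY_ORDER[f["priority"]], f["slack_years"]))


# Constructed sample inventory (hypothetical asset names and estimates).
SAMPLE_INVENTORY = """name,algorithm,purpose,shelf_life_years,migration_years
customer-portal-tls,ECDH,confidentiality,1,2
customer-pii-archive,RSA,confidentiality,25,4
code-signing-root,ECDSA,authentication,0,3
payments-vpn,RSA,confidentiality,7,3
data-at-rest,AES-128,confidentiality,10,1
pqc-pilot-kem,ML-KEM-768,confidentiality,10,0
vendor-appliance,vendor-proprietary,authentication,0,5
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, crqc_year=2035, now_year=2026):
        print(f"{f['priority']:8} {f['name']:22} {f['algorithm']:18} "
              f"slack={f['slack_years']:+.0f}y  {f['recommendation']}")
```

Run as a script, the output ranks the 25-year PII archive and the payments VPN as critical (their data outlives the horizon even if migration starts today), schedules the short-lived TLS and code-signing assets, flags AES-128 for a key-size upgrade, and routes the vendor appliance to manual review. Feeding the real inventory through the same logic gives the second line of defense a concrete basis for challenging the first line’s shelf-life and migration estimates.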
Put Patomak’s Expertise to Work
As information technology risks continue to evolve, Patomak is well positioned to advise firms on driving enhancements in their Information Technology Risk Management Frameworks. Patomak’s suite of services can provide the support you need to enhance your risk management capabilities. If you would like to learn more about how Patomak can partner with you, please reach out to Heather Espinosa at hespinosa@patomak.com or Ray Strecker at rstrecker@patomak.com.
Want to learn more about Post-Quantum Cryptography? Below are some helpful references:
G7 Cyber Expert Group Releases Roadmap for Coordinating the Transition to Post-Quantum Cryptography in the Financial Sector | U.S. Department of the Treasury (Jan 2026 release)
G7-CYBER-EXPERT-GROUP-STATEMENT-PLANNING-OPPORTUNITIES-RISKS-QUANTUM-COMPUTING.pdf (Sept 2024 release)
What Is Post-Quantum Cryptography? | NIST