By Daryl Flack, Partner at Avella Security
Lloyds Banking Group’s recent quantum computing trial with IBM highlights the growing opportunities quantum technologies could unlock across financial services. From tackling increasingly sophisticated financial crime to enhancing fraud detection, risk modelling and portfolio optimisation, quantum computing has the potential to transform banking operations over the coming decades.
There is no doubt that quantum computing will unlock significant opportunities for the banking sector. However, those benefits are only one side of the quantum coin. An impending cyber risk sits at the heart of quantum readiness: protecting the cryptographic foundations that underpin modern financial services through post-quantum cryptography (PQC).
Financial services are arguably starting earlier than most sectors in post-quantum planning. Driven by regulatory scrutiny, operational complexity and the need to protect long-lived, high-value data, many institutions have already begun PQC discovery and migration planning. However, being ahead of other sectors does not mean the industry is ready.
Why quantum risk is already a board-level issue
Quantum computing is accelerating a transformation that will affect every part of a financial institution, from technology platforms and critical infrastructure to suppliers, governance structures and investment decisions. This is not about replacing a few encryption algorithms. It is an upgrade of the entire system.
The urgency stems from three converging factors: regulatory migration timelines, the long lifespan of financial data, and the advent of the “harvest now, decrypt later” threat.
Awareness is growing, but preparedness is not keeping pace. Research from ISACA found that 67% of European IT professionals believe quantum computing could increase or reshape cybersecurity risks, yet only 4% say their organisation has a defined strategy, and just 5% report a strong understanding of NIST post-quantum standards. The gap between concern and execution is significant.
Crucially, adversaries do not need quantum computers today to create future risk. Encrypted data can already be harvested and stored, with the intention of decrypting it once quantum capability matures. For financial institutions holding decades of customer records, payments data and regulatory information, the exposure is long-term and systemic.
The hidden cryptographic challenge
Cryptography is deeply embedded across banking environments: payment systems, customer platforms, identity systems, cloud infrastructure, trading engines, ATMs and third-party services. Many organisations lack full visibility of where or how cryptography is used, making migration significantly more complex than often assumed.
The UK National Cyber Security Centre (NCSC) has set a clear direction: organisations should complete discovery and migration planning by 2028, begin priority system transitions by 2031, and complete full migration by 2035.
While these timelines may appear distant, the scale of large legacy estates and the complexity of supply chain dependencies mean the effective implementation window is already narrowing. With only around 18 months remaining before the 2028 milestone for completing discovery and migration planning, many organisations still have significant ground to cover. For most financial institutions, this work alone will take several years to complete safely and at scale.
The supply chain blind spot
Modern financial services depend on complex supply chains of software vendors, cloud providers, payment processors, infrastructure partners and managed service providers, each of which may introduce cryptographic dependencies that must be discovered, assessed and eventually migrated.
This creates one of the sector’s biggest risks: supply chain readiness.
Work by the Bank for International Settlements (BIS), Swift and European central banks, including Project Leap Phase 2, demonstrated that post-quantum migration is technically feasible in live payment environments. However, it exposed significant challenges around performance, interoperability and system-wide coordination.
Vendor dependencies, contractual constraints and inconsistent readiness levels across suppliers could become major blockers unless addressed early.
What should finance industry leaders be doing now?
The six key priorities:
- Establish executive ownership – Assign a single migration lead and form a cross-functional programme team.
- Conduct cryptographic discovery – Identify where cryptography exists across systems, applications, networks and third parties.
- Prioritise long-lived data – Focus initial protection on assets most exposed to future “harvest now, decrypt later” risk.
- Build a phased migration roadmap – Start with low-risk pilots, then move to critical systems and legacy environments, aligned to refresh cycles.
- Engage suppliers early – Assess vendor readiness and build PQC requirements into procurement and contracts.
- Design for crypto-agility – Ensure systems can adapt to new algorithms without major redesign.
Starting small is essential. Early pilots help organisations build capability, test assumptions and reduce risk before scaling across complex estates.
Ongoing monitoring is also critical. Dashboards, audits and software bills of materials (SBOMs) will be key tools for tracking cryptographic dependencies and ensuring long-term visibility.
The financial services opportunity to lead
Financial services are already among the most active sectors in PQC readiness, driven by regulatory pressure, operational complexity, and the highly sensitive nature of the data they manage.
Acting now and continuing to evolve PQC migration strategies will enable financial institutions to set the gold standard for other industries, while also positioning them to fully capitalise on the wider opportunities that quantum computing will unlock.

