Simon Pamplin, CTO of Certes
Banks and financial institutions are custodians of some of the most valuable data in the world. Transaction histories, customer identities, credit records and trading information must remain secure not for months or years, but for decades. Yet the cryptography protecting much of this information today was never designed with quantum computing in mind.
Recent guidance from the G7 Cyber Group and the UK’s National Cyber Security Centre makes that clear. Financial organisations are being urged to prepare for a full transition to post-quantum cryptography by 2035. That may sound distant, but for institutions running complex systems and large technology estates, it is alarmingly close.
The uncomfortable truth is that the financial sector is facing a widening gap between the pace of cryptographic research and the speed at which production systems can realistically be updated.
The Risk Already Exists
It is tempting to treat quantum computing as a future concern. After all, a machine capable of breaking modern encryption at scale has not yet arrived. But that perspective overlooks a critical point: attackers do not need a quantum computer today to create damage tomorrow.
A strategy known as “harvest now, decrypt later” is already being used by adversaries. The idea is simple. Encrypted data is collected and stored now, with the expectation that it will become readable once quantum computing reaches the required level of capability.
For the financial sector, this creates a hidden risk. Data that appears secure today could be exposed years from now. Customer identities, transaction histories and sensitive commercial information may suddenly become accessible.
Given the long lifespan of financial data, this is not a hypothetical scenario. It is a real liability quietly building in the background.
The Pace of Change
The cryptographic foundations of the modern financial system rely heavily on algorithms such as RSA and elliptic curve cryptography. These methods are considered secure because the underlying mathematical problems are extremely difficult for classical computers to solve. Quantum computing changes that assumption, with the potential to solve those problems far more quickly.
At the same time, updating financial systems is far from straightforward. Many core banking platforms were built decades ago, with cryptography embedded deep within application code, firmware, or proprietary vendor software. In some cases, it is even built into hardware such as ATMs or payment terminals. Changing it can involve rewriting applications, recertifying devices, or replacing entire systems.
Financial institutions are well aware of the issue, but navigating environments that have evolved over twenty, thirty, or even forty years while maintaining uninterrupted services makes progress slow and complex.
Evolving Strategies
Security strategies are also evolving. Traditional perimeter defences such as firewalls and virtual private networks have repeatedly proved insufficient when attackers gain access using legitimate credentials. Increasingly, organisations are shifting towards models that focus on protecting the data itself rather than relying solely on network boundaries.
A data-centric approach allows stronger protection to be applied directly to information as it moves between systems. This means sensitive data can remain protected even within legacy environments while longer-term upgrades take place.
Crypto agility is also essential. Cryptographic standards inevitably change, and organisations need the ability to update algorithms and rotate keys without rebuilding entire systems.
The financial sector has adapted to technological change before, but the quantum challenge cannot be addressed overnight. Attackers are already collecting encrypted data, and updating complex banking environments takes years.
The Cost of Waiting
The financial sector has a strong history of adapting to technological disruption. But quantum computing presents a challenge that cannot be addressed overnight.
Regulators are setting expectations. Attackers are already collecting encrypted data. And updating complex financial systems takes years, not months.
Preparation does not require panic or wholesale replacement of technology. It requires understanding where sensitive data resides, identifying information that must remain confidential for decades, and introducing protections that can evolve as threats change.
The institutions that act early will not only reduce their exposure to quantum risk. They will strengthen resilience and maintain trust with customers, regulators and partners.
Quantum computing will eventually change the foundations of modern encryption. The real question is whether the financial sector will be ready before that happens.



