Following the Financial Services Faculty’s recent webinar on quantum computing threats to financial services, presenter Derya Kali details actionable next steps in this article.
Here's your practical roadmap for building quantum resilience across your organisation.
Phase 1: Technology Assessment (3-6 Months)
The foundation of quantum preparedness begins with understanding exactly what you're protecting. Most financial institutions underestimate their cryptographic dependencies, creating blind spots that become critical vulnerabilities when quantum computers arrive.
Start by conducting a comprehensive audit of your cryptographic infrastructure across all systems. This means examining not just obvious security implementations, but also embedded encryption in hardware security modules, network appliances, and Internet of Things (IoT) devices that often contain outdated cryptographic protocols. Your legacy systems, particularly core banking platforms and SWIFT connections, require special attention, as these often rely on cryptographic standards that will be among the first to fall to quantum attacks.
Don't overlook your software dependencies. Modern applications rely heavily on OpenSSL libraries, API frameworks, and third-party security tools that each implement their own cryptographic choices.
A single outdated library can create a quantum vulnerability that compromises your entire security posture.
Complete this vulnerability mapping within 3-6 months, prioritising systems that handle the most sensitive data or critical operations.
Phase 2: Critical Data Inventory (2-4 Months)
While conducting your technology assessment, simultaneously catalogue the data that quantum computing could expose. This inventory should extend beyond traditional financial records to include the full spectrum of sensitive information your institution handles.
Customer data represents your highest-value target for quantum attackers. Personal information, account details, Know Your Client (KYC) documentation, and biometric data all require quantum-safe protection. Financial transaction records, audit trails, and compliance documentation must be classified by their long-term sensitivity: information that remains valuable to attackers years from now needs immediate quantum-resistant protection.
Internal credentials deserve special focus. API keys, certificates, and administrative passwords are often overlooked in risk assessments, yet these provide the keys to your kingdom. Classify each data category by quantum threat exposure, recognising that some information may be harvested now and decrypted later when quantum computers become available.
Prioritise highest-value data first, completing this inventory within 2-4 months to inform your protection strategy.
Phase 3: Cryptography Mapping (4-6 Months)
With your technology and data inventories complete, map how cryptography currently protects your operations. This technical mapping reveals the specific protocols that need quantum-resistant replacements and helps prioritise your migration efforts.
Network-level encryption forms your first line of defence. Document your current TLS/SSL implementations, VPN configurations, and IPSec deployments. Many organisations discover they're running outdated protocols that already represent security risks, making the quantum transition an opportunity to modernise their entire security architecture.
Application-level cryptography requires deeper analysis. Digital signatures, authentication tokens, and API security each rely on different cryptographic standards. Storage encryption for databases, backups, and cloud deployments often uses different algorithms than network communications, creating a complex web of dependencies that must be systematically addressed.
Document the interconnections between different cryptographic implementations. Modern financial systems often chain multiple encryption layers together, meaning a weakness in one component can compromise the entire security model.
Map all cryptographic implementations within 4-6 months, prioritising external-facing systems that attackers can most easily access. If your IT team does not specialise in cryptography, consider hiring experts for an internal audit.
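The mapping and prioritisation described in Phases 1 to 3 can be expressed as a small script. The following is an added example, not part of the original article: the inventory rows, the scoring weights and the `horizon_years` and `migration_years` planning figures are all assumptions to be replaced with your own.

```python
import re

# Constructed sample inventory (not from the article): one row per cryptographic use.
INVENTORY = [
    {"system": "internet-banking TLS", "primitive": "ECDHE-P256", "use": "key-exchange", "external": True, "retention_years": 10},
    {"system": "partner API TLS", "primitive": "X25519MLKEM768", "use": "key-exchange", "external": True, "retention_years": 10},
    {"system": "payment message signing", "primitive": "RSA-2048", "use": "signature", "external": True, "retention_years": 7},
    {"system": "internal batch VPN", "primitive": "DH-2048", "use": "key-exchange", "external": False, "retention_years": 1},
    {"system": "backup archive", "primitive": "AES-128-CBC", "use": "storage", "external": False, "retention_years": 15},
    {"system": "core DB at rest", "primitive": "AES-256-GCM", "use": "storage", "external": False, "retention_years": 15},
]

PQ_MARKERS = ("MLKEM", "ML-KEM", "KYBER", "ML-DSA", "DILITHIUM", "FALCON")
SHOR_PREFIXES = ("RSA", "ECDHE", "ECDH", "ECDSA", "DHE", "DH", "DSA", "X25519", "ED25519")

def classify(primitive):
    """Return 'pq-or-hybrid', 'shor-vulnerable', 'grover-review', 'symmetric-ok' or 'unknown'."""
    name = primitive.upper()
    if any(m in name for m in PQ_MARKERS):  # checked first: hybrid names embed a classical part
        return "pq-or-hybrid"
    if name.startswith(SHOR_PREFIXES):  # RSA, finite-field DH and elliptic-curve schemes
        return "shor-vulnerable"
    m = re.match(r"AES-(\d+)", name)
    if m:
        # Grover gives at most a quadratic speed-up, so short keys are reviewed, not treated as broken.
        return "symmetric-ok" if int(m.group(1)) >= 256 else "grover-review"
    return "unknown"

def priority(row, horizon_years, migration_years):
    """Higher score = migrate sooner. Both year figures are planning assumptions."""
    cls = classify(row["primitive"])
    if cls in ("pq-or-hybrid", "symmetric-ok"):
        return 0
    score = 1 if cls in ("grover-review", "unknown") else 2
    # Harvest now, decrypt later: recorded traffic matters if it must stay secret past the horizon.
    if row["use"] == "key-exchange" and row["retention_years"] + migration_years > horizon_years:
        score += 2
    if row["external"]:  # external-facing systems are the easiest to record or probe
        score += 1
    return score

def migration_order(inventory, horizon_years=10, migration_years=2):
    """Return (score, system, class) for every row that needs work, highest score first."""
    ranked = [(priority(r, horizon_years, migration_years), r["system"], classify(r["primitive"])) for r in inventory]
    return sorted((r for r in ranked if r[0] > 0), key=lambda r: -r[0])

if __name__ == "__main__":
    for score, system, cls in migration_order(INVENTORY):
        print(f"{score}  {system:26} {cls}")
```

Rows classified as `unknown` are kept in the output on purpose: an algorithm nobody can identify is itself an audit finding.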
Phase 4: Hybrid Encryption Strategy (12-18 Months)
Rather than waiting for perfect quantum-resistant solutions, implement a hybrid approach that combines classical and quantum-resistant cryptography. This strategy provides immediate protection while maintaining compatibility with existing systems and partners.
The NIST Post-Quantum Cryptography standards offer proven algorithms like Kyber for key exchange, Dilithium for digital signatures, and FALCON for certificate-based authentication. Begin implementing these algorithms in dual-layer configurations alongside your existing encryption, providing quantum resistance without breaking current operations.
Pilot programs allow you to test quantum-resistant protocols in controlled environments before full deployment. Start with internal systems where you control both endpoints, then gradually extend to customer-facing applications as your confidence and expertise grow. This gradual rollout approach minimises operational risk while building organisational capability.
Stress testing becomes critical during this phase. Quantum-resistant algorithms often have different performance characteristics than classical encryption, potentially affecting system response times and resource usage. Plan for infrastructure adjustments that may be needed to maintain service levels.
Implement hybrid encryption over 12-18 months, prioritising highest-risk systems first.
Phase 5: Vendor Coordination (Ongoing)
Your quantum security is only as strong as your weakest vendor partner. Core banking systems from providers like Temenos, FIS, and Oracle require coordinated upgrade paths that align with your internal migration timeline. Security vendors including HSM providers, certificate authorities, and cyber security partners need clear quantum readiness roadmaps.
Cloud infrastructure providers like AWS, Azure, and Google Cloud Platform are actively developing quantum-safe services, but their rollout schedules may not align with your risk timeline. Establish regular communication channels to stay informed about their quantum-resistant offerings and plan your migration accordingly.
Joint testing and upgrade schedules prevent the chaos of uncoordinated migrations. Work with your key vendors to establish shared timelines that ensure compatibility throughout the transition period. This coordination is particularly critical for systems that span multiple vendor platforms.
Begin vendor coordination immediately and maintain ongoing dialogue throughout your quantum transition.
Phase 6: Regulatory Collaboration (Continuous)
Quantum risk management increasingly intersects with regulatory compliance, making proactive engagement with regulators essential for staying ahead of evolving requirements. European authorities including the EBA and ECB are developing quantum-specific guidance that will affect all financial institutions operating in EU markets.
International standards bodies like BIS, NIST, and ISO are establishing quantum-resistant frameworks that will likely become mandatory requirements. Industry associations and banking groups provide forums for sharing best practices and coordinating industry-wide responses to quantum threats.
Proactive participation in regulatory guidance development ensures your institution's voice is heard in shaping requirements that you'll eventually need to meet. This engagement also provides early insight into regulatory expectations, allowing you to prepare before requirements become mandatory.
Maintain continuous regulatory engagement, prioritising staying ahead of requirements rather than scrambling to meet them after they're finalised.
Making It Actionable: Your Next Steps
This roadmap transforms quantum risk from an abstract future concern into concrete actions you can take today. Start with Phase 1's technology assessment: you can't protect what you don't understand.
Run Phases 2 and 3 simultaneously to build comprehensive visibility into your quantum exposure.
The key to success lies in treating quantum preparedness as a strategic transformation rather than a technical upgrade. This means involving business leaders in planning, allocating appropriate resources, and integrating quantum considerations into your broader risk management framework.
Most importantly, don't wait for perfect solutions. The quantum threat timeline means that organisations starting their preparation today will have significant advantages over those who delay. Begin with the assessment phases immediately; they require minimal investment but provide the foundation for all subsequent quantum resilience efforts.
Your quantum journey starts with understanding where you are today. The roadmap provides the path forward, but only action will get you there.
Derya Karli, Founder of Sirius Quantum Solutions.