The Board’s First Five Questions About Post-Quantum Risk

Post-quantum risk is easy to misclassify.

It sounds technical. It sounds distant. It sounds like something for cryptographers, cybersecurity teams or infrastructure vendors to handle when the time comes.

That is the wrong framing.

Post-quantum risk is a board-level issue because it affects long-term confidentiality, customer trust, digital continuity, supplier assurance and the organisation’s ability to protect sensitive data over time.

The board does not need to debate cryptographic algorithms. But it does need to ask the right questions.

Here are the first five.

1. What sensitive data do we hold that must remain confidential for years?

The first board-level question is not about systems. It is about data.

Which information would still be damaging if exposed five, ten or twenty years from now?

That may include client files, legal records, health information, identity documents, financial records, intellectual property, commercial contracts, privileged communications, strategic plans, authentication data or archived customer records.

This matters because of the “harvest now, decrypt later” problem. Encrypted data can be stolen or collected today, stored, and potentially decrypted in the future if the cryptography protecting it becomes vulnerable.

For organisations with long-life sensitive data, quantum risk is not only a future technology risk. It is a current confidentiality-planning risk.

A credible answer should tell the board:

  • what long-life sensitive data the organisation holds;
  • where that data is stored, transmitted and archived;
  • how long it must remain confidential;
  • which systems and vendors protect it;
  • what the consequences would be if it were exposed later.

If management cannot answer this clearly, the organisation is not yet ready to discuss transition priorities.

If the organisation holds information that must remain confidential for years, the next question is timing: how long do we have to understand the exposure and plan the transition?

2. What is our transition timeline?

Waiting for quantum computers to become operationally threatening is not a strategy.

 

Transition takes time because organisations need to locate dependencies, assess risk, engage vendors, plan budgets, update systems, test interoperability, avoid disruption and maintain evidence for governance and assurance.

NIST finalised its first three post-quantum cryptography standards in August 2024: FIPS 203 for ML-KEM key establishment, FIPS 204 for ML-DSA digital signatures and FIPS 205 for SLH-DSA digital signatures.

 

For Australian organisations, the planning window is now concrete. The Australian Signals Directorate recommends that organisations have a refined PQC transition plan by the end of 2026, commence transition for critical systems and data by the end of 2028, and complete the transition by the end of 2030.

A credible answer should tell the board:

  • whether the organisation has a PQC transition owner;
  • whether a cryptographic inventory has started;
  • whether critical systems have been prioritised;
  • whether vendor discussions have begun;
  • whether budget and governance requirements are understood;
  • whether the organisation can meet relevant milestones.

The board does not need a detailed migration plan on day one. But it should expect a disciplined pathway from awareness to inventory, from inventory to prioritisation, and from prioritisation to implementation.

3. Where do we rely on public-key cryptography today?

Most organisations use public-key cryptography constantly, even if the board never sees it.

It may be present in customer portals, APIs, VPNs, cloud services, identity systems, certificates, secure email, digital signatures, software updates, payment flows, remote access tools, document platforms and vendor integrations.

The risk is that public-key cryptography is often embedded deep inside systems and supplier products. It is not always visible from a normal asset register.

That is why post-quantum preparation begins with inventory.

CISA, NIST and NSA have recommended that organisations begin preparing by creating quantum-readiness roadmaps, conducting cryptographic inventories, applying risk assessments and engaging vendors.

A credible answer should tell the board:

  • which critical systems use RSA, DH, ECDH, ECDSA or related traditional public-key cryptography;
  • which certificates, keys, protocols and digital-signature processes are in use;
  • which systems are internally controlled;
  • which dependencies are controlled by cloud, SaaS, software or infrastructure vendors;
  • where the organisation lacks visibility.

The point is not to replace everything immediately. The point is to know where the dependencies are before they become urgent.

4. Which systems would be hardest to change?

The board should assume that post-quantum transition will not be a single upgrade.

Some vendor-managed systems may be updated as part of normal product roadmaps. Others may require configuration, procurement decisions or replacement. Bespoke and legacy systems may require deeper redevelopment.

This is where PQC becomes a business continuity issue.

 

The most difficult systems to transition are often the ones that matter most: identity platforms, access-control workflows, customer portals, APIs, operational systems, secure document repositories, certificate infrastructure, integrations and long-running legacy applications.

A credible answer should tell the board:

  • which systems are business-critical;
  • which systems handle long-life sensitive data;
  • which systems are bespoke, legacy or difficult to update;
  • which vendor dependencies are unclear;
  • which systems would create operational disruption if changed poorly;
  • which systems should be prioritised first.

This is also where access control matters. If a system controls who can access sensitive information, approve transactions, exchange documents or administer customer workflows, then cryptographic transition cannot be separated from security architecture.

5. What evidence will customers, partners, insurers or regulators expect from us?

Post-quantum readiness will become part of the broader trust conversation.

 

Customers may not ask about ML-KEM, digital signatures or key exchange. But they may ask whether their data remains protected, whether critical systems can be updated safely, and whether suppliers have a credible transition plan.

For technology providers, professional firms and privacy-sensitive organisations, PQC readiness may influence procurement, due diligence, cyber insurance, audit conversations, customer assurance and board reporting.

 

 

A credible answer should tell the board:

  • what evidence the organisation could provide today;
  • whether suppliers can explain their own PQC roadmaps;
  • whether customer-facing systems are included in transition planning;
  • whether sensitive data is mapped by confidentiality life;
  • whether governance reporting is ready;
  • whether the organisation can explain its posture in plain English.

The board should not wait until a major customer, regulator or partner asks the question first.

What a mature board response looks like

A mature board response to post-quantum risk is not panic. It is structured preparation.

The first objective is not to deploy new cryptography everywhere. It is to create visibility and control.

That means:

  • identifying long-life sensitive data;
  • locating public-key cryptography across critical systems;
  • mapping vendor and software dependencies;
  • prioritising systems by risk, sensitivity and operational importance;
  • creating a transition roadmap;
  • modernising systems where required;
  • maintaining evidence for governance, customers and future assurance.

Post-quantum transition is not only a cryptography project. It is a business continuity, data protection and digital-trust program.

The board’s role is to make sure the organisation starts early enough, asks the right questions and treats the issue with the seriousness it deserves.

The practical first step

For most organisations, the right starting point is a PQC readiness assessment.

Not because every system needs immediate replacement.

But because leadership needs to know:

  • where exposure may exist;
  • which data and systems matter most;
  • which dependencies are controlled by vendors;
  • which systems may require redevelopment;
  • what decisions need to be made before transition pressure increases.
 

The organisations that prepare early will be better positioned to protect trust, manage cost and avoid rushed technical decisions later.

Post-quantum risk may sound like a future cryptography issue.

For the board, it is already a governance question.