The boardroom gap: why quantum risk is becoming a governance problem in Financial Services.

January 13, 2026

Most boards are already stretched.

AI is reshaping operating models. Ransomware is routine. Regulators are asking tougher questions about resilience, third-party exposure and systemic risk. Against that backdrop, it is tempting to treat quantum security as something to worry about later.

That assumption is becoming dangerous.

Quantum risk does not behave like a future problem. It behaves like a slow-burn governance issue.

This is not about physics. It is about longevity.

When boards hear the word quantum, they often think academic research or experimental technology. Something abstract and comfortably distant from enterprise risk. That framing is wrong.

Post-quantum cryptography is not about quantum computers suddenly breaking everything overnight. It is about whether the data being protected today will still be protected when it still matters.

Financial institutions hold data that must remain confidential for decades. Client and transaction records. Trading strategies. Proprietary models. Long-term contracts. Adversaries understand this. That is why the threat model has already shifted to ‘harvest now, decrypt later’: record encrypted traffic today and keep it until it can be broken.

Data is being harvested today on the assumption that a future quantum computer will break the public-key algorithms (RSA and elliptic-curve key exchange and signatures) that protect today’s sessions and keys. Symmetric ciphers such as AES-256 and modern hashes are far less affected, which is why the exposure concentrates in key exchange and certificates rather than in bulk encryption. From a governance perspective, the question is no longer when quantum arrives. It is whether today’s controls will still hold in the long term.

A familiar pattern for Financial Services

This pattern is well known in banking and insurance.

Technical teams see emerging risks early. They understand the mechanics and the timelines. Boards tend to engage later, often when regulators, auditors or peers start asking uncomfortable questions.

We have seen this before. With cloud adoption. With ransomware. With artificial intelligence.

Quantum is following the same curve, with one crucial difference. By the time the risk becomes obvious at board level, the ability to respond cleanly may already be gone.

You cannot rotate decades of cryptography overnight. You cannot easily replace certificates embedded across complex estates. And you cannot do either calmly once regulatory scrutiny has begun.

Regulation is already moving

Quantum risk is no longer hypothetical because regulation is no longer neutral.

Frameworks such as DORA, NIS2 and PCI DSS v4.0 may not always name post-quantum cryptography explicitly, but the direction of travel is clear, and the replacement algorithms already exist: NIST published FIPS 203, 204 and 205 (ML-KEM, ML-DSA and SLH-DSA) in August 2024. Regulators are signalling expectations around long-term confidentiality, crypto-agility and preparedness for next-generation threats.

For regulated institutions, waiting for certainty is not a strategy. It is a postponement.

The real gap is governance, not capability

In most organisations, this is not a technical blind spot.

Security teams are already assessing exposure. Architects know where cryptography lives. CISOs understand the risks around certificate sprawl and algorithm longevity.

The problem is how quantum risk is framed at board level. It is often treated as a technical footnote rather than a business risk.

That creates a governance gap:

No clear ownership. No agreed time horizon. No decision point for when ‘not urgent’ becomes ‘too late’.

Because nothing breaks immediately, the risk slips quietly down the agenda. Until it does not.

We have solved problems like this before

Boards do not need to understand quantum in technical depth. But they do need to own it. That ownership starts with practical questions:

  • Which data must remain secure for the next 20 or 30 years?
  • Where does encryption sit across the estate?
  • How quickly could the organisation adapt if standards change?

For many institutions, answering those questions reveals something uncomfortable. Cryptography is often deeply embedded, poorly inventoried and hard to change quickly.

This is where early, pragmatic intervention matters. Introducing crypto-agility, particularly at the network layer, creates optionality. It buys time. It reduces disruption.

It is not about betting on one algorithm or one future standard. It is about ensuring the organisation can move when it needs to.
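One way to turn the three board questions above into something a risk register can actually hold, as an added example rather than Sitehop’s own code or method: a cryptographic inventory triage in Python. Each entry records where the cryptography sits, what role it plays (key agreement, signature or symmetric), how long the data it protects must stay confidential, and how long it would realistically take to replace. The algorithm lists, the sample assets and the ten-year horizon are all assumptions made for the example; the horizon in particular is the figure the board has to own.

```python
"""Cryptographic inventory triage for the three board questions: which data
must stay secret for decades, where cryptography sits, and how fast it can
move. Added example, not Sitehop's code. The asset list is constructed and
the quantum horizon is an assumption the board must choose."""
from dataclasses import dataclass

# Algorithms whose security rests on factoring or discrete logarithms: broken
# by Shor's algorithm on a cryptographically relevant quantum computer.
SHOR_BROKEN = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "X25519", "Ed25519"}
# Symmetric ciphers and hashes: only Grover's quadratic speed-up applies, so
# 256-bit keys and digests remain adequate.
GROVER_ONLY = {"AES-128", "AES-256", "ChaCha20", "SHA-256", "SHA-384", "HMAC-SHA256"}
# NIST FIPS 203/204/205 algorithms and the X25519MLKEM768 TLS hybrid.
POST_QUANTUM = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "SLH-DSA", "X25519MLKEM768"}


@dataclass
class Asset:
    name: str               # where the cryptography sits in the estate
    role: str               # "kex" (key agreement), "sig" (authentication) or "sym"
    algorithm: str
    shelf_life_years: float  # how long the protected data must stay confidential
    migration_years: float   # realistic time to replace it in this estate


def classify(algorithm: str) -> str:
    if algorithm in SHOR_BROKEN:
        return "shor-broken"
    if algorithm in GROVER_ONLY:
        return "grover-only"
    if algorithm in POST_QUANTUM:
        return "post-quantum"
    return "unknown"  # an inventory gap; treated as vulnerable below


def harvest_exposure(asset: Asset, horizon_years: float) -> dict:
    """Mosca's test: if shelf life + migration time exceeds the assumed years
    until a cryptographically relevant quantum computer, ciphertext recorded
    today can be decrypted while it still matters. Only confidentiality of
    recorded data is exposed that way, so key-agreement assets carry the
    harvest risk; signatures only matter at the moment they are verified,
    so for them the question is whether replacement beats the horizon."""
    cls = classify(asset.algorithm)
    vulnerable = cls in ("shor-broken", "unknown")
    margin = horizon_years - (asset.shelf_life_years + asset.migration_years)
    if not vulnerable:
        verdict = "ok"
    elif asset.role == "kex" and margin < 0:
        verdict = "harvest-now-decrypt-later"
    elif asset.role == "sig" and asset.migration_years > horizon_years:
        verdict = "authentication-at-risk"  # cannot be replaced before it breaks
    else:
        verdict = "plan-migration"
    return {"asset": asset.name, "class": cls, "margin_years": margin, "verdict": verdict}


def triage(assets, horizon_years: float = 10.0) -> list:
    """Worst first: by verdict severity, then by how far the margin is blown."""
    rows = [harvest_exposure(a, horizon_years) for a in assets]
    severity = {"harvest-now-decrypt-later": 0, "authentication-at-risk": 1,
                "plan-migration": 2, "ok": 3}
    return sorted(rows, key=lambda r: (severity[r["verdict"]], r["margin_years"]))


# Constructed sample inventory (assumption, not a real estate).
SAMPLE_ASSETS = [
    Asset("Inter-DC link, TLS 1.2 ECDHE-RSA", "kex", "ECDHE", 25.0, 3.0),
    Asset("Client portal, TLS 1.3 X25519MLKEM768", "kex", "X25519MLKEM768", 25.0, 1.0),
    Asset("Code-signing certificate, RSA-3072", "sig", "RSA", 0.0, 2.0),
    Asset("Root CA, RSA-4096", "sig", "RSA", 0.0, 12.0),
    Asset("Archive at rest, AES-256", "sym", "AES-256", 30.0, 5.0),
    Asset("Legacy batch transfer, vendor cipher", "kex", "VENDOR-PROPRIETARY", 7.0, 2.0),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ASSETS, horizon_years=10.0):
        print(f"{row['verdict']:<27} margin {row['margin_years']:+6.1f}y  "
              f"{row['class']:<13} {row['asset']}")
```

The point the report makes that the paragraph does not: the same algorithm gets a different verdict depending on its role. The ECDHE-protected inter-DC link is a harvest-now-decrypt-later problem today, because the traffic can be recorded now and read later; the RSA root CA is not a harvest problem at all, but it is a migration-speed problem, because a twelve-year replacement cycle runs past the assumed horizon. An unknown vendor cipher is reported as vulnerable rather than ignored, which is usually the most honest answer an inventory can give.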

A quiet test of stewardship

For boards, quantum risk is ultimately about stewardship.

Protecting value over time. Avoiding avoidable disruption. Staying ahead of regulatory expectation rather than reacting under pressure.

Quantum risk may not be loud yet. But it is persistent.

And like most governance failures, it only becomes obvious once ignoring it becomes far more expensive than acting early.


To find out more, email info@sitehop.com

Or call us: +44 (0)114 478 2366

Sitehop.

Engineered for speed. Built for the future.