In September, the Financial Services and Information Sharing and Analysis Center (FS-ISAC) released “The Timeline for Post Quantum Cryptographic Migration.” The white paper warns of “crypto-procrastination,” and urges the industry to appropriately develop and implement the post-quantum cryptography (PQC) that will be needed to protect systems and data in a quantum world. “The time to prepare for quantum computing is arguably growing shorter, and the risks to security and resilience are clear,” the paper says, calling for global coordination and a common timeline for PQC.
We recently interviewed Dean Yoost, author of the RMA by ProSight book “Exponential Technologies Require Critical Thinking in the Boardroom,” for his perspectives on quantum’s risks and opportunities for banks, and how financial industry leaders are addressing it. Among other roles, Yoost is a past board member for Pacific Life Insurance Company and MUFG Union Bank and currently serves as an advisory board member of the American Honda Finance Corporation.
Q: Is there a danger that, with so much technology focus on AI, quantum computing could be overlooked? Are you seeing any evidence of this now?
A: Generative AI is dominating boardroom agendas today. There is a growing risk that the near-term focus on AI could crowd out attention to quantum computing. That would be a mistake. Quantum brings two simultaneous realities: (1) a strategic opportunity for advantage in industries including financial services and (2) a systemic risk to today’s public key cryptography and long migration timelines. Multiple regulators and standards bodies are publishing quantum-safe road maps and deadlines. Boards that only address AI will be late to the quantum opportunities and unprepared for the risks.
Almost all board and CEO surveys rank generative AI at or near the top of strategic priorities, signaling potential crowd-out for quantum readiness. In contrast, according to a 2025 survey by the quantum computing firm QuEra Computing, over 65% of businesses report being prepared or very prepared to adopt quantum computing within the next 2-3 years. Directors and management should consider benchmarking against peers to avoid being late to the quantum computing opportunities or unprepared for the emerging risks.
Q: What is the level of concern and attention in C-suites and boardrooms regarding quantum right now?
A: C-suites and boardrooms are showing rising but uneven attention toward quantum, balancing growing opportunities about its transformative potential with concern over the emergent risks. Most organizations remain in early awareness or pilot phases. The greatest area of boardroom concern is quantum-related cryptographic risk, especially the threat of “harvest now, decrypt later” attacks that could expose sensitive data once quantum computers achieve cryptographically relevant capability. Global regulators and industry bodies are urging businesses to begin quantum readiness planning, including migration to post-quantum cryptography and scenario analysis. Meanwhile, directors and management recognize potential competitive advantages in optimization and risk modeling. The boardroom discourse is shifting from speculative curiosity to strategic vigilance, as those in the boardroom increasingly demand risk mapping, vendor diligence, and quantum-safe transition roadmaps to ensure resilience and future readiness.
Q: The FS-ISAC paper talks about the need for cooperation among financial institutions and the regulators. What can individual banks do to prepare?
A: Banks need to begin developing a quantum readiness plan that aligns with their longer-term digital and cybersecurity goals. This includes establishing an internal task force to monitor advances in quantum technologies and their implications for encryption, data protection, and financial modeling. Banks should inventory which parts of their infrastructure rely on cryptographic protocols that could be rendered vulnerable by quantum attacks and start transitioning toward quantum-resistant algorithms. Investing in relationships and partnerships with quantum research institutes and technology providers can help banks recognize the emerging opportunities in quantum-enhanced risk modeling, portfolio optimization, and fraud detection. Education and training programs for directors, management, and IT and risk management staff are essential to build organizational awareness and capability. Banks could also engage with the regulators to ensure compliance and contribute to the development of industry-wide standards for quantum.
Q: Can you discuss, to the extent possible in layman’s terms, how quantum might enable fraud and financial crime?
A: Quantum computing could make it easier for bad actors to commit financial fraud by breaking the encryptions that currently protect sensitive banking data and online transactions. Most of today’s security systems rely on mathematical puzzles that even powerful legacy computers could take centuries to solve. A quantum computer, however, could solve these puzzles in seconds or minutes, allowing hackers to access confidential customer information, manipulate digital records, or impersonate authorized users. This means that without quantum-safe encryptions, banks could see their defenses suddenly become obsolete, opening the door to large-scale theft, fraud, and financial crimes.
Q: What can banks do now regarding their cryptography processes to start preparing for quantum?
A: Few, if any, financial services companies develop their own cryptographic tools. The vast majority are dependent on third parties. As such, emphasizing third-party risk management with the appropriate inventory of cryptographic use across the business and vendor due diligence is essential.
Banks can begin preparing their cryptography processes for quantum by conducting a comprehensive inventory of all cryptographic systems currently in use, including data-in-transit and data-at-rest. They can identify which systems rely on public-key algorithms that are most vulnerable to quantum attacks, and prioritize these for transition planning. Banks should start testing and piloting post-quantum cryptography algorithms recommended by the National Institute of Standards and Technology (NIST), ensuring interoperability and performance under real operational conditions. Banks can also develop governance frameworks, staff training, and vendor requirements that embed quantum readiness into their longer-term cybersecurity strategies. The readiness of vendor requirements should begin immediately as current contracts are renegotiated. The guidelines in preparing for post-quantum cryptography created by the Department of Homeland Security and NIST in 2021 provide useful steps to start preparing for quantum.
Q: Who are likely to be the bad actors? Will quantum computing require infrastructure and hardware that would only be available to big companies and nation-states? Would exploits in the early days of quantum likely be by terrorist groups/nation-states?
A: In the early days of quantum computing, the most likely bad actors will be state-sponsored groups, cybercriminal organizations, and advanced hacking collectives seeking to exploit the transitional period before quantum-resistant encryptions are widely implemented. Nation-states with significant resources are likely to target banks, government systems, and critical infrastructure to gain advantages through data decryption and espionage. Sophisticated cybercriminal networks could focus on harvesting encrypted data today to be exploited once quantum machines become capable of breaking the current cryptographic defenses. The combination of geopolitical ambition and criminal profit incentives seems to make these bad actors the most dangerous in the transition to quantum.
Q: What kind of timeline are we looking at in terms of when quantum will be developed enough to be put into use?
A: Most experts agree that broadly useful quantum systems remain some years away. They generally place practical quantum advantage—the point when quantum computers exceed the capabilities of supercomputers—in the 2030s, while Google’s leadership recently claimed that commercial quantum applications may surface within five years. But the future could arrive sooner than expected, so board members and management need to evaluate the potential impact of quantum on the industry and their business—and prepare for it.
This interview has been edited for length and clarity.
