VIENNA, Va.–The threat from quantum computing is coming—and faster than many in credit unions realize–two people are warning, stressing that even the most deeply encrypted data today will be easily unencrypted in the coming years at great cost to credit unions and their members.
By Edward B. Cody and Elle Westbrook
In 1999, I (Ed Cody) was part of a Defense Agency team scrambling to secure funding to counter the Y2K threat. Everyone knew the exact moment the risk would arrive: midnight, Jan. 1, 2000. What we didn’t know was the scale of disruption. The cost of preparation was high, but the cost of failure would have been incalculable. That experience taught me a lesson that echoes loudly today: proactive investment in preparation is always less costly than crisis-driven repair.
Now, a similar but more complex challenge is on the horizon – quantum computing and its impact on cybersecurity. Unlike Y2K, there is no fixed date circled on the calendar. But the fuse is lit. Data stolen today can be stored and decrypted tomorrow once quantum machines reach maturity. Credit union boards must recognize this looming risk, provide oversight, and ensure their CEOs have the requisite plans and resources to safely guide their institutions into a post-quantum world.
Why Quantum Computing Matters for Credit Unions
Why now? Because quantum computing has been perceived as a post-2030s event, some may have the “What, me worry?” short-term approach. But, its impact may be upon us sooner, and it will have significant financial impacts. At a basic understanding, quantum computing is not just faster computing, it is much more powerful and changes the game. Essentially, it threatens to undo the current security framework that keeps financial data safe.
At the core of every transaction, loan record, and member account lies encryption. Today’s cryptography protects our members’ trust just as much as it protects their balances. But quantum computers promise an exponential leap in computing power. Algorithms that would take today’s computers thousands of years to break could be undone in days or hours.
Cybercriminals and nation-state actors are already stockpiling encrypted data they stole. When quantum computing achieves the necessary scale, every stolen file could suddenly become readable. For credit unions, that means member Social Security numbers, account histories, and financial transactions could be exposed retroactively.
A recent bill in Congress aims to create a national strategy for quantum cybersecurity migration, highlighting the seriousness of the threat at the highest levels of government. The message is clear: migration to quantum-safe encryption is not optional, but a responsibility we cannot defer.
The Board’s Role: Oversight, Not Engineering
Boards need not become Post-Quantum Cybersecurity (PQC) experts. Our responsibility is governance and oversight. We must ensure management understands the risk, has a migration strategy and roadmap, and is holding 3rd party partners accountable. Strong boards drive strong credit unions.
Research published by CUES emphasizes that boards that are proactive, engaged, and well-informed directly correlate with institutions that remain resilient through disruption. The same applies here. Boards that ask the right questions now will secure their credit unions’ future.
The Questions to be Asking
Here are the kinds of questions every board should be asking:
- What is the Board’s strategy for Post Quantum Cryptography.
- What is our institution’s timeline for migrating to quantum-safe encryption?
- Do we know which vendors are quantum-ready, and how they are proving it?
- What guidance are we receiving from regulators and industry associations, and how are we incorporating it?
- What budget has been allocated for this transition, and is it sufficient?
The point here is for boards to have sufficient knowledge to guarantee that the right solutions are being pursued and verified. During Y2K, the agencies and firms that prepared early avoided more costly efforts. Given the uncertainty as to an effective quantum computing date, it could lead to paralysis. But the stakes are too high to gamble. By insisting on early quantum readiness and a PQC resourced plan, boards protect not only against catastrophic breaches but also strengthen their overall cybersecurity posture today.
The Stewardship Imperative
Credit union boards are stewards of trust. Members do not expect us to be cybersecurity experts. They do expect us to ensure that our institution remains safe, competitive, and trustworthy in a digital world.
That credit union stewardship involves having the foresight to recognize that today’s earnings and other ratios mean little if tomorrow’s cyber breach erases confidence. It involves the courage to approve investments in security even when ROI is not immediate, and the accountability to ensure management does not delay action until regulators mandate it.
Practical Steps for Boards
To translate concern into action, boards should consider:
One: Vendor Accountability: Require periodic reports from core providers, cloud partners, and fintech vendors we partner with on their PQC readiness roadmaps.
Two: Risk Committee Focus: Ensure enterprise risk management explicitly includes PQC and other emerging technologies in its assessments.
Three: Education: Schedule board training sessions on quantum computing, blockchain, and AI. Directors don’t need to be experts, but they must be literate.
Four: Capital Planning: Treat quantum migration as a long-term capital expense and build reserves for cybersecurity upgrades now.
Five: Industry Collaboration: Engage with America’s Credit Unions, Defense Credit Union Council, CUES, and credit union Leagues to share strategies and insights, and push for regulatory clarity. We are stronger together to confront this challenge.
‘We Must Act Today’
The quantum era is coming. We do not know the date, but we know the destination. Just as we prepared for Y2K, boards must act today to prepare for a PQC environment tomorrow. If we fail, the consequences will not be limited to system outages. They will strike at the very trust that underpins the credit union movement. If we succeed, we will do more than protect our members’ data; we will prove once again that credit unions are built on effective stewardship and people helping people.
For board members, the choice is clear: govern with urgency now, or govern in crisis later.
Edward B. Cody is the chairman of the board of directors at PenFed Credit Union, one of the nation’s largest federal credit unions, serving nearly three-million members worldwide.
Elle Westbrook is the Identity & Access Management Engineer at PenFed Credit Union.
