Quantum Computing and the Future of Financial Security: A Board-Level Issue We Can’t Ignore
By Tony Ferris
Until recently, I had no idea what Post-Quantum Cryptography (PQC) even was. Like many of you, I assumed the encryption systems we have relied on for decades were rock solid. But through my involvement in strategic conversations with industry leaders and regulators, I have come to understand that PQC is not some futuristic issue. It is a very real and very important development that could reshape how we protect our members and our institutions.
At the simplest level, think of today’s encryption as the digital locks on our financial system. These locks guard everything from your online banking login to the payment networks that move money to the files that hold member information. They have worked reliably for decades, much like the combination locks we all grew up with or the chip in a credit card that makes it secure to use.
The Math Problem
The problem is that the math behind these locks, while unbreakable by today’s computers, will not hold up forever. Quantum computers, expected to reach maturity in the 2030s, will have the power to break these locks wide open. If that happens, the data we rely on to protect our members leaving logins, transactions and personal records exposed.
And here is the real challenge: even if quantum computing is still a decade or more away, replacing all of these locks across every system and vendor will also take about that long. That is why the time to prepare is now.
Not Another Y2K
Some have asked me whether this is another Y2K. I do not see it that way. Y2K was a coding oversight with a fixed deadline and a straightforward fix. PQC is different. It is a real, impending scenario with no single deadline and no quick solution. Hackers can already engage in what is called Harvest-now, Decrypt-later (HN-DL), which means they can steal encrypted data today and simply hold onto it until quantum computers can decrypt it. That puts long-lived data like loan records, member information, and payment archives at risk right now.
This is why regulators and standards bodies are already moving. NIST has finalized new PQC standards, and federal agencies are under orders to begin migrating. While there are no mandates yet for credit unions or banks, it is not hard to see what is coming next.
The Critical Message
From a board perspective, I believe the critical message is not panic but preparation. In my experience, directors who begin asking questions early position their institutions to lead, not lag. The opportunity is to turn this challenge into a differentiator: to strategically leverage trust with our members by showing that we are thinking ahead and protecting them before regulators require us to.
So, what should we be asking?
- First, has management inventoried where our encryption is actually used?
- Second, have our core processors and critical vendors given us a roadmap for adopting PQC?
- And third, how are we building PQC readiness into our long-term strategic plans and risk appetite discussions?
What Members Expect
This is the kind of forward-looking oversight our members expect from us. Quantum computing may not disrupt financial services tomorrow, but the preparation must begin today. By leaning in, we can mitigate a critical risk and at the same time strengthen the foundation of trust that defines our cooperative mission.
Tony Ferris is CEO of Rochdale. For info: https://rochdaleparagon.com.
