If you touch financial data, financial systems, or financial transactions, you need to be paying attention to some industry shifts.
The G7 Cyber Expert Group recently released a high-level roadmap to help the financial sector prepare for cybersecurity risks arising from quantum computing.
This isn’t guidance meant only for the Morgan Stanleys and Citibanks of the world. The roadmap makes no distinction between “big bank” and “small bank.” Its perspective applies across the financial ecosystem.
While the roadmap doesn’t introduce new regulatory mandates, it does push for extensive collaboration across the world’s most influential economies, intended to shape how institutions think, plan, and govern this transition.
It’s worth pausing on who is delivering this message. The G7 represents the world’s seven largest economies. When that group collectively signals concern, the issue moves far beyond theory or niche technical debate.
“The introduction of quantum computers that can break our encryption tools presents a significant risk to the safety and soundness of our financial ecosystem. This is something we must address together, and the roadmap guidance will be an important reference for organizations to consider as they prepare their systems and data to be quantum resilient.”
– Duncan Mackinnon, G7 Cyber Expert Group Co Chair and Bank of England’s Executive Director for Supervisory Risk
A Lot Can Change In Two Years
Quantum risk has long been understood within cryptographic and PKI communities. Advanced quantum computers will be capable of breaking widely used cryptographic algorithms that protect financial data.
Earlier guidance in 2024 acknowledged the risk but left many organizations unsure how to act. Plus, just two years ago, standards were still emerging and approaches varied by geography.
This 2026-era roadmap is much different. Notably, it’s the first to explicitly recognize that while multiple post-quantum standards will coexist around the world, there is meaningful commonality across them – and that differences should not become an excuse for inaction.
The G7 is saying loud and clear: this is an international risk that demands international attention and coordination.
Indeed, we’ve already seen this shift beginning to take shape. In Asia-Pacific, for example, national governments have begun publishing post-quantum cryptography readiness frameworks – treating quantum risk as a matter of national and regional resilience, not vendor selection or algorithm debate.
5 Actions to Prepare for the Quantum Era
This is not a problem reserved for a handful of global institutions. If you operate in the financial ecosystem, you’re part of the risk – and also part of the solution.
From boosting your agility to elevating awareness, here are five essential actions to prepare.
1. Elevate Quantum Risk to the Boardroom
The most important first step is not technical execution. It is escalation. From a risk management perspective, the goal is not perfection. It is to plan for the greatest possible disruption in the shortest possible amount of time.
Boards don’t need deep cryptographic expertise. Many don’t have it. One study found that fewer than one-third of CISOs say their board includes someone with cybersecurity expertise.
What boards do need is clarity on a few realities:
- Widely deployed cryptographic algorithms will eventually fail
- Encrypted financial data can be harvested today and decrypted later
- Replacing cryptography across interconnected systems takes years
This G7 guidance gives practitioners both permission – and responsibility – to start that conversation. It provides external validation without being alarmist. It frames quantum readiness as a governance issue that requires long-term planning.
2. Recognize Cryptography as a Supply Chain Risk
One of the most important themes in the G7 roadmap is interdependence.
Financial institutions don’t operate in isolation. Cryptography underpins core banking platforms, payment systems, cloud services, fintech integrations, and third-party providers. Weaknesses in any part of that chain introduce risk across the entire ecosystem.
A practical starting point is understanding:
- Where cryptography is used within internally managed systems
- Which critical services rely on vendors for cryptographic controls
- Where long-lived or high-value financial data resides
This is not about assigning blame. Instead, it shows that quantum readiness is a shared responsibility across the financial supply chain.
3. Focus on Cryptographic Agility, Not a Single Migration Event
The G7 roadmap reinforces a point the cryptographic and PKI communities have long understood: post-quantum transition is not a one-time technology upgrade.
Treating this as the next version of a software update is a mistake. Quantum readiness is an infrastructure and risk management challenge that touches systems, data, processes, and third-party dependencies. In December 2025, NIST released its final white paper, Considerations for Achieving Crypto Agility (CSWP 39). As we shared in a related blog, cryptographic agility is the only viable way forward.
Cryptographic agility means:
- Knowing where cryptography exists through comprehensive inventory
- Designing systems so cryptography can change without breaking applications
- Maintaining continuous visibility rather than relying on point-in-time snapshots
Organizations that lack visibility into their cryptographic assets – or that migrate once without the ability to monitor and adapt afterward – will remain exposed. Agility allows financial institutions of all shapes and sizes to move in step with regulators, vendors, and industry standards rather than scrambling to catch up under pressure.
4. Apply a Risk-Based, Phased Approach
The G7 is explicit: not all systems, functions, or institutions face the same level of exposure at the same time.
Some financial data must remain confidential for decades. Some systems are critical to market confidence and operational continuity. Others present lower immediate risk.
Organizations should:
- Prioritize long-lived data and high-impact systems
- Apply more aggressive timelines where risk is greatest
- Use lower-risk systems as early pilots to build experience
This approach blends steady progress with flexibility as standards continue to evolve.
5. Use Existing Governance Structures to Drive Accountability
Quantum readiness does not require reinventing governance.
Boards and executive committees already oversee cybersecurity, third-party risk, and operational resilience. Quantum preparedness belongs in those same discussions, tracked through:
- Clear ownership across security, IT, and risk teams
- Measurable milestones tied to visibility and agility
- Ongoing reassessment as risks and dependencies change
This ensures quantum risk is part of enterprise risk management, not an abstract future problem.
Thinking in Phases, Not Deadlines
To support planning, the G7 roadmap includes a timeline. It breaks the transition into overlapping phases that many organizations will recognize:
- Awareness and preparation at the executive and board level
- Discovery and inventory of cryptographic assets and dependencies
- Risk assessment and planning based on exposure and systemic importance
- Migration execution, starting with prioritized systems
- Testing, validation, and continuous monitoring over time
Importantly, the timing suggests:
- 2025 was your time to think about it
- 2026 is the year to do your inventory
- 2028 is the time to start migrating
For boards, the message is about recognizing that cryptographic transition is a multi-year effort that starts well before algorithms change – and that waiting doesn’t reduce the work, it compresses it.
Collaboration: An International Affair
The G7 roadmap reinforces principles the cryptographic and PKI communities have long understood: quantum computing will upend the assumptions that protect financial systems, and delay only narrows future options.
When the world’s largest economies collectively acknowledge this risk, it gives boards critical context – not just about what is coming, but about the scale and inevitability of the transition ahead.
The call to action is simple: begin now. Build awareness at the board level, inventory cryptographic dependencies, and engage with industry partners shaping the transition.
Quantum readiness isn’t a problem to solve alone – but it is one to start addressing today.
