Blog

Quantum Readiness: A Practical Primer for Financial Services and Digital Assets Companies and Projects

Pillars of court building

    Introduction

    Quantum information science and technology (QIST) is moving from a research and development topic to a board- and senior management-level strategic, cybersecurity, procurement, governance and business-planning issue. On June 22, 2026, the White House signaled a meaningful shift in U.S. quantum policy with its publication of two executive orders: “Ushering in the Next Frontier of Quantum Innovation” (the “Innovation Order”) and “Securing the Nation Against Advanced Cryptographic Attacks” (the “Security Order” and together with the Innovation Order, the “June 2026 Quantum Orders”). Taken together, the June 2026 Quantum Orders convey that, for quantum readiness, the time to act is now.

    See Our Article: For a discussion of the president’s June 2026 executive orders on quantum innovation and post-quantum security, see our related article, “The White House Just Signaled Now Is the Time to Act On Quantum: What the Executive Orders on Quantum Innovation and Quantum Security Mean for Market Participants.

    For financial services and digital asset-related market participants, the key issue is not only whether large-scale quantum computers exist today. The more immediate issue is whether organizations understand their cryptographic dependencies and can adapt as post-quantum cryptography (PQC) expectations develop across government, critical infrastructure, customer contracts and market practice.

    That does not mean every organization must replace its systems tomorrow. It does mean, however, that market participants should begin the work now of understanding where and how they depend on cryptography, which data and systems may be most exposed, which vendors and counterparties may drive quantum resilience timetables and where emerging QIST-related opportunities may be material to their strategies.

    Why financial services firms should pay close attention

    Financial services organizations rely on cryptography at nearly every layer of operations. Some examples include customer authentication, payment systems, market data, trading platforms, secure messaging, custody, application programming interfaces, cloud infrastructure, vendor connections, backup systems, mobile applications, certificates, code signing and internal communications.

    The Security Order does not impose new PQC migration obligations directly onto every private financial institution. That said, its practical effects may spread quickly through procurement requirements, supervisory expectations, vendor contracts, cyber insurance underwriting, rating agency analysis, due diligence and board reporting.

    Selected practical implications are likely to include:

    • Cryptographic inventory will become essential. Organizations should identify where and how they use cryptography across systems, products, vendors and data flows.
    • Intended long-term confidential data deserves priority. Sensitive communications, customer data, trade secrets, transaction records, M&A materials, source code, private fund data and regulated data may remain valuable for years and may be attractive targets for “harvest now, decrypt later” and “trust now, forge later” attacks.
    • Vendor management will change. PQC readiness, algorithm agility, validation status regarding the Federal Information Processing Standards (FIPS) of the National Institute of Standards and Technology (NIST), key-management dependencies and cryptographic bills of materials may become standard diligence topics.
    • Operational resilience programs should account for PQC migration. Migration may have far-reaching effects, including concerning performance, interoperability, certificate infrastructure, latency, hardware compatibility and third-party dependencies.
    • Board reporting should evolve. For organizations with material cryptographic exposure, quantum risk belongs on the cyber and technology risk agenda, with clear board- and senior management–level owners, milestones and budget assumptions.

    Digital assets face a distinct quantum problem

    For digital assets, the issue is not simply whether PQC algorithms exist. The harder question to address is how to implement cryptographic change across decentralized networks, custody stacks, wallets, exchanges, bridges, validators and legacy addresses without creating new material operational, governance, or security risks.

     

    Public-key cryptography is foundational to blockchain networks, wallets, custody solutions, validator operations, smart contract administration, token issuance and transaction authorization. Many widely used blockchain systems rely on elliptic curve digital signature algorithms or related signature schemes that could become vulnerable if sufficiently powerful quantum computers emerge. While hash functions generally present a different risk profile, exposed public keys, address reuse, multisignature arrangements, bridges and custody infrastructure require careful analysis.

    Digital asset-focused organizations and projects should consider:

    • Custody architecture. Custodians, exchanges, wallet providers, stablecoin issuers and tokenization platforms should assess whether signing infrastructure can support algorithm agility and, eventually, PQC migration.
    • Protocol governance. Public blockchain migration may require many steps, including protocol upgrades, validator coordination, wallet updates, exchange support, bridge updates and user migration.
    • Exposed public keys. Market participants should assess when public keys become visible on-chain and whether operational practices increase quantum-related exposure.
    • Smart contract administration. Admin keys, upgrade keys, emergency pause keys, oracle keys and bridge keys should be evaluated as part of broader key-management and decentralization analysis.
    • Risk disclosures. Exchanges, custodians, funds and token issuers should consider whether disclosures accurately describe cryptographic, protocol, custody, operational and migration risks.
    • Institutional diligence. Banks, asset managers, insurers, registered funds and public companies entering digital asset markets are likely to ask harder questions about cryptographic resilience and PQC planning.

    Procurement may be the catalyst

    The procurement provisions in the Security Order may become especially important. The Security Order directs the Federal Acquisition Regulatory Council (FAR Council), within 180 days, to publish a proposed rule amending the Federal Acquisition Regulation (FAR). The rule must require FIPS compliance by covered contractors no later than December 31, 2030, including compliance with all applicable FIPS incorporating PQC-compliant algorithms.

    The Security Order also directs the FAR Council, within 270 days, to publish a proposed rule amending FAR requirements and contract clauses for contractor vulnerability disclosure programs. Those programs need to be consistent with NIST guidelines and incorporate reports of cryptographic vulnerabilities, including testing for lack of encryption and use of non-FIPS-approved algorithms.

    If implemented, these procurement rules could significantly increase the importance of cryptographic asset visibility and cybersecurity governance for federal contractors and vendors in the federal supply chain. The affected universe of market participants may include:

    • Cloud service providers.
    • Cybersecurity vendors.
    • Software-as-a-service providers.
    • Hardware manufacturers.
    • Telecommunications providers.
    • Defense and intelligence contractors.
    • Fintech providers involved in government programs.
    • Data center providers.
    • Oil, gas, and energy companies.
    • Utility providers.
    • Identity, authentication, payment and digital signature platforms.
    • Blockchain analytics, custody and digital asset infrastructure companies with government customers.

    The cryptographic bill of materials may become a core diligence tool

    A key concept in the Security Order is the cryptographic bill of materials (CBOM). The Security Order directs the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with NIST, to release public guidance within 270 days describing the agencies’ view concerning the minimum elements for a CBOM. Such elements must enable automated assessment of the cryptographic assets used by a hardware or software element.

    For financial services and digital asset companies, CBOMs may become a practical bridge between cybersecurity, procurement, legal, compliance and engineering teams. They also may become relevant to M&A diligence, vendor onboarding, outsourcing reviews, customer commitments and incident response.

    Market participants should expect that customers, counterparties and diligence teams may ask about things like:

    • Cryptographic algorithms used in products and services.
    • Key sizes and modes of operation.
    • Certificate and key-management dependencies.
    • Cryptographic libraries and modules.
    • FIPS validation status.
    • PQC readiness and algorithm agility.
    • Use of deprecated, nonapproved, or vulnerable algorithms.
    • Third-party cryptographic dependencies.

    Securities, governance and transaction considerations

    The June 2026 Quantum Orders do not, by themselves, create private-sector securities disclosure obligations. They may, however, affect how organizations and teams assess cyber risk, technology risk, customer commitments, forward-looking statements and risk factors.

    Public companies, regulated financial institutions, digital asset-focused organizations and teams seeking institutional capital and enterprises preparing for financing or exit transactions should consider whether QIST and PQC issues are material in their own respective contexts.

    Boards and senior management should avoid alarmism. Quantum risk is not uniform across companies. For businesses that rely heavily on cryptography, long-lived confidential data, digital signatures, custody technology, digital asset infrastructure, or government procurement, however, the issue is no longer theoretical.

    Examples of useful board and management questions may include:

    • Does the organization depend on cryptography for core products, customer trust, custody, transaction authorization, or confidential data protection?
    • Does the organization serve the federal government, critical infrastructure, or highly regulated financial services customers?
    • Does the organization maintain data that must remain confidential for many years?
    • Does the organization have a realistic plan for cryptographic inventory, algorithm agility and PQC migration?
    • Does the organization’s vendor ecosystem create cryptographic dependencies that the organization itself does not control?
    • Do risk factors, cybersecurity disclosures, product statements and customer commitments accurately describe the organization’s posture?

    Practical takeaways for financial services and digital assets companies

    1. Brief the board or relevant committee. Provide a balanced overview of quantum risk, QIST-related business opportunity and planned next steps.
    2. Create a cryptographic inventory. Identify where cryptography exists across systems, products, vendors and data flows.
    3. Prioritize long-term sensitive data. Focus first on data that must remain confidential or valuable for years, including customer records, financial data, source code, trade secrets, private keys, strategic plans, M&A information and regulated data.
    4. Build flexibility into contracts and technology. Address the ability to update algorithms, replace libraries, rotate keys, update certificates and maintain interoperability.
    5. Update vendor diligence. Add PQC and CBOM questions to reviews for cloud, cybersecurity, identity, payments, digital asset custody, software and critical infrastructure providers.
    6. Monitor FAR rulemaking. Companies that contract with the federal government, or sell to companies that do, should track proposed procurement rules under the Security Order and assess how they may affect product design, pricing, compliance and representations.
    7. Review solicitations and contract terms carefully. Companies that contract with the federal government or fall within the government supply chain should closely review solicitation provisions, contract clauses and government guidance incorporated by reference into binding agreements that may comport with the directives in the June 2026 Quantum Orders. Procuring agencies often include specific terms in solicitations or issue an agency deviation to include requirements prior to promulgation of final FAR rules.
    8. Treat PQC as a multiyear migration program. Assign clear senior-level owners, milestones, budgets and escalation paths.
    9. For digital assets, assess both protocol-level and custody-level exposure. Review custody keys, validator keys, multisignature arrangements, smart contract admin keys, bridge keys, wallet infrastructure and upgrade pathways.
    10. Revisit disclosures and customer commitments. Ensure that public statements, agreements, security white papers, cyber disclosures and risk factors remain accurate.
    11. Include QIST and PQC in M&A and investment diligence. Assess cryptographic inventories, PQC roadmaps, export control exposure, foreign investor rights and dependencies on inflexible cryptographic systems.
    12. Follow NIST, CISA, the Office of Management and Budget, the National Cyber Director and the FAR Council. Practical obligations for market participants are likely to develop via guidance, pilots, procurement rules, validation processes and sector-specific engagement.

    What’s next

    Quantum may still feel like the future. But, for market participants, the compliance, procurement, cybersecurity and governance work should begin now. For financial services and digital asset-related market participants, the end goal is not to predict the exact date on which a quantum attack becomes possible. Rather, market participants should aim to build enough visibility, flexibility and governance to be ready to answer when customers, regulators, counterparties, or markets ask the tough quantum-related questions.

     

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Key Contacts