Quantum Readiness: A Practical Primer for Financial Services and Digital Assets Companies and Projects
Introduction
Quantum information science and technology (QIST) is moving from a research and development topic to a board- and senior management-level strategic, cybersecurity, procurement, governance and business-planning issue. On June 22, 2026, the White House signaled a meaningful shift in U.S. quantum policy with its publication of two executive orders: “Ushering in the Next Frontier of Quantum Innovation” (the “Innovation Order”) and “Securing the Nation Against Advanced Cryptographic Attacks” (the “Security Order” and together with the Innovation Order, the “June 2026 Quantum Orders”). Taken together, the June 2026 Quantum Orders convey that, for quantum readiness, the time to act is now.
See Our Article: For a discussion of the president’s June 2026 executive orders on quantum innovation and post-quantum security, see our related article, “The White House Just Signaled Now Is the Time to Act On Quantum: What the Executive Orders on Quantum Innovation and Quantum Security Mean for Market Participants.”
For financial services and digital asset-related market participants, the key issue is not only whether large-scale quantum computers exist today. The more immediate issue is whether organizations understand their cryptographic dependencies and can adapt as post-quantum cryptography (PQC) expectations develop across government, critical infrastructure, customer contracts and market practice.
That does not mean every organization must replace its systems tomorrow. It does mean, however, that market participants should begin the work now of understanding where and how they depend on cryptography, which data and systems may be most exposed, which vendors and counterparties may drive quantum resilience timetables and where emerging QIST-related opportunities may be material to their strategies.
Why financial services firms should pay close attention
Financial services organizations rely on cryptography at nearly every layer of operations. Some examples include customer authentication, payment systems, market data, trading platforms, secure messaging, custody, application programming interfaces, cloud infrastructure, vendor connections, backup systems, mobile applications, certificates, code signing and internal communications.
The Security Order does not impose new PQC migration obligations directly onto every private financial institution. That said, its practical effects may spread quickly through procurement requirements, supervisory expectations, vendor contracts, cyber insurance underwriting, rating agency analysis, due diligence and board reporting.
Selected practical implications are likely to include:
Digital assets face a distinct quantum problem
For digital assets, the issue is not simply whether PQC algorithms exist. The harder question to address is how to implement cryptographic change across decentralized networks, custody stacks, wallets, exchanges, bridges, validators and legacy addresses without creating new material operational, governance, or security risks.
Public-key cryptography is foundational to blockchain networks, wallets, custody solutions, validator operations, smart contract administration, token issuance and transaction authorization. Many widely used blockchain systems rely on elliptic curve digital signature algorithms or related signature schemes that could become vulnerable if sufficiently powerful quantum computers emerge. While hash functions generally present a different risk profile, exposed public keys, address reuse, multisignature arrangements, bridges and custody infrastructure require careful analysis.
Digital asset-focused organizations and projects should consider:
Procurement may be the catalyst
The procurement provisions in the Security Order may become especially important. The Security Order directs the Federal Acquisition Regulatory Council (FAR Council), within 180 days, to publish a proposed rule amending the Federal Acquisition Regulation (FAR). The rule must require FIPS compliance by covered contractors no later than December 31, 2030, including compliance with all applicable FIPS incorporating PQC-compliant algorithms.
The Security Order also directs the FAR Council, within 270 days, to publish a proposed rule amending FAR requirements and contract clauses for contractor vulnerability disclosure programs. Those programs need to be consistent with NIST guidelines and incorporate reports of cryptographic vulnerabilities, including testing for lack of encryption and use of non-FIPS-approved algorithms.
If implemented, these procurement rules could significantly increase the importance of cryptographic asset visibility and cybersecurity governance for federal contractors and vendors in the federal supply chain. The affected universe of market participants may include:
The cryptographic bill of materials may become a core diligence tool
A key concept in the Security Order is the cryptographic bill of materials (CBOM). The Security Order directs the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with NIST, to release public guidance within 270 days describing the agencies’ view concerning the minimum elements for a CBOM. Such elements must enable automated assessment of the cryptographic assets used by a hardware or software element.
For financial services and digital asset companies, CBOMs may become a practical bridge between cybersecurity, procurement, legal, compliance and engineering teams. They also may become relevant to M&A diligence, vendor onboarding, outsourcing reviews, customer commitments and incident response.
Market participants should expect that customers, counterparties and diligence teams may ask about things like:
Securities, governance and transaction considerations
The June 2026 Quantum Orders do not, by themselves, create private-sector securities disclosure obligations. They may, however, affect how organizations and teams assess cyber risk, technology risk, customer commitments, forward-looking statements and risk factors.
Public companies, regulated financial institutions, digital asset-focused organizations and teams seeking institutional capital and enterprises preparing for financing or exit transactions should consider whether QIST and PQC issues are material in their own respective contexts.
Boards and senior management should avoid alarmism. Quantum risk is not uniform across companies. For businesses that rely heavily on cryptography, long-lived confidential data, digital signatures, custody technology, digital asset infrastructure, or government procurement, however, the issue is no longer theoretical.
Examples of useful board and management questions may include:
Practical takeaways for financial services and digital assets companies
What’s next
Quantum may still feel like the future. But, for market participants, the compliance, procurement, cybersecurity and governance work should begin now. For financial services and digital asset-related market participants, the end goal is not to predict the exact date on which a quantum attack becomes possible. Rather, market participants should aim to build enough visibility, flexibility and governance to be ready to answer when customers, regulators, counterparties, or markets ask the tough quantum-related questions.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.