Markets vs “Harvest-Now, Decrypt-Later”: The Real Near-Term Quantum Threat

Why PQC migration is urgent for long-lived financial data—today, not when big quantum arrives

A common misconception is that markets can wait for “Q-Day” to migrate. In reality, the most credible near-term risk is harvest-now, decrypt-later (HNDL): adversaries record encrypted traffic today and decrypt it in the future when large quantum computers exist. For finance, that jeopardises long-lived secrets—customer PII, trade records, high-value keys—and exposes institutions to retrospective breaches.

US and UK authorities have moved from awareness to actionable guidance. A joint CISA/NSA/NIST paper urges organisations to start with crypto inventory, risk assessment for long-lived data, and vendor engagement to plan transitions—because migrations can take many years in brownfield estates. NIST’s NCCoE has supplemented this with draft SP 1800-38 guides on PQC migration architectures and automated discovery tools. Seen together, the message is clear: begin now.

For markets, HNDL has operational consequences beyond secrecy. Historic trade messages and internal audit logs often carry non-repudiation and legal weight. A future decryption event could taint those records, complicating disputes and compliance. Exchanges and custodians should therefore prioritise backbone links and archives: move to hybrid TLS/IPsec for transport, adopt post-quantum signatures for new code releases and artefacts, and begin re-encryption programmes for data with regulatory retention spanning a decade or more.

The commercial posture that lands with boards is risk transfer: make PQC a product of availability and integrity, not just confidentiality. Vendors can package crypto-agile gateways (fronting legacy apps with hybrid TLS), key management upgrades (HSM firmware and policies for ML-KEM/ML-DSA), and inventory/reporting tools that auditors accept. Anchor roadmaps to NIST FIPS releases and IETF hybrid drafts so supervisors recognise the trail.

Costs are real, but so are offsets. Early adopters benefit from lower correlated risk, smoother upgrades, and fewer emergency changes when standards harden. Cloud and CDN providers are already rolling out post-quantum handshake options at scale, reducing the integration burden for banks and venues that ride their networks. Use these as stepping stones rather than attempting big-bang migrations.

The punchline: the threat that matters in 2025 is time asymmetry. Adversaries can bank ciphertext now; you can’t retroactively add PQC later. Treat HNDL as a governance problem with engineering answers—inventory, hybrids, signatures, and archives—and you convert a looming cryptographic cliff into a managed slope.