What Boards Need to Know Now About Quantum Risk

By Antonio Sanchez

Share this post

QXC-Media-BBJ-Article-768×593

Quantum XChange CEO Eddy Zervigon makes the case in the Baltimore Business Journal that quantum computing has moved off the “future problem” list and onto the board agenda. The cryptographically-relevant quantum computer (CRQC) may be a few years out, but the risk is already here. Adversaries don’t need a working quantum machine to breach you tomorrow. They can harvest encrypted data now and decrypt it later, once the capability arrives.

That Harvest Now, Decrypt Later (HNDL) threat is why Zervigon argues quantum readiness belongs in enterprise risk management, not just in the IT backlog. Any organization holding data that must stay confidential into the 2030s already has an open exposure window. The breach can be retroactive, but the accountability will be current.

The article gives directors five questions to put to their management teams in 2026:

  1. Risk quantification. What data does the company hold that will still be valuable in 5, 10, or 20 years, and what happens if it’s harvested today and decrypted in 2032?
  2. Enterprise-wide crypto visibility. You can’t migrate what you can’t find. A cryptographic inventory, or Cryptographic Bill of Materials, is the foundation, and discovery alone can take 6 to 18 months for large enterprises.
  3. Migration timelines. Post-quantum migration is not a patch. A realistic enterprise migration runs 3 to 7 years, so starting in 2026 means finishing between 2029 and 2033. Waiting raises the odds of colliding with regulatory deadlines.
  4. PQC budgets. Expect a phased investment model: discovery, piloting, phased migration, then ongoing cryptographic management. Crypto-agility, the ability to change algorithms without rebuilding infrastructure, is the strategic concept directors most need to understand.
  5. Third-party vendors and supply chain. Cloud providers, certificate authorities, and software suppliers all move on different timelines. Procurement is one of the most powerful levers a board has: make post-quantum readiness and crypto-agility standard terms in new contracts and renewals.

Zervigon’s parting advice, director to director: companies that delay will face compressed timelines, scarce talent, premium vendor pricing, and rushed implementation. Boards should ask for and oversee a strategic quantum risk plan with a cryptographic inventory, a prioritized risk assessment, a phased budget, a vendor-readiness strategy, a target timeline, and named executive ownership across security, IT, legal, procurement, and operations.

“The hardest part of quantum readiness was never the math. It was the governance.” — Eddy Zervigon, CEO, Quantum XChange

Read the full byline in the Baltimore Business Journal.

Share this post

See Phio TX in action

Have one of our experts show you how Phio TX protects your organization from threats today and the quantum future.

Request Request 

a

demo demo

grainy-bg-blue