Technology
Jul. 2, 2026
Quantum computing and the future of cybersecurity: What organizations need to know now
Although cryptographically relevant quantum computers remain years away, organizations that delay planning for post-quantum cryptography may face significant cybersecurity, regulatory, and litigation risks.
Wynter L. Deagle
Partner
Sheppard, Mullin, Richter & Hampton LLP
Intellectual Property Practice Group and a member of the Privacy and Cybersecurity team
Phone: (858) 720-8947
Email: wdeagle@sheppardmullin.com
Northeastern U School of Law
Quantum computing is no longer a distant theoretical concern. As advances in quantum technologies accelerate, so too have discussions about their cybersecurity implications--from warnings about "Q-Day" and the potential to break widely used encryption, to the emergence of post-quantum cryptography (PQC) standards designed to guard against that threat. For organizations that depend on digital infrastructure, the question is no longer whether to pay attention, but what to do about it.
The answer is more nuanced than many high-level discussions suggest. Quantum computing does present legitimate long-term cybersecurity challenges, but the timing, scope, and implementation of potential solutions involve a complex mix of technical, legal and commercial considerations. Organizations may understandably find it difficult to assess what practical steps to take today and how to prioritize resources accordingly. This article offers a framework for thinking through those questions.
Understanding the quantum threat to cryptography
Modern cybersecurity systems rely on multiple forms of cryptography. One important distinction is between public-key cryptography and symmetric-key cryptography.
Public-key cryptography is widely used for secure communication, authentication, key exchange and digital signatures. Common examples include RSA and elliptic curve cryptography ("ECC"). These systems are foundational to internet security, including TLS/HTTPS connections, VPNs, digital certificates and many identity management systems.
Quantum computing poses its most significant threat to these public-key systems. Shor's algorithm and its variants theoretically enable a sufficiently powerful quantum computer to solve the mathematical problems that underlie RSA and ECC security. If practical large-scale quantum computers become available, attackers could potentially forge digital signatures, impersonate legitimate parties, compromise authentication systems or decrypt intercepted communications protected by vulnerable public-key cryptography.
Quantum computing presents a substantially smaller threat to symmetric-key cryptography used for bulk data storage and many forms of database encryption, such as AES-based encryption schemes. While quantum algorithms may weaken some symmetric cryptographic schemes, the impact is generally viewed as more manageable because stronger symmetric key sizes can often mitigate the risk.
The greatest long-term concern, then, is not that quantum computers will instantly expose all stored corporate data. Rather, it is that they may eventually undermine the public-key infrastructure that secures communication, authentication and trust relationships across virtually every digital system in use today.
Q-Day: How close are we?
The term "Q-Day" is often used to describe the point at which quantum computers become capable of breaking widely deployed public-key cryptographic systems. Importantly, however, this requires not merely a quantum computer, but a cryptographically relevant quantum computer (CRQC) capable of running meaningful implementations of Shor's algorithm at scale.
That technological threshold remains highly challenging. Current quantum computers are limited by noise, error correction overhead, coherence times and scalability constraints. No existing system is capable of executing large-scale cryptographic attacks against real-world RSA or ECC implementations. While projections vary considerably, many industry and government assessments place the possible emergence of CRQCs in the late 2020s to early 2030s timeframe.
Organizations should not, however, dismiss the risk simply because CRQCs do not yet exist. Significant efforts are underway to increase qubit counts, improve error correction, connect modular quantum processors and optimize algorithms to operate with fewer or noisier qubits. Because multiple technological pathways are being pursued simultaneously, the timeline for a viable CRQC remains uncertain.
This creates an unusual planning challenge: the threat may still be years away, but transitioning large-scale cryptographic infrastructure can also take years. The appropriate response is neither panic nor complacency, but deliberate, long-term planning.
Post-quantum cryptography: Progress and practical challenges
Significant efforts are underway to develop and standardize PQC algorithms designed to resist quantum attacks. The National Institute of Standards and Technology (NIST) has already selected several PQC algorithms for standardization and governments around the world have begun strongly encouraging migration planning.
The commercial reality, however, remains complicated. Many organizations operate complex legacy systems that were not designed for rapid cryptographic replacement. Updating cryptographic infrastructure may take years to plan and execute given it can require changes across software systems, authentication frameworks, communication protocols, hardware devices, embedded systems and third-party vendor products.
The PQC ecosystem itself also continues to evolve. Standards, implementations, and best practices are still maturing. Organizations may therefore benefit from emphasizing "cryptographic agility"--the ability to transition flexibly between cryptographic schemes as technologies and standards develop--rather than committing prematurely to a single solution.
Legal and governance implications
From a legal, cybersecurity, and privacy perspective, quantum computing is best understood not merely as a technological breakthrough, but as a systemic risk multiplier. Its capacity to undermine foundational security assumptions, particularly public-key encryption, creates not only technical vulnerabilities but also far-reaching governance, regulatory and liability challenges. The risk is distinctive in that it is:
· Delayed--harm may occur years after the initial compromise;
· Systemic--affecting entire trust infrastructures rather than isolated systems; and
· Predictable--sufficiently foreseeable to create present-day obligations.
For legal and governance professionals, the central challenge is not merely technical preparedness but anticipatory compliance--embedding quantum-risk awareness into today's legal, regulatory and strategic decision-making. Organizations that fail to act proactively may find themselves answering difficult questions not about what happened, but about what they should have foreseen.
Among the most immediate concerns is the "harvest now, decrypt later" threat. Because threat actors may already be intercepting encrypted information for future decryption, the legal exposure is not purely prospective. Sensitive data (such as privileged communications, trade secrets, and strategic business data) that is secure under current cryptographic standards may become readable once CRQCs emerge. This dynamic introduces what might be termed "delayed breach liability": organizations could face enforcement actions or litigation years after the initial data exfiltration, based on the contention that the quantum threat was foreseeable at the time the data was collected or transmitted.
This foreseeability framework has significant implications for litigation and regulatory exposure. As quantum-related risks become better understood and industry practices mature, organizations may face allegations of maintaining unreasonable security practices, failing to monitor evolving cybersecurity threats, making contractual cybersecurity representations inconsistent with actual preparedness, or inadequately protecting sensitive data. Organizations operating in regulated industries or critical infrastructure sectors should expect heightened scrutiny regarding their transition planning and cybersecurity governance.
If quantum-vulnerable encryption is eventually exploited--whether through a CRQC or through algorithmic advances that weaken existing schemes--organizations that failed to take reasonable preparatory steps may face data breach litigation, regulatory enforcement actions, or both. Plaintiffs and regulators are likely to argue that the risk was foreseeable and that the failure to develop or execute a transition plan constituted a failure to implement reasonable security measures. The "harvest now, decrypt later" dynamic compounds this exposure, as a breach may ultimately be traced to data exfiltration that occurred years before decryption became feasible, and raising complex questions about when the duty to protect arose and what measures were reasonable at the time of collection.
Quantum cybersecurity risk also implicates corporate governance obligations. As awareness of these threats grows, fiduciary duty principles may require boards and senior executives to ensure that management has adequately assessed and addressed quantum-related vulnerabilities as part of the organization's broader cybersecurity governance framework. For public companies, an additional question is whether quantum-related cybersecurity risks have reached a level of materiality warranting disclosure under applicable securities laws and regulations. Organizations should also evaluate whether existing cyber insurance policies will respond to losses arising from the exploitation of quantum-vulnerable cryptography, particularly where insurers may contend that the risk was known or foreseeable and that the insured failed to take adequate mitigation steps.
Vendor management and the contractual allocation of cybersecurity responsibilities will likewise grow in importance. Organizations should evaluate whether key vendors are developing post-quantum transition plans, whether future technology investments support long-term cryptographic agility, and whether existing contracts appropriately address evolving cybersecurity obligations and liability allocation. Supply chain vulnerabilities warrant particular attention: an organization's own cryptographic transition efforts may be undermined if critical vendors, service providers, or business partners fail to implement adequate post-quantum protections. Organizations operating across multiple jurisdictions should further anticipate that regulatory requirements for PQC migration may emerge on different timelines and with varying technical specifications, adding layers of compliance complexity.
Importantly, the relevant legal inquiry is unlikely to focus on whether an organization immediately replaced all existing cryptographic infrastructure with PQC. The more practical question will be whether the organization reasonably evaluated evolving risks, monitored emerging standards, and implemented an appropriate long-term transition strategy proportionate to its business operations, data sensitivity and threat profile.
For most organizations, a risk-based approach remains the most practical path forward. That means identifying systems that rely heavily on vulnerable public-key cryptography and prioritizing the protection of long-lifetime sensitive data, communication systems, authentication infrastructure and digital signature systems. In most cases, the prudent course is not immediate wholesale migration, but rather a measured and adaptable strategy--one that can evolve alongside technological developments, regulatory expectations and industry standards. The organizations that begin that work now will be best positioned when the quantum future arrives.
Submit your own column for publication to Diana Bosetti
For reprint rights or to order a copy of your photo:
Email
Jeremy_Ellis@dailyjournal.com
for prices.
Direct dial: 213-229-5424
Send a letter to the editor:
Email: letters@dailyjournal.com