English
Quantum Computing Threatens the Cryptographic Backbone of Finance
As Moody's Ratings and the Bank for International Settlements (BIS) issue stark warnings, the financial world is confronting a new systemic risk: quantum computing. The day when a quantum computer can break current encryption—known as 'Q-Day'—is approaching, and the potential for disruption is measured in trillions of dollars. A quantum-driven breach of critical payment infrastructure could generate $2–3 trillion in indirect economic losses, according to a Citi Institute analysis cited in Moody's May 2026 report. This article examines the timeline to Q-Day, the preparedness gaps across central banks and major institutions, and the strategic implications for global financial stability in 2026.
What Is Q-Day and Why Does It Matter?
Q-Day refers to the moment when a cryptographically relevant quantum computer becomes capable of breaking widely used public-key encryption algorithms such as RSA and Elliptic Curve Cryptography (ECC). These algorithms underpin the security of digital payments, blockchain systems, central bank digital currencies, and virtually all secure communications in finance. According to the post-quantum cryptography timeline, NIST plans to deprecate RSA by 2030 and prohibit it by 2035, but many experts believe Q-Day could arrive as early as 2033–2037. The BIS warns that the 'harvest now, decrypt later' (HNDL) threat is already active: adversaries are intercepting encrypted financial data today with the intent to decrypt it once quantum computers mature.
Moody's Systemic Threat Assessment
In May 2026, Moody's published its first systemic quantum threat assessment, warning that quantum computing poses a growing systemic cyber risk to digital finance. The report highlights that institutional finance is increasingly approaching quantum threats as a long-term operational resilience issue rather than a distant scientific problem. Moody's notes that quantum computers could theoretically derive private cryptographic keys from public information, threatening wallets, custody systems, and digital signatures on irreversible public blockchains. The report underscores that public blockchains are especially vulnerable due to irreversible transaction finality. Recent major incidents like the $1.5 billion Bybit theft and the Coinbase data breach underscore the rising cyber risks that quantum attacks could amplify.
The $2–3 Trillion Exposure
A Citi Institute analysis cited in the Moody's report estimates that a quantum-enabled cyberattack disrupting a major U.S. bank's access to Fedwire could put $2.0–$3.3 trillion of U.S. GDP at risk. This reframes quantum computing as a systemic financial threat rather than a distant technology issue. The analysis projects that a quantum disruption affecting critical payment infrastructure could generate $2–3 trillion in indirect economic losses through cascading failures across interconnected financial systems.
BIS Roadmap and Central Bank Preparedness
On July 7, 2025, the BIS published a major paper titled 'Quantum-readiness for the financial system: a roadmap,' urging the global financial sector to prepare for the post-quantum era. The BIS, often called the 'central bank of central banks,' warns that quantum cyber risk is a systemic financial stability concern, not just an IT issue. The roadmap outlines a three-phase approach: Engagement & Awareness, Planning & Coordination, and Execution & Oversight. It emphasizes starting the transition immediately, conducting cryptographic inventories, building crypto agility, and adopting Post-Quantum Cryptography (PQC) as the near-term solution. The BIS Innovation Hub's Project Leap, a collaboration with the Banque de France and Deutsche Bundesbank, is focused on quantum-proofing the financial system.
Institutional Response: JPMorgan, HSBC, and the Race to Crypto-Agility
Major financial institutions are already taking action. JPMorgan Chase is developing 'crypto-agile' infrastructure and has deployed hybrid ML-KEM across its networks. HSBC completed Phase 1 PQC migration in 2025 as the first global bank to deploy hybrid ML-KEM across its treasury network. Over 15 global banks, including Goldman Sachs, BBVA, Barclays, and BNP Paribas, are actively exploring quantum technologies. However, the financial sector quantum preparedness gap remains significant. Many smaller institutions lack the resources to conduct cryptographic inventories and begin migration, creating a potential systemic vulnerability.
Regulatory Pressure: DORA and the EU Quantum Act
The EU's Digital Operational Resilience Act (DORA), which took effect in January 2025, mandates financial institutions to adopt crypto-agile approaches, maintain cryptographic inventories, and develop policies enabling rapid algorithm replacement—including migration to quantum-resistant systems. ENISA's June 2025 guidelines further recommend adopting quantum-resistant algorithms against HNDL attacks. The European Union is set to propose the Quantum Act in Q2 2026, which will institutionalize funding for quantum communication infrastructure, incentivize PQC-compliant hardware supply chains, and mandate harmonized EU Quantum Standards. Banks that delay PQC transition face security vulnerabilities and competitive disadvantage under these new regulatory frameworks.
Expert Perspectives
'Quantum computing is a strategic technology risk for boards and senior executives, not a distant technological issue,' states the Global Risk Institute's March 2026 primer for financial sector executives. 'Because replacing cryptographic systems across large IT environments can take many years, organizations cannot wait until quantum technology is fully mature.' Phil Intallura, Global Head of Quantum Technologies at HSBC, emphasizes that upgrading to PQC is a 'must-do' given risks that quantum computers could break encryption like RSA-2048 within a decade. Early adopters in financial services could unlock $1–2 trillion in value by 2035, justifying investment in quantum capabilities.
FAQ
What is Q-Day in quantum computing?
Q-Day is the hypothetical future date when a quantum computer becomes powerful enough to break widely used encryption algorithms like RSA and ECC, threatening the security of digital communications and financial systems.
When is Q-Day expected?
Most experts project Q-Day between 2033 and 2037, though some estimates range from 2030 to 2040. NIST plans to deprecate vulnerable algorithms by 2030 and prohibit them by 2035.
What is 'harvest now, decrypt later' (HNDL)?
HNDL is a threat model where adversaries intercept and store encrypted data today with the intention of decrypting it once quantum computers become available. This makes immediate migration to quantum-safe cryptography urgent.
How much could a quantum attack cost the financial system?
A Citi Institute analysis estimates that a quantum-enabled disruption of critical payment infrastructure could generate $2–3 trillion in indirect economic losses, with a single attack on Fedwire potentially putting $2.0–$3.3 trillion of U.S. GDP at risk.
What is the EU DORA regulation's role in quantum preparedness?
DORA, effective January 2025, mandates financial institutions to adopt crypto-agile approaches, maintain cryptographic inventories, and plan migration to quantum-resistant algorithms. It is a key driver of post-quantum cryptography adoption in Europe.
Conclusion: The Window for Action Is Closing
The convergence of Moody's systemic threat assessment, the BIS roadmap, and the EU's DORA regulation creates an urgent, regulatory-driven moment for the financial sector. The global financial stability implications of Q-Day are profound: a single quantum breach could cascade through interconnected payment systems, triggering a crisis comparable to the 2008 financial meltdown. Financial institutions must act now—conducting cryptographic inventories, building crypto-agile systems, and migrating to NIST-standardized PQC algorithms. The cost of inaction is measured not just in dollars, but in the integrity of the global financial system itself.
Follow Discussion