Quantum computing is shifting from theoretical curiosity to engineering reality, with progress now putting pressure on the cryptographic foundations of global finance. For Ray Harishankar, IBM fellow for Quantum Safe technology — who holds more than 25 patents and is the author of Becoming Quantum Safe — the implications are neither abstract nor distant. Modern financial systems rely on asymmetric cryptography for everything from payments to identity. Once quantum machines reach sufficient scale, today’s security guarantees will need to be re-evaluated.

Speaking on the sidelines of the Singapore FinTech Festival (SFF) 2025, Harishankar outlined how close the industry is to that threshold, where the greatest systemic risks lie and what banks must prioritise as they begin migrating to post-quantum cryptography (PQC). His message is direct: the transition to quantum-safe cryptography is entirely achievable with early preparation.

Quantum computing progress reshapes cyber-risk timelines

Over the past decade, quantum hardware has advanced faster than at any point since the field’s inception. “We have made progress in quantum computing in the last 10 years, which is much more than what we made in the previous 20 years,” Harishankar said.

IBM’s current roadmap anticipates achieving fault tolerance “in the 2029 timeframe”, a milestone that will allow quantum machines to execute reliable, large-scale computations. While the firm’s first fault-tolerant system — IBM Quantum Starling — will not operate at the scale or error-rate required to threaten current public-key encryption, it still marks a meaningful step towards the class of quantum machines that will pose real cryptographic risk for financial institutions.

The significance for banks is clear. Today’s asymmetric cryptography is secure because classical computers cannot solve the underlying mathematical problems, such as large-number factorisation, within any meaningful timeframe.
Quantum computers, however, can apply Shor’s algorithm to break these assumptions. “When you have a quantum computer of sufficient scale and capacity… asymmetric cryptography will be broken,” he said.

Industry and government signals point to the same horizon. The World Economic Forum places the risk window in the early to mid-2030s, and both the US National Security Agency (NSA) and the UK National Cyber Security Centre (NCSC) have issued guidance on similar timelines. Some experts believe RSA-2048 could be vulnerable as early as the early 2030s. The exact date is uncertain, but Harishankar is clear: “It’s not like Y2K… but the early to mid-2030s is really the time frame by which enterprises ought to be prepared.”

“Harvest now, decrypt later” is already under way

The most immediate risk does not come from future quantum computers, but from adversaries acting today. Harishankar emphasised the growing threat of “harvest now, decrypt later”, in which attackers steal encrypted data now with the intention of decrypting it once quantum capability matures. “Motivated bad actors are exfiltrating information or data today with absolutely no way of decrypting them, with the fond hope that sometime in the future they will be able to decrypt them,” he said.

Sensitive, long-lived data—customer identities, regulatory archives, market infrastructure logs—must therefore be secured well before quantum computers become cryptographically relevant. For data already stolen, there is little remediation available. For data still under an institution’s control, however, preventive measures are both possible and critical. “Enterprises can protect existing data that they have today to prevent this harvest now, decrypt later from happening,” he said.

Post-quantum cryptography exists, but migration is complex

The good news, Harishankar said, is that PQC standards already exist.
The US National Institute of Standards and Technology (NIST) began with more than 80 candidate algorithms; in 2022 it selected four for standardisation, with IBM researchers contributing to three. A second round is underway.

The challenge is not the algorithms but the migration. “One doesn’t know where all cryptography exists within an enterprise,” he said. Cryptography is embedded across core systems, middleware, APIs, distributed architectures and the edge devices they rely on. Replacing classical cryptography with PQC therefore requires discovery, inventory creation, dependency mapping and coordinated action across the software supply chain.

Financial services face this at exceptional scale. “Every enterprise on the earth uses some financial transaction or the other. So financial services is a very, very important area to focus on,” he said.

IBM has spent more than four years working with banks on early transition efforts, including direct engagements and industry-wide collaboration through the Emerging Payments Association Asia (EPAA) with HSBC, PayPal Australia, Payment Plus and others. As Harishankar noted, the consortium was created because “payments is so regional” and requires an understanding of the “regional nuances” shaping how transactions flow across borders. The group now has around 40 members.

This regional interdependence heightens the urgency in Southeast Asia, where instant-payment networks such as PayNow–DuitNow, PromptPay, QRIS and Nexus-aligned pilots rely on cryptographic signatures to authenticate transactions and secure bilateral and multilateral links. As these schemes scale into cross-border interoperability frameworks — from QR interlinkage to real-time payment corridors and regional tokenisation pilots — a cryptographic weakness in one market can propagate across the network.
The implication, reinforced by Harishankar’s comments, is clear: because payments operate across borders and involve multiple vendors, regulators and operators, quantum-safe readiness must be coordinated at a regional ecosystem level, not only within individual banks.

Discovery and dependency mapping

Banks cannot begin PQC migration until they can see how and where cryptography is used. IBM has developed tooling to scan custom codebases, third-party packages and network traffic to detect cryptographic usage. These tools generate inventories, but, Harishankar cautioned, raw data alone is insufficient. “You have all this information now, but then it’s all data. You’ve got to really draw some insights from that.”

To standardise analysis, IBM created a cryptography bill of materials (C-BOM), now published as an open standard under CycloneDX, widely used for software and security bills of materials.

Once cryptographic assets are catalogued, institutions must then map dependencies. On mainframes, migration is simpler, Harishankar noted. “Mainframes are already PQC-ready on IBM’s z16 and z17 systems,” he said. Distributed estates, however, rely on complex chains of vendors, products, HSMs, API gateways and cloud services. “Pretty soon you are going to run into a component on the payment rail that is not yet quantum safe. So you’re stuck there until they become quantum safe,” he warned.

The solution is proactivity. Institutions must embed PQC transition requirements into vendor engagements, procurement cycles and licence renewals. “That is the only way you can ensure that your entire supply chain is going to be quantum safe,” he said.

Crypto-agility must be designed in, not added later

Beyond migration, institutions must prepare for continuous algorithmic change. Crypto-agility is the ability to switch algorithms or implementations “with minimal to no disruption to your business”. Harishankar urged banks to incorporate abstraction layers now.
“Since you’re already looking at a lot of the cryptographic algorithm implementations anyway, might as well take an additional step to abstract it so that you can switch from one to the other, ideally by a configuration change and not code software,” he said.

Performance will vary across systems, especially in constrained environments such as mobile clients, edge devices and HSMs. Institutions must therefore test how PQC behaves within their own architectures. “Your environment will be definitely different from ours,” he said.

Misconceptions slow the industry’s response

IBM’s recent survey of 750 executives across 28 countries, whose findings are published in IBM’s “Secure the post-quantum future” report, revealed several misconceptions hindering financial-sector readiness.

The first is timing. While 79% of respondents acknowledge the need to engage with PQC, only 19% have begun. “They think they have time… but this requires transformation of almost all of the systems that you have,” he said.

The second is responsibility. Around two-thirds of executives believe migration is primarily a third-party issue. “You need to become quantum safe. Your third parties need to be quantum safe as well,” he said.

The third is underestimating technical complexity. Keys, certificates and secrets introduce hidden layers of interdependence. “It’s a lot more complex than we think it is,” he warned. His advice: “Begin planning today; experiment in a small area, understand what you’re getting into and then chart out a plan that works for you.”

Singapore FinTech Festival reflects shifting tone

Harishankar said the Singapore FinTech Festival has become a catalyst for more serious regional engagement. “This is the second year we are at the Singapore Fintech Fest, and this is by far one of the largest and well attended fintech festivals of this kind,” he said.

What struck him was a shift from vendor-driven awareness to enterprise-driven demand.
“Up until now… it has been us pushing the message out. Now I’m seeing enterprises beginning to pull and say, ‘I see this and I need to take some action here.’” This shift, he said, indicates that regional institutions are entering a phase of concrete planning rather than conceptual interest.

A call to action for financial institutions

The financial sector has historically been an early adopter of security technologies. Harishankar expects it to lead the quantum-safe transition, but warns that delay carries material risk. PQC migration will affect core banking systems, payments infrastructure, identity architectures, data governance and third-party ecosystems.

His guidance is simple yet urgent. “Begin planning today,” he said. “Experiment in a small area, understand what you’re getting into and then chart out a plan that works for you.”

Quantum computing will redefine the trust assumptions that underpin global finance. Institutions that act now—building cryptographic inventories, mapping dependencies, embedding crypto-agility and engaging vendors—will be best positioned to safeguard their systems as the post-quantum era arrives.