Today’s world runs on data, from emails and passwords to financial and medical records, from factories, schools and armies to energy grids and telecommunications networks. And encryption protects this data, preventing criminals and hackers and other bad actors from getting their hands on this precious resource.

      While cracking encryption would take a traditional computer billions of years, with the emergence of quantum computing these codes could potentially be broken in hours. It is possible that encrypted data may have already been stolen, with the anticipation that in the next decade or so, quantum computers might be able to decrypt this information. That’s a concerning prospect when you consider that certain types of data should be kept secure for many years or decades. These include health records and financial information, defense designs, autonomous systems and critical infrastructure, like payment systems, telecommunications and energy supply.

      Misuse of data has a real-world impact on people. When hackers are able to steal individuals’ identities to misdirect payments (such as house deposits or salaries), apply for credit cards or passports, or file for government benefits, the impacts to respective financial systems could stretch to trillions of dollars. Organizations could fall prey to phishing and malware attacks, leading to business interruption, ransoms and negative publicity.

      This is not a future problem but an immediate issue. On the one hand, numerous governments, companies and researchers are racing to scale up their quantum computing systems, with many technology companies producing quantum roadmaps towards large, error-corrected quantum computers. On the other hand, these organizations are also seeking smart ways to make it harder to crack encryption, by producing quantum-safe cryptosystems. Nor is it just a technological threat; there are likely to be regulations that could leave organizations facing penalties for failing to meet encryption standards, as well as being locked out of defense, national security, health and government contracts, as procurement requirements are updated.

      In the US, for example, the Quantum Computing Cybersecurity Preparedness Act requires federal government agencies to “adopt technology that will protect against quantum computing attacks.”1 The Australian Signals Directorate (ASD) has updated its guidelines for cryptography and information security.2,3 And in February 2025, Europol hosted a Quantum Safe Financial Forum (QSFF) event, calling on financial institutions and policymakers to prioritize the transition to quantum-safe cryptography.4 This has been followed by a European Commission transition timeline for critical infrastructure, starting in 2026 and to be completed by 2030.5 As quantum computing evolves, and the cyber threat increases, we can expect to see an increase in industry-specific frameworks, regulations, and best practice guidelines.

      Creating a quantum-resilient organization

      Encryption is typically implemented by internal IT teams, cloud and software providers. However, despite being totally reliant on encryption, many organizations know relatively little about how and where the data they use is encrypted. This magnifies the challenge of quantum resilience, which now calls for an understanding of both your own cryptographic implementation as well as all dependent systems.

      To protect against quantum cyber risk, organizations should adopt post-quantum cryptography (PQC) algorithms, which resist the efforts of powerful quantum computers. The US National Institute of Standards and Technology (NIST) has already made such algorithms available. Transitioning to PQC is a major effort over several years, involving the entire enterprise — not just IT — preferably overseen by a cross-organizational encryption leader.

      PQC algorithms would need to be implemented in various software solutions, including key libraries, digital signatures and authentication. Given the scale of the task, it’s important to broaden cyber expertise, plan budgets, and empower teams to manage this increasing risk, as part of a multi-year transition effort.

      Organizations should aim to build a cryptographic bill of materials (CBOM), to better understand what encryption is being used, and where. The CBOM lists all the cryptographic assets employed across software (including software-as-a-service), services, and infrastructure — within the enterprise and across the supply chain. It’s also vital to assess the level of risk of each asset, to prioritize high-value data — which varies between sectors. For consumer companies, for example, customer data is paramount; in life sciences, intellectual property is especially valuable. Other organizations may be keen to protect financial, operational, and employee information.
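An added example (not from the original article) of how a CBOM like the one described above can drive prioritization. The inventory entries, field names and the 10-year horizon are constructed assumptions; the ranking applies Mosca's inequality, which compares how long data must stay protected plus migration time against the assumed arrival of a capable quantum computer.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA"}
# NIST post-quantum standards (FIPS 203, 204, 205).
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric ciphers are not affected by Shor; Grover gives only a quadratic speed-up.
SYMMETRIC_STRONG = {"AES-256"}

@dataclass
class CryptoAsset:
    system: str           # where the cryptography is used
    algorithm: str        # algorithm family recorded in the CBOM
    data_class: str       # what the cryptography protects
    retention_years: int  # how long the protection must hold
    migration_years: int  # estimated time to move this system to PQC

def exposure_years(asset, horizon_years):
    """Years of protection still needed after the assumed horizon (0 if none)."""
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return 0
    return max(0, asset.retention_years + asset.migration_years - horizon_years)

def prioritize(cbom, horizon_years=10):
    """Return (system, algorithm, exposure) for at-risk assets, worst first."""
    scored = [(exposure_years(a, horizon_years), a) for a in cbom]
    ranked = sorted((p for p in scored if p[0] > 0), key=lambda p: p[0], reverse=True)
    return [(a.system, a.algorithm, e) for e, a in ranked]

def undiscovered(cbom):
    """Systems whose algorithm is not classified: a discovery gap, not a pass."""
    known = QUANTUM_VULNERABLE | POST_QUANTUM | SYMMETRIC_STRONG
    return [a.system for a in cbom if a.algorithm not in known]

# Constructed sample inventory (hypothetical systems and values).
CBOM = [
    CryptoAsset("payments-api-tls", "ECDH", "payment data", 7, 2),
    CryptoAsset("patient-records-archive", "RSA", "health records", 25, 3),
    CryptoAsset("firmware-signing", "ECDSA", "device firmware", 15, 4),
    CryptoAsset("vpn-gateway", "ML-KEM", "internal traffic", 10, 0),
    CryptoAsset("hr-file-share", "AES-256", "employee data", 7, 1),
    CryptoAsset("legacy-saas-export", "unknown", "customer data", 10, 2),
]

if __name__ == "__main__":
    for row in prioritize(CBOM):
        print(row)
    print("needs discovery:", undiscovered(CBOM))
```

Entries that cannot be classified are reported separately so that a gap in discovery is not mistaken for a low-risk asset.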

      These key efforts support the development of a roadmap for discovery, assessment, management, remediation and monitoring the transition to quantum resilience, and coping with ongoing risk. This requires coordination across the IT estate. With so many players involved in encryption, contractual agreements with third parties should specify appropriate levels of quantum cybersecurity and clarify how the PQC transition can be harmonized. Procurement strategies, whether for devices or software, should also be updated to include quantum-resistant technologies, so that these IT investments can support PQC requirements during their lifetime.

      As is already the case, it's vital to review data retention policies, to reduce the time that sensitive data is stored and only retain data that’s absolutely necessary, while deleting data no longer needed. To maintain operational continuity, organizations should make appropriate enhancements to security controls (based upon their unique risk profile) to integrate PQC, and to select and test quantum-safe, cryptographically agile solutions in their IT infrastructure, ahead of full deployment.

      Get started

      It is not yet a full quantum computing world, but it soon will be. As they prepare to adopt PQC, IT leaders should be aware that this is not a standalone project but a transition to a new business-as-usual. It will take several years and impact the entire enterprise, calling for multiple internal and external stakeholders to build a willing coalition. With bad actors always seeking to find ways to break encryption, organizations should continually re-evaluate their defenses. Getting started now, with a carefully managed plan for PQC transition, can help to keep one step ahead and maintain resilience and operations, with safe, secure data.



      1 H.R.7535 - Quantum Computing Cybersecurity Preparedness Act, US Government, December 21, 2022.

      2 Guidelines for cryptography, Australian Signals Directorate, July, 2025.

      3 Information Security Manual, Australian Signals Directorate, June, 2025.

      4 Call for action: urgent plan needed to transition to post-quantum cryptography together, Europol, February 7, 2025.

      5 A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography, European Commission, 23 June, 2025.

      Our people

      Michael Egan

      Director, Quantum Technologies

      KPMG Australia

      James Mabbott

      Partner in Charge, KPMG Futures

      KPMG Australia