Don’t Wait for Q-Day: Why the Quantum Threat Is Already Here
Key Takeaways
- Quantum Risk Is Already Active: “Harvest now, decrypt later” attacks mean sensitive data is being collected today for future decryption, making this a present, not future, risk.
- Retroactive Exposure Changes Everything: Unlike traditional breaches, quantum threats create backward-looking risk, potentially exposing years of previously secure communications.
- High-Value Data Faces Long-Term Risk: Government, financial, healthcare, and legal data remain sensitive for years, making them prime targets for future decryption.
- Third-Party Risk Expands Exposure: Weak encryption across vendors and partners can undermine even strong internal controls, elevating the importance of quantum readiness in TPRM.
- Migration Must Start Now: With NIST post-quantum standards finalized, organizations that delay cryptographic transition risk being unprepared when Q-Day arrives.
Deep Dive
There is a date that does not yet appear on any calendar. Cybersecurity experts refer to it as Q-Day, the moment a quantum computer becomes capable of running Shor's algorithm at scale and breaking the public-key cryptography (RSA, Diffie-Hellman and the elliptic-curve schemes) that underpins key exchange and digital signatures for nearly all sensitive digital communications worldwide. No one knows the precise timing. Estimates range from a few years to a decade or more.
But here is what we do know—and what every organization, government, and individual with sensitive information must understand: the damage may already be in progress.
This article isn’t about a threat that is coming; it’s about a threat that has quietly and invisibly already started.
The Invisible Threat: Harvest Now, Decrypt Later
Perhaps the most unsettling aspect of Q-Day is that its damage has likely already started. Intelligence agencies and advanced adversaries are widely believed to be carrying out what security experts call “harvest now, decrypt later” attacks.
The idea is simple and frightening: intercept and store large volumes of encrypted traffic now, handshakes included, with the goal of decrypting it once quantum computers become strong enough to break the key exchange that protected it.
Consider what type of information will remain valuable years from now:
- State secrets and military communications
- Corporate intellectual property and trade secrets
- Medical records and personal health information
- Financial transactions and account information
- Diplomatic cables and government correspondence
- Personal communications of political leaders and executives
All of this data crosses the internet every day, and its confidentiality rests on a key exchange (RSA key transport, Diffie-Hellman or an elliptic-curve variant) that a quantum computer running Shor's algorithm will eventually break. The bulk cipher, usually AES, is not the weak point: the session key it uses can be recovered from the captured handshake, and with it every byte that followed. If that traffic is being collected and stored now, Q-Day will not just expose future communications; it will unlock everything intercepted in the years, possibly the decade, leading up to it.
This is why many cybersecurity experts contend that the quantum threat is a current issue, not a future one. Data collected today cannot be un-collected, and nothing done later can re-protect it. The only defense is to establish session keys with quantum-resistant key exchange, or with a hybrid that pairs a classical curve with a post-quantum KEM, before the traffic is captured.
Why the Clock Is Already Running
Most cybersecurity threats follow a forward-looking timeline. A breach occurs, and the impact is assessed from that moment onward. Quantum computing completely alters this perspective.
Since adversaries can store encrypted data indefinitely and decrypt it later, the exposure becomes retroactive. In a very real sense, the breach has already happened.
Consider the shelf life of sensitive data. A classified government communication intercepted today may remain operationally sensitive for a decade or more. A corporate acquisition strategy, a pharmaceutical research file, a diplomatic negotiation—they are not fleeting documents. Their value endures long after they are transmitted.
If an adversary is archiving this data today, they do not need quantum computing to exist yet. They just need to be patient.
In September 2022, the United States National Security Agency (NSA) published its Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) guidance, setting dated migration requirements for national security systems and citing the risk that adversaries collect encrypted data now for decryption later. The National Institute of Standards and Technology (NIST) finalized its first three post-quantum cryptography (PQC) standards in August 2024 (FIPS 203, 204 and 205), capping a public selection process that began in 2016 and showing how seriously the government takes this threat.
These are not just theoretical warnings. They are institutional signals that the window to act is closing.
Who Is Most at Risk Right Now
While every organization that handles sensitive data has some level of exposure, certain sectors face higher risks due to the long-term value of their information assets.
Government and Defense
State secrets, military strategy, and intelligence assets remain indefinitely sensitive. Any government communication intercepted today that remains operationally relevant in five to ten years could lead to a disastrous future disclosure. Defense contractors and their supply chains are also vulnerable, as an adversary who cannot breach a primary contractor directly might instead collect encrypted communications from a third-party vendor with weaker protections.
Financial Institutions
Banking and financial services organizations transfer large amounts of sensitive data daily, much of which has long-term regulatory and legal importance. Transaction records, account structures, and strategic communications all have extended value durations. Financial institutions are also highly interconnected through third-party relationships, greatly expanding the attack surface.
Healthcare Organizations
Medical records are among the most sensitive and enduring types of personal data. A patient’s health history never expires. If these records are collected using today’s encryption and decrypted years later, the privacy risks are serious, and the regulatory consequences under laws like the Health Insurance Portability and Accountability Act (HIPAA) could be significant.
Legal and Professional Services
Attorney-client privilege exists precisely because confidentiality in legal communications is essential to the justice system. If encrypted communications between lawyers and clients are being intercepted now, the potential retroactive exposure of privileged information would be unprecedented in its consequences.
The same concern applies to accounting firms, consulting practices, and any professional services organization managing sensitive client matters.
The Third-Party Risk Dimension
One of the most overlooked aspects of quantum risk is how it spreads through third-party relationships. An organization might invest heavily in its own cryptographic systems, but if a key vendor, partner, or supplier is sharing sensitive data with weak encryption, the entire network is at risk.
This is not a hypothetical concern. Third-party risk management (TPRM) professionals are increasingly recognizing that quantum readiness should become a standard part of vendor due diligence.
Just as organizations today ask vendors about their data breach response capabilities, encryption standards, and access controls, they need to start asking:
What is your quantum migration plan?
Organizations that neglect to consider their vendor ecosystem are making a serious mistake. A chain is only as strong as its weakest link, and in the quantum era, a vendor with outdated cryptographic practices becomes a liability that could compromise the entire relationship.
What Organizations Should Be Doing Today
The good news is that there are clear, actionable steps available right now. Quantum-resistant cryptography is not just a future technology—it exists today. The real challenge lies in migration.
Organizations that start the process now will be in a much stronger position than those that wait.
Conduct a Cryptographic Inventory
Before migrating to quantum-resistant encryption, organizations must understand their current cryptographic posture. This means inventorying every system, application, and data flow that relies on encryption, recording which key-exchange, signature, and bulk-cipher algorithms each one uses, and noting how long the data it protects stays sensitive. The systems where a long shelf life meets a classical key exchange are the ones exposed to "harvest now, decrypt later" today, and they belong at the top of the migration list.
This process is often more complex than it appears, especially in organizations with legacy systems and extensive third-party integrations.
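The prioritisation step above can be made mechanical. The following is an added example, not code from the article or its author: it takes a constructed inventory (hypothetical systems, not real ones), separates the algorithms a quantum computer breaks retroactively (key exchange) from those it breaks only going forward (signatures), and ranks systems with Mosca's inequality, shelf life plus migration time against an assumed years-to-CRQC figure. The planning numbers in the usage call are assumptions for illustration.

```python
"""Triage a cryptographic inventory for harvest-now-decrypt-later exposure.

Added example, not from the article. INVENTORY is constructed, and the CRQC
horizon and migration time passed to triage() are assumed planning figures.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Key-establishment and signature families broken by Shor's algorithm on a
# cryptographically relevant quantum computer (CRQC).
SHOR_BROKEN = {
    "RSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "EdDSA", "Ed25519",
    "X25519", "X448", "secp256r1", "secp384r1", "ffdhe2048", "ffdhe3072",
}
# FIPS 203 ML-KEM parameter sets and the TLS hybrid groups that pair one with a classical curve.
PQ_KEM = {"ML-KEM-512", "ML-KEM-768", "ML-KEM-1024",
          "X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
# FIPS 204 ML-DSA and FIPS 205 SLH-DSA parameter sets.
PQ_SIG = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87",
          "SLH-DSA-SHA2-128s", "SLH-DSA-SHA2-192s", "SLH-DSA-SHA2-256s"}


@dataclass
class Record:
    system: str
    kex: str               # key-establishment algorithm or TLS group
    sig: str               # authentication / signature algorithm
    cipher: str            # bulk cipher
    shelf_life_years: int  # how long the protected data stays sensitive


@dataclass
class Finding:
    system: str
    priority: str = "P3"
    issues: list[str] = field(default_factory=list)

    def raise_to(self, p: str) -> None:
        """Priorities compare as strings, so 'P1' is more urgent than 'P2'."""
        self.priority = min(self.priority, p)


def family(alg: str) -> str:
    """Reduce an inventory string to its algorithm family:
    'RSA-2048' -> 'RSA', 'ECDHE-P-256' -> 'ECDHE', 'ML-KEM-768' -> 'ML-KEM-768'."""
    if alg in PQ_KEM or alg in PQ_SIG:
        return alg
    return alg.split("-", 1)[0]


def triage(records: list[Record], years_to_crqc: int, migration_years: int) -> list[Finding]:
    """Rank systems by quantum exposure.

    Mosca's inequality decides the top priority: if shelf life (x) plus
    migration time (y) exceeds the estimated time to a CRQC (z), traffic
    captured today under a Shor-breakable key exchange will still be
    sensitive when it becomes decryptable.
    """
    findings = []
    for r in records:
        f = Finding(r.system)
        kex, sig = family(r.kex), family(r.sig)
        if kex in SHOR_BROKEN:
            f.issues.append(f"key exchange {r.kex} is Shor-breakable; captured sessions are decryptable after Q-Day")
            f.raise_to("P1" if r.shelf_life_years + migration_years > years_to_crqc else "P2")
        elif kex not in PQ_KEM:
            f.issues.append(f"key exchange {r.kex} unrecognised; classify manually")
            f.raise_to("P2")
        if sig in SHOR_BROKEN:
            # Signatures are forgeable only once a CRQC exists; sessions already completed stay authentic.
            f.issues.append(f"signature {r.sig} is Shor-breakable; forgeable after Q-Day, migrate before it")
            f.raise_to("P2")
        elif sig not in PQ_SIG:
            f.issues.append(f"signature {r.sig} unrecognised; classify manually")
            f.raise_to("P2")
        if r.cipher.startswith("AES-128"):
            f.issues.append("AES-128: Grover's algorithm halves the security level in bits; use AES-256 for long-lived data")
        elif r.cipher.startswith(("3DES", "DES", "RC4")):
            f.issues.append(f"{r.cipher} is already broken classically; replace regardless of Q-Day")
            f.raise_to("P1")
        findings.append(f)
    return sorted(findings, key=lambda x: x.priority)  # stable: ties keep inventory order


INVENTORY = [  # constructed sample records, not real systems
    Record("vpn-gateway", "ECDHE-P-256", "RSA-2048", "AES-256-GCM", 15),
    Record("public-web", "X25519MLKEM768", "ECDSA-P-256", "AES-128-GCM", 1),
    Record("partner-sftp", "DH-2048", "RSA-3072", "AES-128-CTR", 7),
    Record("legacy-pos", "RSA-2048", "RSA-2048", "3DES-CBC", 2),
]

if __name__ == "__main__":
    # Assumed planning figures: CRQC in 10 years, 3 years to migrate a system.
    for finding in triage(INVENTORY, years_to_crqc=10, migration_years=3):
        print(f"[{finding.priority}] {finding.system}")
        for issue in finding.issues:
            print(f"    - {issue}")
```

With the assumed figures the VPN gateway ranks P1 because fifteen years of shelf life plus three years of migration exceeds a ten-year horizon, while the SFTP link (seven plus three) sits exactly at the boundary and stays P2; shorten the horizon or lengthen the migration estimate by a year and it moves to P1. The public web server is P2 despite its hybrid key exchange because its ECDSA certificate is still classical, which is the non-retroactive half of the problem.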
Begin Migration to NIST-Approved Post-Quantum Algorithms
NIST finalized its initial post-quantum cryptography standards in August 2024: ML-KEM (FIPS 203, derived from CRYSTALS-Kyber) for key encapsulation, ML-DSA (FIPS 204, derived from CRYSTALS-Dilithium) for digital signatures, and SLH-DSA (FIPS 205, derived from SPHINCS+) as a hash-based signature alternative. These algorithms are designed to withstand attacks from both classical and quantum computers.
Organizations should begin planning, and where possible implementing, migration to these standards now. Key exchange for long-lived data comes first, because that is where "harvest now, decrypt later" bites; in TLS the common first step is a hybrid group that combines a classical curve with ML-KEM, so the session stays protected if either component fails. Signatures can follow, since a forged signature harms only sessions established after Q-Day, but certificate chains and firmware-signing keys have long lifetimes of their own and need a dated plan.
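What that first step looks like at one endpoint, as an added illustration that is not part of the article: the weak and the migrated form of an nginx TLS configuration. It assumes nginx built against OpenSSL 3.5 or later, which ships ML-KEM and spells the hybrid group X25519MLKEM768; the group list is the only difference between the two forms.

```nginx
# Before: classical-only key exchange. Every session key can be recovered
# from a captured handshake once a CRQC exists.
ssl_protocols   TLSv1.2 TLSv1.3;
ssl_ecdh_curve  X25519:prime256v1;

# After: offer the ML-KEM hybrid first. TLS 1.3 clients that support it get
# a session key that stays secret even if the X25519 half is later broken;
# older clients fall back to the classical groups that follow.
ssl_protocols   TLSv1.2 TLSv1.3;
ssl_ecdh_curve  X25519MLKEM768:X25519:prime256v1;
```

Verify from a client with `openssl s_client -connect example.com:443 -groups X25519MLKEM768 </dev/null` and look for the line `Negotiated TLS1.3 group: X25519MLKEM768` in the output (wording as OpenSSL 3.x prints it; the host name is a placeholder). Only TLS 1.3 negotiates the hybrid: any TLS 1.2 session is still classical key exchange, so retiring TLS 1.2 where clients allow closes that path.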
Integrate Quantum Readiness into Vendor Risk Assessments
Third-party risk assessments should include quantum readiness as a standard factor. Beyond asking whether a vendor is aware of the threat, ask for specifics: whether they maintain a cryptographic inventory, which key-exchange and signature algorithms their customer-facing endpoints offer, whether they already support hybrid post-quantum key exchange in TLS and VPN products, and a dated migration timeline that can be checked against the NIST standards.
Organizations with mature TPRM programs should incorporate quantum-specific questionnaires and scoring criteria into their vendor lifecycle management processes.
Reassess Data Retention Policies
The “harvest now, decrypt later” threat is especially risky for data that remains sensitive over extended periods. Organizations should collaborate with legal and compliance teams to identify which categories of stored data are most vulnerable and whether current retention periods pose unnecessary risks.
In some cases, reducing long-retained sensitive data can itself lower quantum risk.
Engage Leadership and the Board
Quantum risk is not solely a technical issue for IT departments. The strategic, financial, and reputational risks of future data exposure require awareness at the board level and support from top executives.
CISOs and risk leaders should be prepared to explain the “harvest now, decrypt later” threat in terms that resonate with non-technical stakeholders and advocate for investment in quantum-resistant infrastructure today.
The Window to Act Is Already Closing
There is a temptation in cybersecurity, as in many areas, to treat future threats as problems for the future.
Q-Day is not a distant problem. It is a current issue with a looming deadline.
Each day that passes without action is a day when adversaries—already waiting for quantum computing to advance—may be collecting sensitive data.
The organizations that will emerge from Q-Day with their data, their reputations, and their relationships intact are not the ones that act when quantum computing arrives.
They are the ones acting now.
Q-Day is approaching. However, its damage might already be in progress. The only question left is whether your organization will be one of those that anticipated it—or one that becomes its newest retroactive victim.
About the Author
Norman J. Levine is the Founder of Cyber Risk Partners LLC and Chief Operating Officer at RiskQ. He holds CISA and CDPSE certifications and brings more than 20 years of experience in Third-Party Risk Management, Governance, Risk, and Compliance, and Data Privacy across Fortune 500 organizations.
He is under contract with Taylor & Francis to publish The Future of Third-Party Risk Management & Data Privacy in 2026 and serves on the cybersecurity advisory boards of Pace University and Seton Hall University.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.