Quantum Computing and the Expansion of Cybersecurity Risk
Modern encryption standards and techniques have been used by companies and governments to secure precious information—from financial transactions and medical records to cryptocurrency, intellectual property, personal information, and national secrets. It underpins trust in everything from cloud computing to critical infrastructure. The digital economy relies on encryption developed through complex mathematical problems that cannot be solved using today’s computing technology – “classical computing.” In short, our cybersecurity and data protection standards rest on a strong foundation based on scientific and mathematical frameworks that are not capable of being disrupted by current technology.
However, the sustained and rapid development of quantum computing threatens that foundation. Quantum computing is no longer a distant theoretical risk – it is an increasingly likely capability that will fundamentally impact how high-value, sensitive information is protected.
This reality requires significant thought and planning to prepare for the transition of data and cyber protections that will be safe under an entirely different framework.
What Is Encryption and How Does Quantum Impact It?
The fundamental component of data protection, whether the information secured is personal data, payment data, or messages, is encryption. Encryption is based on classical mathematics – a world in which things have defined values, as opposed to quantum mathematics, where things are defined in terms of probabilities.
While a technical review of encryption based on cryptographic principles is beyond the scope of this article, encryption can be understood as a technique through which data is translated into an unusable format to protect that data while it is being stored or sent.1 Decryption is the process of decoding that data into its readable form using keys. Importantly, an encryption key is a large, random set of digits representing very large numbers. In practice, these numbers cannot be guessed through “brute force” techniques on the classical computers we are all familiar with.
But quantum computers are far more powerful and significantly faster than classical computers because they leverage the unique properties of quantum mechanics such as superposition and entanglement.2 Quantum computers can process more information and perform multiple calculations at once, whereas classical computers can only do one at a time. So, a calculation that would take a classical computer hundreds or thousands of years to complete can be done by quantum computers in minutes or hours.
Ultimately, viable quantum computing is a medium-term opportunity and risk. A quantum computer capable of breaking modern encryption standards is several years away but once that threshold is crossed, a day commonly referred to as Q-Day,3 current data security standards will no longer be effective.
Timeline
Even though quantum computers that are capable of fully breaking modern encryption are not yet in existence, but progress in quantum technology is accelerating, with researchers and scientists making breakthroughs every day.
In 2019 Google AI researcher Craig Gidney estimated that it would take 20 million qubits running for 8 days to break RSA encryption.4 In 2025 that same researcher updated his estimate, stating that “2048-bit RSA encryption could theoretically be broken by a quantum computer with 1 million noisy qubits running for one week.”5
As of late 2025, quantum computers from IBM, Google, Atom Systems, and others operate in the hundreds or thousands of qubits.6 However, quantum research and development is progressing rapidly, and the updated estimate represents a 95% reduction in the number of qubits required over a six-year period. It’s difficult to estimate the exact timing, but many experts predict that achieving the number of stable, logical qubits needed to break encryption is roughly five to 10 years away.7
Implementing, inventorying, and migrating cryptographic systems across organizations is a long-term process, and planning should account for this time horizon. It is critical that companies are proactive in making their systems quantum safe, because it’s very possible that Q-Day will arrive silently – occurring over a period of days, weeks, or even months.
In fact, quantum computing represents an ongoing and current threat to data security. In a technique known as “Harvest Now, Decrypt Later,” threat actors are currently stealing protected and valuable private data that they can decrypt, monetize, or abuse post Q-Day to severely disruptive effect.8
What Companies Should Do
Any organization that relies on encryption – effectively every modern company – is exposed. Executives should view quantum risk as:
- A strategic business risk, not a technical curiosity
- A long-lead transformation challenge, not a last-minute patch
- A board-level issue with regulatory, legal, and reputational consequences
Realizing the broad potential impacts, the U.S. National Institute of Standards and Technology (NIST) led an effort to develop post-quantum cryptography (PQC) standards,9 and in 2024 NIST released the first round10 of quantum-safe encryption standards and adoption timelines.11 These standards are publicly available, and organizations should implement them now to protect their networks from potential quantum attacks in the future.
The efforts to develop these standards send a clear message: the threat is on the horizon, and the companies who dawdle or ignore the threat will face increasing regulatory and commercial pressure.
Forward-looking organizations are already acting. In addition to reviewing the NIST guidelines and implementing PQC standards, key steps that organizations should be taking include:
Inventory assets
Understand where encryption is used, what algorithms are deployed, and which data has long-term sensitivity.
Assess data longevity
Determine which data must remain confidential for decades and prioritize its protection.
Engage leadership early
Quantum readiness should be owned at the executive and board level, not buried in IT.
Design for agility
Ensure systems can easily swap cryptographic algorithms without major redesign.
Strategic Planning for Post-Quantum Crises
Beyond the technical fixes, quantum risk poses an enterprise-level challenge to organizations that rely on the safe transmission and storage of data. Under current conditions, a cyber attack or data breach can have a deleterious effect on an organization’s operations, ability to communicate with stakeholders, and market reputation. In the quantum era, this risk is amplified.
To counterbalance this risk, organizations should bake quantum risk into their emergency management and business continuity plans. Crisis communications planning is a cornerstone of ongoing business continuity preparedness. Reputational and communications challenges will be exacerbated post Q-Day, when executive, legal and communications teams will be forced to grapple with quantum concepts, convey those concepts to stakeholders, and ultimately explain why the preceding decade was not leveraged for training, development, and investment to keep consumer and other data safe.
Conclusion
The question for leaders is not if quantum will break encryption, but whether if their organizations is ready when it does. Those who act early will mitigate risk to their business, while those who wait may discover – too late – that their most valuable data has already been compromised, and trust with their most important stakeholders has been eroded.
Preparation for the quantum era is not optional. It is the price of continued trust in a digital world.
Additional Quantum Insights
Related Expertise
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2026 FTI Consulting, Inc.
All rights reserved. fticonsulting.com
References
[1] “What is encryption?”, IBM (last accessed February 13, 2026), https://www.ibm.com/think/topics/encryption
[2] “What is quantum computing,” IBM (last accessed February 13, 2026), https://www.ibm.com/think/topics/quantum-computing#:~:text=By%20taking%20advantage,minutes%20or%20hours.
[3] “What Is Q-Day, and How Far Away Is It—Really?”, Palo Alto Networks (last accessed February 13, 2026), https://www.paloaltonetworks.com/cyberpedia/what-is-q-day
[4] Craig Gidney and Martin Ekera, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Google Inc. (May 24, 2019), chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://arxiv.org/pdf/1905.09749v1
[5] Craig Gidney, “Tracking the Cost of Quantum Factoring,” Google Security Blog (May 23, 2025), https://security.googleblog.com/2025/05/tracking-cost-of-quantum-factori.html
[6] Karmela Padavic-Callaghan, “Device with 6100 qubits is a step towards largest quantum computer yet,” New Scientist (Septeber 24, 2025), https://www.newscientist.com/article/2497439-device-with-6100-qubits-is-a-step-towards-largest-quantum-computer-yet/
[7] “What Is Post-Quantum Cryptography?” U.S. National Institute of Standards and Technology (NIST) (created August 13, 2024; updated June 11, 2025), https://www.nist.gov/cybersecurity/what-post-quantum-cryptography#:~:text=No%20one%20knows%20how%20long,harvest%20now%2C%20decrypt%20later%E2%80%9D?
[8] ld.
[9] “Post-Quantum Cryptography,” U.S. National Institute of Standards and Technology (NIST) (created January 3, 2017; updated December 11, 2025), https://csrc.nist.gov/projects/post-quantum-cryptography#pqc-standards
[10] “NIST Releases First 3 Finalized Post-Quantum Encryption Standards,” U.S. National Institute of Standards and Technology (NIST) (released August 13, 2024; updated August 29, 2025), https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
[11] Dustin Moody, Ray Perlner, Andrew Regenscheid, Angela Robinson, David Cooper, “Transition to Post-Quantum Cryptography Standards,” U.S. National Institute of Standards and Technology (NIST) NIST Internal Report NIST IR 8547 ipd (November 2024), chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
