Challenge
A global financial institution recognized the looming threat that quantum computers pose to its long-term data security. Much of the bank’s sensitive data – customer information, transaction records, cryptographic keys – needed to remain confidential for decades. Yet widely used encryption schemes (like RSA and ECC) could be broken by future quantum algorithms, meaning today’s secure communications might be vulnerable to a “harvest now, decrypt later” attack. The challenge was enormous: thousands of applications and systems across the bank were using cryptography, often with little centralized visibility. The bank needed a comprehensive cryptographic modernization plan to safeguard data against quantum threats and to comply with emerging regulatory expectations for post-quantum readiness.
Furthermore, the bank faced a complex IT landscape with layers of legacy systems alongside modern digital services. Identifying every instance of cryptography in such a vast environment was a daunting task. Leadership was concerned not only about external threats but also about meeting regulatory timelines – financial regulators and government agencies were signaling that institutions should prepare for post-quantum cryptography (PQC) within the next several years. The problem was clear: how could the bank systematically upgrade or replace its cryptographic foundation without disrupting daily operations or customer trust?
How Applied Quantum Helped
Our team partnered with the bank to develop a cryptographic inventory and PQC migration roadmap from the ground up. As a first step, we conducted a thorough Cryptographic Bill of Materials (CBOM) exercise. This meant inventorying all cryptographic assets across the bank’s thousands of applications, databases, and network devices. We worked closely with application owners and security teams to catalogue every instance of encryption or digital signature: the algorithms in use (RSA, ECC, AES, 3DES, etc.), key lengths, certificate dependencies, and the data those cryptographic controls were protecting. This CBOM provided the bank’s CISO and architects with unprecedented visibility into where and how encryption was used enterprise-wide. By shining a light on legacy areas – for example, an older payment system using 1024-bit RSA keys – the bank could pinpoint vulnerabilities that would be first to fail against a quantum attacker.
With the cryptographic inventory in hand, we moved on to assess the “harvest now, decrypt later” exposure. We analyzed which data and transactions would still be sensitive in 5, 10, or 20 years and could be intercepted today by adversaries preparing for future decryption. For instance, long-term customer account data, archived transaction logs, and inter-bank communications were examined for risk. If such data is encrypted with algorithms like RSA-2048, an adversary could conceivably record it now and decrypt it once quantum computing capabilities mature. Our analysis identified these high-risk data flows and storage systems, helping the bank prioritize which areas required urgent transition to quantum-safe encryption.
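The two steps above, the CBOM inventory and the “harvest now, decrypt later” triage built on it, can be expressed as a small scoring routine. The following is an added example, not Applied Quantum's or the bank's tooling: each CBOM entry records the algorithm, key length, the data it protects, how long that data must stay confidential, and whether the ciphertext is exposed to capture today. The exposure test is Mosca's inequality (data lifetime plus migration time exceeding the estimated years until a cryptographically relevant quantum computer), which is an assumed planning rule; the 2048-bit RSA policy floor, the 5-year migration and 10-year CRQC parameters, and the sample inventory are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

# Public-key algorithms that Shor's algorithm breaks on a cryptographically
# relevant quantum computer (CRQC). Symmetric ciphers such as AES-256 only
# lose half their effective strength to Grover's algorithm, so they are not
# listed here; legacy ciphers are tracked separately as policy violations.
SHOR_BROKEN = {"RSA", "ECDH", "ECDSA", "DH", "DSA"}
LEGACY_SYMMETRIC = {"3DES", "RC4"}
MIN_RSA_BITS = 2048  # assumed policy minimum for any remaining RSA use


@dataclass
class CryptoAsset:
    """One CBOM entry: which algorithm protects which data, and for how long."""
    system: str
    algorithm: str
    key_bits: int
    protects: str
    lifetime_years: int   # how long the protected data must stay confidential
    recordable: bool      # True if ciphertext can be captured today (network, shared archive)


@dataclass
class Finding:
    system: str
    tier: str
    reasons: List[str]


def assess(asset: CryptoAsset, migration_years: int, years_to_crqc: int) -> Finding:
    """Classify one CBOM entry into a migration phase.

    The harvest-now-decrypt-later test is Mosca's inequality (an assumed
    planning rule): data is exposed when lifetime + migration_time exceeds
    years_to_crqc, because an adversary recording the ciphertext today will
    have a CRQC before the data stops mattering.
    """
    reasons = []
    hndl = False
    weak_key = asset.algorithm == "RSA" and asset.key_bits < MIN_RSA_BITS
    if weak_key:
        reasons.append(f"RSA-{asset.key_bits} is below the policy minimum of {MIN_RSA_BITS} bits")
    if asset.algorithm in SHOR_BROKEN:
        if asset.recordable and asset.lifetime_years + migration_years > years_to_crqc:
            hndl = True
            reasons.append(
                f"harvest-now-decrypt-later exposure: {asset.lifetime_years}y lifetime "
                f"+ {migration_years}y migration > {years_to_crqc}y to CRQC"
            )
        elif not asset.recordable:
            reasons.append("quantum-vulnerable algorithm, but ciphertext is not exposed to capture")
        else:
            reasons.append("quantum-vulnerable algorithm, but data expires before the CRQC estimate")
    if asset.algorithm in LEGACY_SYMMETRIC:
        reasons.append(f"{asset.algorithm} is a legacy cipher that is already out of policy")

    if hndl or weak_key:
        tier = "phase-1"
    elif reasons:
        tier = "phase-2"
    else:
        tier = "monitor"
    return Finding(asset.system, tier, reasons)


def build_roadmap(inventory: List[CryptoAsset], migration_years: int = 5,
                  years_to_crqc: int = 10) -> List[Finding]:
    """Order the whole CBOM into phases, most urgent first (then by system name)."""
    order = {"phase-1": 0, "phase-2": 1, "monitor": 2}
    findings = [assess(a, migration_years, years_to_crqc) for a in inventory]
    return sorted(findings, key=lambda f: (order[f.tier], f.system))


# Constructed sample inventory, modelled on the kinds of systems the case study mentions.
SAMPLE_CBOM = [
    CryptoAsset("legacy-payments", "RSA", 1024, "payment instructions", 3, True),
    CryptoAsset("tape-archive", "RSA", 2048, "transaction history backups", 25, True),
    CryptoAsset("interbank-link", "ECDH", 256, "inter-bank messages", 10, True),
    CryptoAsset("hsm-internal", "RSA", 4096, "key wrapping inside the HSM", 30, False),
    CryptoAsset("db-at-rest", "AES", 256, "customer records", 25, False),
    CryptoAsset("batch-file-xfer", "3DES", 168, "nightly settlement files", 1, True),
]

if __name__ == "__main__":
    for f in build_roadmap(SAMPLE_CBOM):
        print(f"{f.tier:8} {f.system:16} {'; '.join(f.reasons) or 'no finding'}")
```

Running it places the 1024-bit RSA payment system, the 25-year tape archive and the 10-year inter-bank flow in phase 1, the HSM-internal wrapping keys and the 3DES file transfer in phase 2, and leaves AES-256 at rest under monitoring; raising the CRQC estimate to 20 years moves the inter-bank flow to phase 2 while the archive stays in phase 1, which is the prioritization effect the assessment was after.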
Using the risk assessment and inventory, we then collaborated with the bank to design a multi-year PQC migration and crypto-agility roadmap. This roadmap was aligned with both the bank’s technology refresh cycles and regulatory guidance (such as anticipated deadlines from central banks or cybersecurity authorities for quantum-safe readiness). Key elements of the roadmap included:
- Prioritized Migration Phases: We defined which systems and applications to transition first. For example, systems handling long-lived sensitive data (like tape backups of transaction histories or keys that secure customer data) were slated in earlier phases, whereas more transient systems could be updated later.
- Introduction of Post-Quantum Algorithms: We recommended and planned pilot implementations of NIST-recommended post-quantum algorithms (such as lattice-based encryption for key exchange and digital signatures) in non-production environments. This allowed the bank’s engineers to familiarize themselves with PQC performance and integration challenges early on.
- Crypto-Agility by Design: The roadmap emphasized embedding crypto-agility into the bank’s systems. We updated architectural standards so that new applications must support pluggable cryptographic modules (able to swap out algorithms easily). In practice, this meant establishing standardized APIs and libraries for cryptography, so that when PQC algorithms are standardized and approved, they can be adopted by simply updating these libraries rather than rewriting entire applications.
- Governance and Training: We helped set up a governance structure to oversee the cryptographic modernization program, including roles for executive sponsorship (the CISO and CTO jointly) and a working group of cryptography experts within the bank. We also ran training workshops for development and security teams, so they understood the rationale for PQC migration and how to implement new algorithms correctly.
Throughout the engagement, our team worked hand-in-hand with the bank’s stakeholders. We facilitated communication with regulators by providing documentation of the bank’s quantum-security strategy, showing that the institution was proactively addressing the threat. We also coordinated with the bank’s vendors and technology partners – for example, ensuring that hardware security module (HSM) providers and core banking software vendors had roadmaps to support PQC, so that the bank’s plans would not hit unforeseen obstacles.
Outcome
By the end of this engagement, the global bank had a clear and actionable quantum-security strategy in place. The cryptographic inventory (CBOM) became a living resource: the bank integrated it into its configuration management database, continuously updating it as systems evolved. This means the organization now has ongoing visibility into its cryptographic posture, making it far easier to spot weaknesses (like an out-of-policy algorithm) and address them promptly.
The bank’s leadership formally approved the multi-year PQC migration roadmap, backed by dedicated budget and resources. Early wins from the roadmap were already apparent. In one instance, the bank upgraded a high-value data archive from RSA encryption to a hybrid approach using both classical and post-quantum algorithms, significantly reducing the risk of that archive being compromised in the future. Several pilot projects successfully demonstrated that new PQC algorithms could be integrated into the bank’s software stack without significant performance loss, paving the way for broader deployment as standards mature.
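The crypto-agility item in the roadmap (a standardized API behind which algorithms can be swapped) and the hybrid classical-plus-post-quantum upgrade described above fit together in one pattern: application code names a key-agreement policy, a table maps the policy to the component algorithms that must contribute, and a combiner derives the session key from all of them. The following is an added example, not the bank's or Applied Quantum's code; the policy labels (`classical-v1`, `hybrid-v2`) and component names are illustrative, and the component shared secrets are constructed bytes standing in for what real key-exchange providers would return. The combiner is the concatenate-then-HKDF construction commonly used for hybrid key exchange; its useful property is that the key remains secret while any one component algorithm remains unbroken, and a peer that omits a required component is refused rather than silently downgraded.

```python
import hashlib
import hmac
from typing import Dict, List

# Policy table consulted by application code. Applications name a policy; the
# table decides which key-establishment components must feed the session key.
# Moving from classical to hybrid, and later to a PQ-only policy, is then a
# configuration change rather than an application rewrite.
# The labels are illustrative, not the bank's actual standard.
KEY_AGREEMENT_POLICIES: Dict[str, List[str]] = {
    "classical-v1": ["x25519"],
    "hybrid-v2": ["x25519", "ml-kem-768"],
}


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-and-expand (RFC 5869) with HMAC-SHA256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(policy: str, components: Dict[str, bytes], transcript: bytes) -> bytes:
    """Hybrid combiner: every shared secret the policy requires is concatenated
    in the policy's fixed order and run through HKDF, with the handshake
    transcript as salt and the policy name as context. Only a party knowing all
    component secrets can compute the result, so it stays secure while any one
    component does. A missing required component (a downgrade) is rejected."""
    if policy not in KEY_AGREEMENT_POLICIES:
        raise ValueError(f"unknown key-agreement policy {policy!r}")
    required = KEY_AGREEMENT_POLICIES[policy]
    missing = [name for name in required if name not in components]
    if missing:
        raise ValueError(f"policy {policy} requires components {missing}; refusing downgrade")
    for name, secret in components.items():
        if name not in required:
            raise ValueError(f"component {name!r} is not part of policy {policy}")
        if len(secret) < 32:
            raise ValueError(f"component {name!r} shared secret is too short")
    ikm = b"".join(components[name] for name in required)
    info = b"session-key|" + policy.encode() + b"|" + ",".join(required).encode()
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(ikm, salt, info)


# Constructed inputs standing in for the outputs of real key-exchange providers.
CLASSICAL_SS = bytes(range(32))
PQ_SS = bytes(range(32, 64))
TRANSCRIPT = b"constructed: client_hello||server_hello"

if __name__ == "__main__":
    key = derive_session_key("hybrid-v2", {"x25519": CLASSICAL_SS, "ml-kem-768": PQ_SS}, TRANSCRIPT)
    print("hybrid-v2 session key:", key.hex())
```

Switching an application from `classical-v1` to `hybrid-v2` touches only the policy name it passes in; the component ordering, transcript binding and downgrade check live in the shared library, which is the point of standardizing the API before the algorithms themselves change.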
Crucially, the bank’s efforts were aligned with regulatory timelines. When regulators later issued guidelines for financial institutions to report on their quantum readiness, this bank was ahead of the curve, having already documented its cryptographic assets and transition plans. The outcome is that the institution is now widely seen as a leader in security innovation among its peers. Its customers and partners can have confidence that the bank is safeguarding their data not just against today’s threats, but tomorrow’s as well. In the words of the bank’s CISO, the project “gave us control over our cryptography in a way we never had before – we’re now confidently on track to be quantum-safe, with minimal disruption to the business.”
© 2025 Applied Quantum. All rights reserved