For years, quantum computing has been discussed mostly in academic circles and research labs. But in 2025, it’s time for corporate boards to take notice, because this technology is no longer theoretical. It’s advancing quickly, and with it comes a significant cybersecurity risk that boards cannot afford to ignore.
Still Time – But Not to Waste
Encryption sits at the core of the issue. It acts as a digital “lock” safeguarding everything from customer information and financial records to confidential intellectual property and internal communications. Current encryption methods are secure because conventional computers would require thousands of years to break their algorithms. But quantum computers don’t play by those rules. When they reach full power, they will be able to break many of today’s most widely used encryption methods in a matter of hours or days.
While that critical moment is still years off, it doesn't mean organizations are secure in the interim. One of the most pressing vulnerabilities is the so-called “harvest now, decrypt later” threat. Bad actors already have an incentive to steal and store encrypted data today, with the goal of decrypting it later when quantum capabilities mature. This means that sensitive information collected and stored now, even if it’s protected today, could become exposed in the future. The risk is especially high for sectors like finance, defense, healthcare, and energy, where long-term confidentiality is critical. Authorities and technology advisors alike emphasize the urgency of transitioning to quantum-resistant algorithms long before “Q‑day” arrives.
Regulators Are Waking Up
Governments and scientists have been working on solutions, including new types of encryption designed to withstand quantum attacks. In the U.S., the National Institute of Standards and Technology (NIST) has spent years evaluating and selecting these so-called “quantum-safe” algorithms. The first standards have now been published, and more are on the way. That is a positive step, but most organizations have barely begun. A recent report shows that only 15% of companies have robust quantum‑safe strategies, while 30% significantly underestimate the threat, and the transition can take years.
The urgency is mirrored in regulatory and political arenas. In Washington, lawmakers are beginning to focus on this risk, and there are signs that quantum cybersecurity may become a formal regulatory priority in the near future. A recent U.S. Government Accountability Office (GAO) report warned that no single agency currently leads the national quantum cybersecurity strategy. In parallel, hearings in the Congressional Oversight Subcommittee reiterated the need for updated cybersecurity protocols to match quantum advances and maintain America’s global competitiveness. Boards that wait for external mandates may find themselves caught flat-footed.
Global Signals
In Europe, too, concern is growing. Surveys indicate that while 67% of European IT professionals expect quantum computing to reshape cybersecurity over the next decade, just 4% report having a clear strategy in place to address it. The UN’s designation of 2025 as the International Year of Quantum underscores a critical moment for governance, signaling that boards must prepare for both the transformative potential of quantum technology and the significant security challenges it brings.
Some leading companies, including financial institutions and tech firms, are quietly beginning to update their systems to include quantum-safe protections. But for many others, there is no clear plan, no timeline, and often not even basic awareness at the board level.
From Awareness to Action
For boards, the implications are clear: fiduciary responsibility now extends beyond traditional cyber oversight. Directors don’t need to be cybersecurity experts, but they do need to be asking the right questions. What is the company’s exposure if today’s encrypted data is compromised in the next 5 to 10 years? What steps are being taken to assess and update our systems, so that we’re not scrambling when regulators, customers, or shareholders start demanding action? Boards should call for clarity from management about risk exposure, progress on post-quantum cryptography (PQC) migration, and cryptographic inventories. Scenario planning should include worst-case decryption scenarios decades ahead.
This challenge cannot be addressed alone. The transition to quantum-safe infrastructure will require coordination across IT, legal, compliance, and even third-party vendors. It will also take time. Replacing core encryption systems is a bit like rebuilding the foundation of a building while people are still working inside; it has to be done carefully and gradually, which is exactly why boards need to engage sooner rather than later.
Future-Proofing Starts in the Boardroom
The good news is that there’s still time to act. Directors can begin by requesting a high-level briefing from management on the company’s current encryption strategy and exposure to quantum-related risks. They should ask whether the company has begun planning a transition to quantum-safe technologies, and if not, what a reasonable roadmap would look like. Finally, they should ensure that quantum-readiness is being treated not as a side project, but as a long-term strategic priority, just like digital transformation or climate resilience.
Quantum computing represents not only a generational cybersecurity risk, but also an opportunity for boards to demonstrate forward-thinking leadership. Directors who view quantum readiness as strategic governance rather than a technical footnote will position their companies for both security and innovation in the coming decade, before the clock runs out.
At Corporate Boards USA, our mission is to prepare executives to be highly qualified board candidates. We offer our members educational courses and events, networking opportunities, boardroom news, workshops, and mentorship programs.