XIII

Recommendations

Section XIII

Recommendations, by role.

Framed for adoption within the current fiscal year. Each item is scalable to organizational size and industry, and each is supported by the analysis in the preceding sections.


For Boards

Adopt a resolution designating a specific committee — audit, risk, or technology — consisting of directors and management to oversee the post-quantum transition and public messaging. A template is provided in Appendix A.

Require management to deliver, within 180 days, three artifacts: a cryptographic bill of materials, an accounting of the organization's data keyed to confidentiality duration, and a preliminary gap analysis against the NIST post-quantum standards.

Establish a reporting cadence — such as quarterly for high-exposure enterprises, semi-annually for everyone else.

Retain external consultants with appropriate expertise — cryptographic, legal, and audit — sufficient to educate management and the board on the material issues.

Review your D&O and cyber coverage for alignment with the organization's true risk profile before the next renewal.

Build, partner, acquire, or wait. The board should work with management to define the organization's strategic posture on quantum and set the cadence for reconsidering it.

For CEOs

Sponsor the program visibly. Post-quantum migration cuts across IT, security, legal, procurement, and product. It does not get done without a sponsor at the top. Naming the program and assigning an accountable executive is a low-cost, high-signal first step.

Tie the roadmap to the budget cycle. Treat post-quantum migration the way you would treat any multi-year capital investment: scoped, phased, and funded. Organizations that fund it ad hoc will waste money.

Use it competitively. Federal agencies, banks, hospitals, and critical-infrastructure operators will begin asking about post-quantum readiness in RFPs. Readiness is increasingly a commercial asset, not just a compliance item.

Assign a named executive for quantum opportunity. Separate from the defensive migration owner, the strategic posture deserves its own accountable executive — a Chief Strategy Officer or designated cross-functional lead.

Before the next public statement referencing quantum capability, confirm that the language is supportable from contemporaneous records and consistent across investor communications, customer materials, and SEC filings.

For General Counsel

Coordinate with the board on quantum risk-factor language for the next annual filing.

Draft a standard vendor post-quantum clause for procurement and renewal templates, and implement guidelines for the amendment of all legacy contracts at their next available cycle.

Integrate quantum diligence into M&A, financing, and joint-venture workflows. Treat it as you would any cybersecurity diligence item.

Create and archive board governance materials. Minutes, management reports, and other materials on this topic should be handled with the same discipline as material accounting matters.

Map the quantum IP landscape. At minimum, understand who is filing what in the company's industry, whether the company has its own opportunities to develop new IP, and any standards processes the organization should participate in.

Monitor regulatory activity. Track the FTC, SEC, and state and industry regulatory activity, with close monitoring of the organization's quantum claims that appear in filings, marketing, or investor communications to ensure they are specific, substantiated, and consistent with the internal record.

Rehearse the four-business-day clock. For any cybersecurity incident that is determined to be material, a Form 8-K is due within four business days. The time to answer the questions of who makes the materiality call, who drafts the filing, and who signs it is not during the incident.

For the Audit Committee

Add quantum readiness to the internal audit plan as a recurring focus area.

Confirm that financial-reporting systems — general ledger, ERP, consolidation infrastructure — are within the cryptographic inventory.

Manage the information channels. The SEC cybersecurity rule requires that material information — including incident information — reach the drafters of the 10-K and 8-K on a timely basis. Confirm with management that the funnels of that information are functioning effectively.

For Founders and Pre-IPO Companies

Write a short cryptographic-posture memo now. Two to four pages describing what the company uses, where, and what it has not yet addressed. This is the document that governs consistency across every customer questionnaire, diligence response, and eventually the S-1 risk factors. Update it at each financing round.

Answer diligence questions factually, not aspirationally. Describe what the company does today. Flag post-quantum transition as a known forward-looking item rather than a problem already solved.

Audit outbound customer contracts for cryptographic commitments. Identify multi-year enterprise agreements whose security representations would become non-compliant under a post-quantum posture. Incorporate crypto-agility language into new agreements so the company retains the right to update cryptographic methods over the contract term.

Add post-quantum language to inbound vendor contracts. Cloud, SaaS, and hardware agreements signed today without post-quantum commitments add to your list of enterprise risks. Require vendor roadmaps or post-quantum representations as standard procurement terms.

Stand up board-level oversight before the S-1. A named committee, a reporting cadence, and minutes reflecting substantive discussion should be in place well before pre-filing diligence. Underwriters and their counsel will be asking, and the answers should not be improvised.

Treat founder and officer representations as archived. Material statements made in management presentations, investor updates, board materials, and data-room responses should be consistent with one another and supportable by contemporaneous documentation.

Quantum is not a question on which any organization gets to defer. Nor is it a question that requires panic. It requires what fiduciary duty has always required: informed engagement, documented deliberation, and reasonable judgment exercised in advance — on both sides of the Quantum Director.

A year from now, some organizations will have named owners, documented postures, regular briefings, and minutes that reflect engaged consideration of both halves. Others will be explaining, in one form or another, why they did not. The difference is a choice, and the time to make it is now.