Guidelines for boards and executive leadership.
Seven practical guidelines — from inventory and data classification to crypto-agility, vendor diligence, disclosure, contingency, and credentialed oversight — that all organizations can follow to promote quantum resiliency.
The sources covered above collectively boil down into broad guidelines that all organizations can follow to promote quantum resiliency. The following are the ones most likely to be expected by stakeholders in the near term.
A. Conducting a Comprehensive Inventory
A board cannot oversee what the organization hasn't inventoried. The first step should be to ensure that the organization actually knows where its sensitive data lives and its current level of encryption. This exercise has a name in security circles: a cryptographic bill of materials, or CBOM. A usable CBOM captures the algorithms in use, the lifetimes of keys and certificates, the hardware that protects them, the code-signing infrastructure, and — critically — the cryptographic posture of third-party vendors. An organization that cannot produce such an inventory on request is flying blind.
B. Classification of Data by How Long It Must Stay Secret
Not all data is equal. Some information is sensitive for hours; some for decades. The c-suite and board should work together to ensure the organization has ranked information assets by confidentiality half-life and has prioritized migration to PQC accordingly. Healthcare and financial data, national security information, and attorney-client material cannot be treated the same as a quarterly press release.
C. Cryptographic Agility
The engineering term is “crypto-agility.” The business translation is straightforward: systems designed today without the ability to swap cryptographic algorithms will have to be replaced, not upgraded, as new encryption standards are introduced. Boards have a duty to ask whether new system purchases — especially for long-lived infrastructure — build this flexibility in as a requirement. The cost of asking the question now is relatively small. The cost of retrofitting or rebuilding an inflexible system under time pressure is not.
D. Vendor and Supply-Chain Diligence
Your cryptographic exposure is only as strong as your weakest supplier. Cloud providers, SaaS vendors, and hardware suppliers each operate their own systems with unique cryptographic settings. Contracts signed today for multi-year terms without post-quantum representations and warranties pose risks to your organization's own security. The board should ensure that procurement, legal, and information security have aligned on a standard vendor post-quantum clause and that it is being used.
E. Fulfilling Duties of Disclosure
For public companies, material cybersecurity risks must be disclosed. For any company contemplating a financing, acquisition, or public offering, it is a diligence item that sophisticated counterparties will raise. Silence reads, increasingly, as an affirmative representation that nothing is wrong. That is not the best place to be.
F. Contingency Planning
C-suites and boards must satisfy themselves that the organization has thought through an uncomfortable question: what happens if their existing security is breached by a post-quantum attack before the migration is complete? Industry-wide episodes exposing private keys through a flaw in a widely used encryption library and exploiting weaknesses in older web encryption protocols have required emergency remediation at enterprise scale. A surprise quantum breach is likely to require a faster and more comprehensive response than any of those. In such an event, what is the contingency plan? How will your organization respond to mitigate the risk or damage?
G. Credentialed Oversight
Not every CEO or director needs to be a cryptographer. But the c-suite and board must have, or must retain access to, expertise sufficient to manage risks and seize opportunities. The Board's Caremark duties to implement reasonable oversight measures require regular updates from in-house personnel or internal consultants with the expertise to inform and advise them. A board that has no line of sight into quantum readiness is neglecting its essential oversight role.
Start the Conversation With a Few Key Questions
C-suites and boards can start by asking the following:
Five Questions to Open the Discussion
- Has our organization audited our quantum-transition risk? If so, what did it find?
- Have we made public statements about PQC or our cybersecurity measures generally? Do our internal records support every characterization we are making publicly?
- Are we calling anything “hypothetical” or “potential” that our own people would not call that internally?
- Do we have the right experts on staff or on retainer to advise on PQC and our contingency planning?
- If a material cybersecurity incident occurred next Tuesday, do we know who decides materiality, who drafts the 8-K, and who signs it — inside the four-business-day window?
A board's role is informed oversight. A c-suite's role is execution. Both require regular cadence and a documented record.