The G7 Cyber Expert Group (CEG), co-chaired by the U.S. Department of the Treasury and the Bank of England, has officially signaled that the era of "quantum-waiting" is over. On January 12th, the group released a landmark coordinated roadmap for the transition to Post-Quantum Cryptography (PQC) across the global financial system.
For CISOs and their teams, this isn't just another compliance checklist—it is a strategic warning that the cryptographic foundations of modern finance are approaching a definitive expiration date.
The roadmap, released in a public statement, addresses the looming risk of Cryptographically Relevant Quantum Computers (CRQCs). While these machines do not yet exist at scale, threat actors are already engaging in "harvest now, decrypt later" campaigns: they are intercepting and storing encrypted financial data today, with the intent to decrypt it once quantum technology matures.
This creates an immediate risk for long-lived data, such as trade secrets, health records, and long-term financial contracts, which must remain secure for decades.
The scope of the G7 roadmap is expansive, touching every corner of the financial ecosystem:
- Financial institutions: banks, credit unions, and investment firms
- Critical service providers: cloud vendors, payment processors, and clearinghouses
- Security vendors: providers of cryptographic modules, HSMs, and encryption tools
- Infrastructure operators: those managing the hardware and networks that underpin the financial sector
The migration timeline: 2030–2035
The roadmap establishes a clear (though non-prescriptive) target range for organizations to aim for:
- 2030–2032: A "challenging but prudent" target for migrating critical systems
- 2035: The overall target date for the complete transition of governmental and private sector systems globally
The G7 CEG outlines a six-step journey that security teams should begin immediately to avoid "fragmented approaches" that could lead to systemic failure:
- Awareness & preparation: Establishing executive-level risk awareness and initial post-quantum resilience strategies
- Discovery & inventory: Creating a comprehensive inventory of cryptographic assets and identifying third-party dependencies
- Risk assessment & planning: Tailoring migration plans based on the systemic importance of specific functions
- Migration execution: Progressively deploying quantum-resistant solutions, starting with high-priority areas
- Migration testing: Performing ecosystem-oriented resilience exercises
- Validation & monitoring: Continuous improvement and incorporation of emerging cryptographic standards
Migration to PQC is not a "rip and replace" software update; it is a fundamental re-engineering of security architecture that will take years to complete safely.
The G7 CEG emphasizes the need for cryptographic agility—the ability to switch out algorithms quickly as new threats and standards emerge. CISOs must start by managing external dependencies, as many smaller institutions are highly reliant on third-party vendors for their encryption needs.
"The introduction of quantum computers that can break our encryption tools presents a significant risk to the safety and soundness of our financial ecosystem," warned G7 CEG co-chairs in a press release from the U.S. Department of the Treasury. "This is something we must address together, and the roadmap guidance will be an important reference for organizations to consider as they prepare their systems and data to be quantum resilient."
By following this roadmap, organizations can move from reactive patching to a proactive, coordinated defense that future-proofs the global economy against the quantum threat.

