
Financial Sector Urged to Prepare for the Future of Cyber Threats

The Cross Market Operational Resilience Group (CMORG) has published guidance to the financial sector on transitioning towards quantum-safe cryptographic practices, following recent guidance from the UK’s National Cyber Security Centre (NCSC). The guidance is intended to provide clarity to banks and other financial institutions on how they will switch to post-quantum cryptography—a new kind of encryption that will remain secure even when quantum computers arrive.

 

David Raw, MD for Resilience and Cyber at UK Finance, said: ‘The integration of Post Quantum Cryptography to protect the security of our data and digital assets is essential. Firms, both large and small, are faced with the same emerging threat from Cryptographically Relevant Quantum Computers in the hands of bad actors. We need to act fast as firms and collaborate as a sector to ensure we are protected.’

 

‘This paper is a timely call for the sector to adopt post-quantum cryptography,’ said Matthew Field, Executive Director for Technology and Cyber Policy for JPMorganChase. ‘Managing quantum risk is a shared challenge requiring action from not only financial institutions, but also the wider tech vendor community and our regulators. We must all come together to address this priority now, to ensure we are well positioned for resilience against quantum computing’s future threat.’ 


 

What is Post-Quantum Cryptography? 

Today’s digital security, like the encryption used to protect your bank account or personal data, is based on complex mathematical problems that normal computers struggle to solve. But quantum computers, which are still in development, could one day solve these problems much more quickly, making current encryption methods vulnerable.

 

Post-quantum cryptography (PQC) refers to new types of encryption designed to withstand these future quantum threats. In short, it’s about building security systems that can’t be cracked by tomorrow’s quantum computers. 

 

Why Start Now? 

 

Quantum computers capable of breaking today’s encryption may still be years away, but experts warn that we can’t afford to wait. Data stolen today could be stored and later decrypted when quantum technology becomes available—a tactic known as “store now, decrypt later.” 

 

The NCSC has published a timeline urging firms to: 

  • Have plans in place by 2028 
  • Protect high-priority systems by 2031 
  • Complete the transition by 2035 

 

To help the industry meet these targets, CMORG’s Cyber Coordination Group (CCG) has released new guidance that outlines practical steps financial institutions should take now. 

 

What’s in the New Guidance? 

 

The guidance explains: 

  • What quantum computing is and why it threatens current encryption 
  • What post-quantum cryptography is and how to start adopting it 
  • A step-by-step roadmap for how firms can prepare 
  • The need to understand and work with technology vendors to make sure they are also quantum-ready 
  • The importance of coordination between banks, suppliers, and regulators 

 

One key early step is for firms to build a “cryptographic inventory” - a detailed list of where and how they currently use encryption. From there, they can develop a plan to replace vulnerable systems. 

 

Banks and financial institutions are considered critical national infrastructure, meaning any failure in their cybersecurity can have wide-reaching impacts. That’s why early action is so important—not only to protect individual firms, but to safeguard the broader economy and society. 

 

You can access this paper here.  

 

CMORG-endorsed capabilities (including good practice guidance, response frameworks and contingency tools) have been developed collectively by industry to support the operational resilience of the UK financial sector. The financial authorities support the development of these capabilities and collective efforts to improve sector resilience. However, their use is voluntary, and they do not constitute regulatory rules or supervisory expectations; as such, they may not necessarily represent formal endorsement by the authorities. 

 

CMORG publishes new guidance for firms to start planning for Post-Quantum Cryptography