Quantum-Ready Cryptography: When Should Family Offices Start Planning?

Simone Nogara

January 2026 · 8 min read

The development of cryptographically relevant quantum computers poses a unique threat to institutions managing intergenerational wealth. Family offices and private wealth structures rely on cryptographic protections for communications, transactions, and data storage that were designed for a pre-quantum world. The question is not whether to migrate to post-quantum cryptography but when to begin — and for institutions with long-duration confidentiality requirements, the answer is now.

The threat is not imminent in the conventional sense — no quantum computer currently exists that can break widely deployed cryptographic algorithms. However, the nature of the risk demands early action. Data encrypted today with algorithms vulnerable to quantum attack will remain vulnerable when those computers arrive. For family offices managing information with confidentiality requirements measured in decades, the timeline to quantum relevance matters less than the longevity of the data they protect today.

The Harvest-Now-Decrypt-Later Threat

The most pressing quantum-related risk for family offices is the “harvest-now-decrypt-later” (HNDL) attack model. Sophisticated adversaries — state-sponsored actors, organised criminal enterprises — are intercepting and storing encrypted communications and data transfers today, with the expectation of decrypting them once quantum computing capability matures. This is not theoretical speculation: intelligence agencies have publicly acknowledged the practice.

For family offices, the implications are acute. Communications regarding estate planning, investment strategies, beneficial ownership structures, and family governance contain information whose sensitivity persists for decades. A private communication encrypted in 2026 and intercepted by an adversary could be decrypted in 2035 or 2040, at which point the information may still be commercially and personally sensitive. The HNDL threat converts a future quantum computing capability into a present-day collection imperative for adversaries.

The practical question for family offices is whether their current communication and data handling practices expose them to HNDL collection. Organisations that transmit sensitive information over public networks, store encrypted data with cloud providers, or rely on standard TLS for web-based portfolio management and banking platforms are potentially exposed. The risk is proportional to the sensitivity and longevity of the data and the sophistication of likely adversaries — considerations that vary significantly across family offices depending on their profile and jurisdiction.

NIST Post-Quantum Standards

The U.S. National Institute of Standards and Technology (NIST)[1] finalised its first set of post-quantum cryptographic standards in 2024, selecting algorithms for key encapsulation (ML-KEM, formerly CRYSTALS-Kyber) and digital signatures (ML-DSA, formerly CRYSTALS-Dilithium, and SLH-DSA, formerly SPHINCS+). These standards provide the foundation for migration, giving technology vendors and implementing organisations concrete algorithms around which to build quantum-resistant systems.

European institutions should note that while NIST leads standardisation, European bodies including ENISA[2] and national agencies such as BSI (Germany) and ANSSI (France) are evaluating these algorithms and developing guidance for European adoption. The European approach may incorporate additional algorithms or impose specific implementation requirements reflecting European security policy preferences. Family offices operating across jurisdictions should monitor both NIST and European standardisation developments.

The availability of finalised standards removes the principal argument for delay. Organisations can now begin migration planning with confidence that the target algorithms are stable, peer-reviewed, and endorsed by major standards bodies. Early movers gain the advantage of implementing migration on their own timeline rather than under pressure when quantum threats become more proximate.

Migration Timeline and Complexity

Cryptographic migration is not a simple software update. It touches every system that uses encryption: communications platforms, VPNs, email encryption, document management systems, banking interfaces, and data storage. The migration process involves inventorying all cryptographic dependencies, assessing vendor readiness for post-quantum algorithm support, implementing hybrid approaches during transition, testing interoperability, and updating key management procedures.

For family offices, the complexity is moderated by their typically smaller technology footprint compared to large enterprises, but complicated by their dependence on third-party services. Banking platforms, custodian systems, legal document management, and communication tools are provided by external vendors whose migration timelines are outside the family office's direct control. The family office's role is to assess vendor readiness, prioritise migration of systems it controls directly, and engage vendors on their post-quantum roadmaps.

A realistic migration timeline for a well-resourced family office is 18 to 36 months from initiation to completion, with high-priority systems — email encryption, VPN tunnels, and document storage — migrated first. The hybrid approach, using both classical and post-quantum algorithms simultaneously, provides protection during transition without requiring all counterparties to have completed their own migrations.

Practical Steps for Family Offices

The first step is a cryptographic inventory: a comprehensive catalogue of where and how cryptographic algorithms are used across the family office's technology environment. This inventory should identify algorithm types (RSA, ECDSA, AES), key lengths, certificate authorities, and the systems that depend on each cryptographic implementation. This exercise frequently reveals unexpected dependencies and legacy systems that complicate migration planning.

Second, assess data sensitivity and longevity. Not all data requires the same level of protection against quantum threats. Information with confidentiality requirements exceeding ten years — estate structures, trust documentation, long-term investment strategies, family governance records — should be prioritised for quantum-resistant protection. Information with shorter sensitivity windows can be migrated on a less urgent timeline.

Third, engage key service providers. Request post-quantum migration roadmaps from banking partners, custodians, legal advisors, and technology vendors. Evaluate whether current providers are taking the quantum threat seriously and investing in migration capability. Provider readiness for post-quantum cryptography is an increasingly relevant factor in vendor selection and relationship management.
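
An added example (not from the original article or its author) of the steps above applied to certificates: it parses the text printed by `openssl x509 -noout -text` for the issuing CA, key algorithm and key size, then ranks systems using the ten-year confidentiality threshold and routes vendor-run systems to a roadmap request. The system names, retention periods, `own`/`vendor` labels and the `ML-DSA-65` line are constructed assumptions; symmetric ciphers such as AES do not appear in certificates and are outside its scope.

```python
import re

CLASSICAL = {"rsaEncryption": "RSA", "id-ecPublicKey": "EC", "ED25519": "EdDSA"}  # Shor-breakable
PQ_PREFIXES = ("ML-DSA", "SLH-DSA")   # NIST signature standards named in the article
LONG_LIVED_YEARS = 10                 # the article's threshold for prioritised data

def parse_cert_text(text):
    """Pull issuer (CA), key algorithm and key size out of `openssl x509 -text` output."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    bits = field(r"Public-Key:\s*\((\d+) bit\)")
    return {"issuer": field(r"^\s*Issuer:\s*(.+)$"), "key_bits": int(bits) if bits else None,
            "key_alg": field(r"Public Key Algorithm:\s*(\S+)")}

def triage(inventory):
    """Rank systems: long-lived data behind classical keys first, unknowns next."""
    rows = []
    for system, cert_text, years, operator in inventory:
        cert = parse_cert_text(cert_text)
        alg = cert["key_alg"] or ""
        if alg.startswith(PQ_PREFIXES):
            rank, action = 3, "post-quantum key: keep monitoring"
        elif alg not in CLASSICAL:
            rank, action = 1, "unrecognised algorithm: review manually"
        elif years <= LONG_LIVED_YEARS:
            rank, action = 2, "classical key, short-lived data: schedule later"
        else:
            step = "migrate first" if operator == "own" else "request vendor roadmap"
            rank, action = 0, f"classical key, long-lived data: {step}"
        rows.append({"system": system, "rank": rank, "action": action, **cert})
    return sorted(rows, key=lambda r: (r["rank"], r["system"]))

# Constructed sample inventory: (system, certificate text, years the data must stay
# confidential, who operates the system). All names and values are invented.
SAMPLE = [
    ("trust-document-store", "Issuer: CN = Example Internal CA\n"
     "Public Key Algorithm: rsaEncryption\n    Public-Key: (2048 bit)\n", 30, "own"),
    ("custodian-portal", "Issuer: CN = Example Public CA\n"
     "Public Key Algorithm: id-ecPublicKey\n    Public-Key: (256 bit)\n", 25, "vendor"),
    ("guest-wifi-portal", "Issuer: CN = Example Internal CA\n"
     "Public Key Algorithm: rsaEncryption\n    RSA Public-Key: (4096 bit)\n", 1, "own"),
    ("pilot-signing-service", "Issuer: CN = Example Internal CA\n"
     "Public Key Algorithm: ML-DSA-65\n", 30, "own"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f'{row["system"]:<22} {str(row["key_alg"]):<16} {row["key_bits"]} {row["action"]}')
```

Anything the parser does not recognise is ranked for manual review rather than treated as safe, which is where legacy or unexpected dependencies surface.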

Investment Implications

Beyond the direct cybersecurity considerations, the quantum computing transition creates investment implications that family offices should evaluate. The post-quantum migration will drive significant enterprise technology spending across all sectors over the next decade. Companies providing quantum-resistant solutions, cryptographic migration services, and quantum-safe infrastructure represent a thematic investment opportunity that aligns naturally with the family office's own technology modernisation journey.

Conversely, portfolio companies with significant cryptographic dependencies — financial services, healthcare, defence, telecommunications — face migration costs and risks that should be factored into valuation and due diligence. The quantum readiness of a target company is an emerging dimension of cyber due diligence that will become standard practice as migration timelines shorten. Family offices with direct or fund-of-fund exposure to these sectors should ensure their investment teams understand the quantum risk dimension.

References

  1. NIST Post-Quantum Cryptography Standardization. NIST.gov
  2. European Union Agency for Cybersecurity (ENISA). ENISA
