Quantum Negligence On The Clock: The US Just Set The Egg Timer On Quantum Migration As An Enterprise Risk
The US federal government just did something subtle yet significant for enterprise risk: it put post-quantum cryptography (PQC) migration on a clock. The executive order, “Ushering in the Next Frontier of Quantum Innovation,” tells agencies to accelerate migration to post-quantum cryptography, assign accountable leaders, run pilots, and work toward defined deadlines for critical systems. The corresponding OMB memo makes the EO operational with requirements, migration planning, and recurring reporting. Together, they shift quantum risk from a vague technical concern into a structured governance model, thereby turning a technology issue into a risk management issue.
What To Know About Post Quantum Negligence
The debate over whether this is a foreseeable risk just ended. Any board that chooses not to follow a comparable path will need to explain why its own standard of care is lower than the US federal government's. In the event of a lawsuit, that gap can translate into findings of negligence for executives. Negligence analysis is simple: was the burden of taking action smaller than the expected harm? The new directives shape both sides of that test because they:
- Put quantum on the enterprise risk register. A quantum computer able to break today’s public key cryptography is no longer treated as a remote theory. It is framed as an eventual reality on a long but finite timeline. That makes it much harder to dismiss it as speculative.
- Elevate the scale and impact of loss. The focus is on long‑lived, high‑value data and critical systems, where compromise would have lasting and systemic consequences, not just a one‑off incident.
- Reduce the burden of action. Post‑quantum migration is now presented as an executable program: recognized standards, federal guidance, pilots, and staged migration paths. This looks like a manageable transition, not a research project.
Negligence cases aren’t about whether a risk existed; they focus on whether a company failed to act once the risk was both foreseeable and practically addressable. These directives make it much harder to argue that there wasn’t a clear way forward or that reasonable action wasn’t yet possible.
What Risk Management Must Do Now
The question is no longer whether the organization started PQC migration, but whether it can demonstrate that it prioritized the right exposures, acted in time, and reduced risk in a way that would withstand scrutiny. For risk pros:
- Assign enterprise accountability, not just functional ownership. Designate a single accountable owner with authority to coordinate across the enterprise, but do not isolate responsibility within security. PQC exposure spans infrastructure, applications, data, and third parties. Accountability must extend across technology, risk, legal, and procurement to prevent gaps in oversight, fragmented decisions, and unmanaged dependencies.
- Prioritize based on business criticality, data exposure, and longevity. Focus first on systems where cryptographic failure creates irreversible outcomes, including exposure of sensitive data, loss of trust in digital signatures, or disruption to critical business processes. Long-lived data and externally exposed systems should drive prioritization. What is easiest to migrate is rarely what matters most from a risk perspective.
- Make third-party quantum readiness a condition of doing business. PQC exposure extends across the ecosystem, where the company has responsibility but limited control. Move beyond assessment to enforcement by embedding PQC expectations into contracts, tracking vendor readiness, and defining acceptable timeframes for compliance. Integrate these requirements into third-party risk management processes, procurement decisions, and ongoing vendor oversight.
- Turn cryptographic inventory into an exposure map that informs decisions. An inventory creates visibility but does not reduce risk. Connect cryptographic use to data sensitivity, business criticality, and third-party dependencies to identify where exposure is concentrated. Map where cryptography protects critical data, where it persists over time, and where dependencies introduce risk. If it does not show exposure, it does not enable prioritization or control.
- Monitor for requirements and updates from your cyber insurance carrier. As inaction translates into greater risk and the path forward becomes increasingly clear, insurers will not only probe what policyholders are doing for PQC migration but also factor your readiness into premium pricing. You may have already seen questions about your PQC migration roadmap, data classification, cryptographic inventory, and crypto-agility as early indicators carriers use to assess your maturity. Look for exclusions too, as insurers draw the line for what they will and will not cover related to this risk.
- Anchor the PQC migration in board-level risk visibility and oversight. PQC risk is a governance issue, not a technical program. Provide boards with clear visibility into exposure, prioritization rationale, and progress against defined timelines. Continuous monitoring and reporting are essential to demonstrate control effectiveness and evolving risk posture, particularly as risk conditions and dependencies change over time.
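The prioritization logic described above (business criticality, data sensitivity and longevity, external exposure, third-party dependency) and the inventory-to-exposure-map step can be made concrete. The following is an added example, not Forrester's blueprint or any product's code; the scoring weights, the ten-year confidentiality horizon, and the sample inventory are all constructed assumptions to be tuned to your own risk appetite.

```python
# Added example: turn a cryptographic inventory into a ranked exposure map.
# Weights, horizon and inventory records are constructed for illustration.
from dataclasses import dataclass
from typing import List, Tuple

# Public-key algorithms broken by a cryptographically relevant quantum computer.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
# Assumed horizon (years): data that must stay secret this long is exposed
# today to "harvest now, decrypt later" collection.
HORIZON_YEARS = 10

@dataclass
class CryptoUse:
    system: str
    algorithm: str           # e.g. "RSA", "ECDH", "ML-KEM", "AES"
    purpose: str             # "encryption" or "signature"
    sensitivity: int         # 1 (public) .. 4 (restricted)
    retention_years: int     # how long the protected data must stay secret/valid
    externally_exposed: bool
    third_party_managed: bool

def exposure_score(u: CryptoUse) -> int:
    """0 means no quantum exposure; higher means migrate sooner."""
    if u.algorithm not in QUANTUM_VULNERABLE:
        return 0
    score = u.sensitivity * 2
    long_lived = u.retention_years >= HORIZON_YEARS
    if u.purpose == "encryption" and long_lived:
        score += 4   # recorded ciphertext can be decrypted later
    if u.purpose == "signature" and long_lived:
        score += 2   # firmware, contracts, certificates outlive the signer
    if u.externally_exposed:
        score += 2
    if u.third_party_managed:
        score += 1   # responsibility without direct control
    return score

def prioritise(inventory: List[CryptoUse]) -> List[Tuple[str, int]]:
    """(system, score) pairs, most exposed first; unexposed systems dropped."""
    ranked = [(u.system, exposure_score(u)) for u in inventory]
    return sorted([r for r in ranked if r[1] > 0], key=lambda r: -r[1])

# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    CryptoUse("hr-archive-tls", "RSA", "encryption", 4, 30, True, False),
    CryptoUse("marketing-site-tls", "ECDH", "encryption", 1, 1, True, False),
    CryptoUse("firmware-signing", "ECDSA", "signature", 3, 15, False, True),
    CryptoUse("payroll-saas-api", "RSA", "encryption", 2, 7, True, True),
    CryptoUse("backup-at-rest", "AES", "encryption", 4, 30, False, False),
]
```

Note that the easiest migration (the public marketing site) ranks last, while the symmetric-only backup drops out entirely, which is the point the post makes about inventory versus exposure.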
Your organization needs a cross-functional Q-day team. In five to ten years, when data breaches tied to outdated encryption are tested in court, the standard will be clear: what did comparable organizations know, what did they do, and when did they do it? In the meantime, ERM’s role is to ensure the company can demonstrate that it recognized the risk, acted deliberately, and can produce the receipts to prove it. Forrester clients can check out the full initiative blueprint to help drive their PQC migration or schedule a guidance session or inquiry with us.