The risk. The mandate. The ask.
A briefing for CIOs, CISOs, and board members on the business-impact framing, the compliance landscape, and the strategic posture.
The most urgent post-quantum cryptography risk facing your organization is not a future event — it is happening right now. This briefing covers the business risk that starts today, the regulatory signals translating it into operational deadlines, and the strategic posture that distinguishes disciplined urgency from reactive spending. Roughly 800 words.
The business risk starts today.
Nation-state adversaries and sophisticated criminal networks are harvesting encrypted data today and storing it, waiting for the day a sufficiently powerful quantum computer allows them to read it. The strategy has a name — Harvest Now, Decrypt Later (HNDL) — and it is documented in threat-intelligence reports including a 2025 Federal Reserve research paper analyzing HNDL-motivated data collection in the financial sector.
The implication for the balance sheet is direct. Any corporate communications, intellectual property, M&A materials, customer records, or trade secrets transmitted over the internet today and protected only by classical encryption may already be in an adversary's archive. Any data your organization must keep confidential for five or more years — which covers most strategically sensitive business information — is effectively at risk today, not at some theoretical future date.
The right executive framing is that HNDL is a present-tense risk with a deferred consequence. Treating it as a future problem because the decryption event is in the future is the same category mistake as ignoring a slow-motion data exfiltration because the perpetrator hasn't sold the data yet. The exposure is real, the window is open now, and the corrective work compounds over time.
The compliance window is tightening.
Regulatory signals are translating HNDL risk into operational deadlines. NIST finalized FIPS 203, 204, and 205 in August 2024 — the standardized replacements for the public-key cryptography that underpins TLS, VPN, code signing, and identity. CNSA 2.0, the NSA's Commercial National Security Algorithm Suite, requires all new National Security System acquisitions to be quantum-resistant by January 1, 2027, with classical key establishment disallowed in 2030 and classical signatures disallowed in 2031.
For organizations outside the federal NSS perimeter, the procurement signals matter most. OMB Memorandum M-23-02 mandates annual inventories of quantum-vulnerable systems for federal agencies through 2035. The Quantum Computing Cybersecurity Preparedness Act requires OMB to issue migration guidance following NIST's standards finalization. CISA's January 2026 Product Categories guidance gives procurement teams an agency-backed framework to prefer PQC-capable products in cloud, browser, endpoint, and networking categories.
Even in industries that are not directly bound by these mandates, two procurement-driven realities apply. First, network and endpoint vendors are aligning their roadmaps to the federal calendar, which means PQC capability is becoming standard in new product families and absent in older ones. Buying equipment in 2026–2027 without a PQC upgrade path is increasingly a decision to acquire stranded assets. Second, regulated industries — financial services, healthcare, critical infrastructure — should expect their sector regulators to mirror the federal procurement language within a one-to-three-year lag.
Disciplined urgency, sequenced.
The correct executive posture is disciplined urgency, not reactive spending. The first priority — before any vendor conversation, any architecture decision, any budget allocation — is a cryptographic inventory: a systematic map of every place your organization uses public-key cryptography across applications, infrastructure, and third-party services. Without this inventory, no meaningful migration prioritization is possible, and any vendor proposal promising to "solve" your quantum risk should be treated skeptically.
Migration should then follow a phased sequence. Protect long-lived, externally exposed data flows first. Require PQC readiness from vendors in new procurement cycles. Avoid proprietary "rip and replace" proposals in favor of standards-based vendor updates aligned to NIST FIPS 203, 204, and 205. Test hybrid deployments — a classical algorithm combined with the post-quantum equivalent — in non-production environments to surface the MTU, PKI, and firewall interactions that will dominate early operational experience.
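As an added illustration that is not part of this briefing, the Python below triages a constructed cryptographic inventory by HNDL exposure, applying the sequence above: long-lived, externally exposed data flows that still rely on quantum-vulnerable key exchange rank first, classical signatures rank behind them (captured traffic can be decrypted later, but a signature can only be forged once a quantum computer actually exists), and hybrid or FIPS 203/204/205 deployments rank last. The asset names, fields and algorithm labels are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Public-key primitives that Shor's algorithm breaks: RSA, finite-field DH and
# every elliptic-curve variant. Names are upper-cased before matching.
QUANTUM_VULNERABLE = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "ED25519", "X25519"}
# The NIST replacements the briefing names: FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA).
PQC_STANDARD = {"ML-KEM", "ML-DSA", "SLH-DSA"}
HNDL_HORIZON_YEARS = 5  # the briefing's "five or more years" confidentiality threshold

@dataclass
class Asset:
    name: str
    external: bool        # reachable from the internet
    retention_years: int  # how long the data must remain confidential
    key_exchange: str     # key-establishment algorithm(s); "+" joins a hybrid pair
    signature: str        # authentication / signing algorithm

def classify(alg: str) -> str:
    """Return 'pqc', 'hybrid', 'vulnerable' or 'unknown' for one algorithm field."""
    parts = {p.strip().upper() for p in alg.split("+")}
    has_pqc, has_classical = bool(parts & PQC_STANDARD), bool(parts & QUANTUM_VULNERABLE)
    if has_pqc and has_classical:
        return "hybrid"
    return "pqc" if has_pqc else "vulnerable" if has_classical else "unknown"

def tier(a: Asset) -> int:
    """Lower is more urgent. Only key exchange is HNDL-exposed; classical
    signatures matter once a quantum computer exists, so they rank behind."""
    kex, sig = classify(a.key_exchange), classify(a.signature)
    if kex == "vulnerable" and a.retention_years >= HNDL_HORIZON_YEARS:
        return 0 if a.external else 1
    if kex in ("vulnerable", "unknown"):
        return 2
    if sig in ("vulnerable", "unknown"):
        return 3
    return 4  # hybrid or pure PQC on both fields: no migration action pending

def triage(assets: list) -> list:
    """Inventory sorted by tier, then by name, for the quarterly review."""
    return sorted(((a.name, tier(a)) for a in assets), key=lambda t: (t[1], t[0]))

# Constructed sample inventory (hypothetical systems) to show the ordering.
SAMPLE = [
    Asset("partner-sftp-gateway", True, 10, "ECDHE", "RSA"),
    Asset("hr-records-api", False, 7, "X25519", "ECDSA"),
    Asset("marketing-cdn", True, 0, "ECDHE", "ECDSA"),
    Asset("code-signing-service", False, 15, "ML-KEM", "RSA"),
    Asset("vpn-concentrator-2026", True, 10, "X25519+ML-KEM", "ML-DSA"),
]
```

Running `triage(SAMPLE)` places the external, ten-year partner gateway in tier 0 and the already-hybrid VPN concentrator in tier 4; an algorithm label the tables do not recognise is deliberately treated as work to do, not as safe.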
There are two failure modes to flag at the executive level. Organizations that conflate urgency with haste will waste budget on bespoke cryptographic replacements before they understand the estate, and will create new risk surface by deploying immature implementations. Organizations that conflate caution with inaction will compound their HNDL exposure with each passing year. The middle path is sequenced execution: name an owner, fund the inventory, set a quarterly review cadence, and update the procurement language now.
The four-line ask for the board.
- Approve a cryptographic inventory sprint. Scope: all internet-facing and high-trust systems. Owner named. Reviewed quarterly.
- Update procurement language. Require PQC readiness criteria in all new technology contracts from 2026 forward.
- Establish a PQC transition owner. Single accountable role, reporting into the CIO/CISO line.
- Defer proprietary "quantum-safe" purchases. Wait for FIPS-validated, NIST-aligned products from the existing vendor stack.
For the architectural depth your security team will want before they brief you back, send them the Security Architects briefing. For the privacy and breach-notification implications that will land on legal's desk, send them the Privacy & Legal briefing. For the operator-grade inventory and vendor-questioning detail your network team needs, send them the IT Technicians briefing. For the structured analytic note your auditors and underwriters will cite, send them the Active Research note on PQC Exposure.
An executive one-pager and a three-slide board deck are planned as Phase 2 tools.