FS-ISAC’s New Roadmap for Post-Quantum Migration in Finance
25 Sep 2025 – Financial industry CISOs have a new playbook for the post-quantum era. The Financial Services Information Sharing and Analysis Center (FS-ISAC) has published a position paper titled “The Timeline for Post-Quantum Cryptographic Migration,” offering a detailed roadmap for the financial sector’s transition to quantum-resistant security. The paper lays out why banks and financial institutions must act now to avoid falling behind in the race against quantum threats.
Who Is FS-ISAC and Why Does Its Guidance Matter?
FS-ISAC is an industry consortium dedicated to reducing cyber-risk in the global financial system, serving thousands of financial institutions worldwide. In practice, it’s a member-driven hub where banks, insurers, payment processors, and other financial players share cyber threat intelligence and best practices.
When FS-ISAC speaks, it reflects a consensus of leading experts across the sector. Its guidance often informs industry standards and regulatory expectations, making this new position paper especially significant. For a CISO in financial services, FS-ISAC’s recommendations can translate into actionable steps for strengthening resilience.
In short, FS-ISAC’s voice is the collective voice of the financial industry on cybersecurity – which is why a global post-quantum cryptography (PQC) roadmap from FS-ISAC is big news.
Announcing “The Timeline for Post-Quantum Cryptographic Migration”
On behalf of its Post-Quantum Cryptography Working Group (in collaboration with international partners in Canada and Europe), FS-ISAC has issued “The Timeline for Post-Quantum Cryptographic Migration.” This position paper is essentially a call to arms for the financial sector to prepare for the coming quantum computing revolution. It outlines the urgency of migrating to quantum-safe encryption, the pitfalls of delaying, and a phased strategy to get there in time. The document recognizes that upgrading the entire financial ecosystem’s cryptography is a complex, multi-year endeavor – but one that cannot wait. By providing a timeline and framework, FS-ISAC aims to jump-start the planning process within financial institutions and across their many dependencies.
The Risk of Delay: “Crypto-Procrastination” and Mosca’s Theorem
A central message from FS-ISAC is that delay is dangerous. The paper pointedly calls out “crypto-procrastination” – a tendency to put off planning for PQC migration – as a serious threat to the industry’s security timeline. Many organizations have yet to dedicate adequate resources to quantum-resistant projects, and every year of inaction compresses the time available to adapt. This complacency can stem from underestimating the impact of quantum computing, misunderstanding the complexity of a crypto overhaul, or simply deferring the quantum threat as a distant future problem. FS-ISAC warns that such procrastination could leave firms scrambling at the last minute, or worse, missing the window to protect critical data.
To illustrate the stakes, the paper invokes Mosca’s Theorem – a formula well-known in cryptography circles. In simple terms, Mosca’s Theorem states that if the time you need your data to stay secure (X years) plus the time it will take you to swap in new quantum-safe cryptography (Y years) exceeds the time until a powerful quantum computer arrives (Z years), then your data is at risk. In other words, if X + Y > Z, you’re too late. Sensitive financial data often needs to remain confidential for many years, and cryptographic migrations in large institutions can also take years.
Meanwhile, nobody knows exactly when a cryptographically relevant quantum computer will be built – but estimates are shrinking. FS-ISAC’s takeaway: the safe timeline to begin migrating is now. Every year of delay eats into the safety margin before “Q-Day” (the day quantum code-breaking becomes feasible). The position paper urges CISOs to treat this like a ticking clock: start the transition early enough so that your Y (migration period) is finished well before Z (quantum arrival), with room to spare.
A Need for Global Coordination in PQC Migration
Another major theme is the call for global coordination. Financial services is a massively interconnected web – banks rely on payment networks, market exchanges, central clearinghouses, and each other. If firms migrate to post-quantum cryptography on mismatched schedules, the whole system could suffer. The FS-ISAC paper argues that the sector needs a synchronized plan so that critical interoperability points (like communication protocols, payment rails, and central bank systems) all transition in step. A coordinated timeline would prevent bottlenecks where some parts of the ecosystem are held back by “slow movers” still using outdated crypto.
Today, however, such coordination is mostly lacking. “Despite growing awareness of the quantum threat, a comprehensive and widely shared action plan in this area remains elusive. The lack of such a plan… may induce protracted inertia in the financial system’s migration efforts,” warns a report from Banca d’Italia cited by FS-ISAC. In other words, without a common roadmap, many institutions may hesitate to act, each waiting for others to move first.
The FS-ISAC authors believe this inertia can be overcome by establishing clear global milestones. In fact, they state plainly that global coordination is necessary to set consistent timelines across the industry and “the financial services ecosystem should be working towards a common end-date”. If regulators, industry groups, and firms align on target dates, it creates a sense of inevitability that pulls everyone forward together.
There is precedent that shows the power of a coordinated timeline. The paper notes the positive impact of the first PQC transition plan from the U.S. National Security Agency (NSA), known as CNSA 2.0, released in 2022. By publishing its internal roadmap for eliminating vulnerable crypto, the NSA achieved three things: it gave public visibility into its plans, set concrete milestones for U.S. national security systems, and signaled to vendors what would be expected of them. This had a ripple effect. Vendors such as browser makers and maintainers of cryptographic libraries began building in PQC support almost immediately in 2022-2023, knowing that big customers (the U.S. government) would soon require it.
In short, a clear timeline from a major authority prompted action across the ecosystem. FS-ISAC is effectively calling for the same effect on a global scale for financial services: a coordinated schedule that everyone can rally around.
Challenges Beyond Any Single Institution: Ecosystem Dependencies
Why can’t a forward-thinking bank just go it alone on quantum-proofing? FS-ISAC emphasizes that no institution operates in isolation. The paper outlines several critical dependencies in the financial ecosystem that make collective action and careful sequencing necessary:
- Peer Institutions and Market Infrastructures: Banks and trading firms depend on each other and on shared financial market infrastructures (FMIs) – for example, central counterparties (CCPs) for clearing trades, and central securities depositories (CSDs) for settling securities transactions. If your bank is ready to eliminate legacy cryptography but a key counterparty or market utility isn’t, you may be forced to delay to maintain connectivity. The need to support “slow movers” could drag out full migration if not managed sector-wide.
- Public Sector Systems: Many essential financial systems (payments networks, settlement systems, central bank services) are operated by the public sector or central banks. Private-sector institutions depend on these systems daily. The paper notes that these public-sector platforms also have to migrate within the necessary timelines for the overall transition to succeed. If, say, a central bank’s interbank payment system doesn’t upgrade its cryptography, every bank connected to it remains vulnerable.
- Other Critical Infrastructure: Beyond finance, sectors like telecommunications and energy underpin the stability of financial services. Financial firms rely on telecom networks, cloud providers, and power grids – all of which use cryptography too. A weakness in those sectors (e.g., an ISP that hasn’t upgraded its TLS encryption) could become an indirect weakness for banks. Ensuring telecoms, utilities, and other critical providers also become quantum-safe is part of the broader challenge.
- Technology Vendors and Service Providers: Modern banks use a multitude of third-party technology solutions – from core banking software to cloud services to security appliances. FS-ISAC points out that financial institutions are heavily dependent on vendors to supply mature, quantum-safe products. Replacing or upgrading all these pieces takes time and coordination. Importantly, many big banks are themselves providers of financial technology to smaller institutions, so there’s a chain effect. The paper suggests finding ways to influence vendors’ roadmaps (for example, by communicating timeline expectations or pooling demand for PQC features).
- Standards and Governing Bodies: Underlying all of this are the technical standards that ensure different systems work together. Banks can’t unilaterally decide on a new cryptographic protocol – they depend on standards bodies like the Internet Engineering Task Force (IETF), industry groups (e.g., the ANSI X9 committee for financial security standards), and others to define things like PQC-enabled TLS or interoperable digital certificate formats. FS-ISAC highlights that coordination with these bodies is essential so that standards for algorithms, certificates, and interim solutions (like hybrid crypto schemes) are in place in time for the migration. Similarly, regulators and supervisors need to set cohesive policies that support the transition.
All these dependencies mean that a single bank’s PQC initiative could be slowed down by external factors. The FS-ISAC paper essentially tells CISOs: know your dependencies. An inventory of where and how you use vulnerable cryptography (and on whom you depend to change it) is a prerequisite for any realistic migration plan. It’s also a plea for collaboration – success will require financial firms, vendors, standards bodies, and regulators to all pull in the same direction.
Timelines and Milestones: 2030 as a Wake-Up Call, 2035 as a Deadline
So what does the timeline for action actually look like? FS-ISAC’s position paper reviews the landscape of recommendations and converging timelines from government agencies and standards bodies around the world. A clear picture emerges: the early 2030s are a make-or-break period for post-quantum migration.
Notably, the paper observes that while regulators agree on the 2030-2035 window at a high level, not everyone is moving at the same speed yet. Some guidance has been conservative about near-term action. FS-ISAC gently points out that merely starting in 2028 is too late and ignores that many quantum-resistant solutions are already available today. The clear implication is that the financial sector should not wait; early adopters will be in a far better position to hit the 2030 milestone than those who procrastinate.
In sum, the clock is ticking, and the early 2030s will be the defining moment – a “crunch time” when any stragglers will face immense pressure to catch up.
A Four-Phase Migration Approach: Initiation, Discovery, Deployment, Exit
To help financial institutions navigate the journey, the FS-ISAC paper outlines a four-phase migration strategy. This phased approach is designed to prioritize the highest risks first and spread the effort over time, ensuring no critical steps are overlooked. At a high level, the phases are:
- Initiation: Launch a focused PQC transition program. This includes embedding quantum resistance into your organization’s risk management framework and culture, and securing the necessary resources and budget for the multi-year effort. Essentially, phase 1 is about getting executive buy-in, allocating funds, and assigning clear ownership to drive the project. A key outcome of this phase is an initial action plan with proper leadership accountability.
- Discovery & Inventory: Conduct a thorough inventory of where and how your systems use quantum-vulnerable cryptography (such as RSA, ECC, and DH). This phase involves discovering all cryptographic dependencies and prioritizing them by risk. FS-ISAC suggests focusing first on the “high-risk portions” of your architecture – for example, systems handling long-lived secrets or sensitive data that must remain secure for many years. Over this phase, firms should map out all use cases of classical cryptography (internal and with partners) and start applying a risk-based ranking to guide the order of upgrades.
- Deployment: Begin deploying post-quantum solutions, starting with the high- and medium-risk use cases identified earlier. This means actually implementing PQC algorithms or hybrid solutions in place of or alongside legacy crypto for critical systems. By the end of this phase, all high and medium priority instances of vulnerable crypto should be remediated or have a mitigation plan in place. During deployment, organizations should also start disallowing the use of legacy algorithms in new systems and, where feasible, even blocking cryptographic connections that rely on deprecated algorithms. It’s a gradual tightening of the gates: as PQC replacements roll out, the old crypto is phased out from use.
- Exit: The final phase is exiting the era of classical encryption entirely. In this phase, a financial institution should disallow all quantum-vulnerable algorithms – meaning legacy crypto like RSA or ECC is fully removed or disabled in all systems. The firm should now embrace cryptographic agility: the ability to swap algorithms in and out as needed, which ensures future-proofing against not just quantum threats but any crypto weakness. Other tasks in this phase include conducting a thorough audit to confirm no “hidden” dependencies on old algorithms remain (for example, in forgotten backup systems or vendor products). Finally, organizations need to be able to measure and attest to their crypto migration status – in other words, provide assurance to regulators, partners, and internal governance that they are compliant with all policies and requirements in the post-quantum world.
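The Discovery, Deployment and Exit phases above are, at their core, operations over a cryptographic inventory: record each use of cryptography, rank it by risk, gate what may be deployed as the policy tightens, and finally audit and measure what remains. The Python sketch below is an added example of that pipeline; it is not code from FS-ISAC or the paper. The inventory schema, the sample rows, the scoring weights and the per-phase gating rules are all assumptions constructed for the illustration; the algorithm sets reflect the well-known fact that RSA, DSA and elliptic-curve schemes fall to Shor's algorithm while ML-KEM, ML-DSA and SLH-DSA are the NIST post-quantum standards.

```python
from dataclasses import dataclass

# Public-key algorithms whose security rests on factoring or discrete logarithms;
# all of them are broken by Shor's algorithm on a cryptographically relevant QC.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
# NIST-standardised post-quantum algorithms (FIPS 203, 204 and 205).
QUANTUM_SAFE = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87", "SLH-DSA"}

PHASES = ("Initiation", "Discovery", "Deployment", "Exit")


@dataclass
class CryptoUse:
    """One row of the cryptographic inventory (constructed schema, not FS-ISAC's)."""
    system: str
    algorithm: str            # "+" joins the components of a hybrid scheme
    purpose: str              # key-exchange | signature | encryption-at-rest
    data_lifetime_years: int  # how long the protected data must stay secret (Mosca's X)
    external: bool            # crosses a boundary to a counterparty, FMI or vendor


def components(algorithm: str) -> list[str]:
    return [c.strip() for c in algorithm.split("+")]


def is_quantum_vulnerable(use: CryptoUse) -> bool:
    """True when no component of the scheme is post-quantum, i.e. pure legacy crypto."""
    return not any(c in QUANTUM_SAFE for c in components(use.algorithm))


def risk_score(use: CryptoUse) -> int:
    """Assumed weighting: long-lived data is exposed to 'harvest now, decrypt later',
    external links depend on slow movers, and confidentiality uses outrank signatures."""
    if not is_quantum_vulnerable(use):
        return 0
    score = use.data_lifetime_years
    if use.external:
        score += 5
    if use.purpose in ("key-exchange", "encryption-at-rest"):
        score += 3
    return score


def classify(use: CryptoUse) -> str:
    s = risk_score(use)
    if s == 0:
        return "safe"
    if s >= 10:
        return "high"
    if s >= 5:
        return "medium"
    return "low"


def rank_inventory(inventory: list[CryptoUse]) -> list[CryptoUse]:
    """Discovery output: highest-risk uses first (stable sort keeps ties in input order)."""
    return sorted(inventory, key=risk_score, reverse=True)


def permitted(use: CryptoUse, phase: str) -> bool:
    """Assumed gating policy: Deployment blocks pure-legacy schemes for new systems
    (hybrids allowed); Exit blocks any scheme that still carries a vulnerable component."""
    parts = components(use.algorithm)
    if phase == "Exit":
        return not any(c in QUANTUM_VULNERABLE for c in parts)
    if phase == "Deployment":
        return not is_quantum_vulnerable(use)
    return True  # Initiation / Discovery: inventory only, no enforcement yet


def migration_status(inventory: list[CryptoUse]) -> dict:
    """Exit-phase attestation figures: how much of the estate is already quantum-safe."""
    total = len(inventory)
    open_by_tier: dict[str, int] = {}
    for u in inventory:
        if is_quantum_vulnerable(u):
            open_by_tier[classify(u)] = open_by_tier.get(classify(u), 0) + 1
    safe = total - sum(open_by_tier.values())
    return {"total": total, "quantum_safe": safe, "open_by_tier": open_by_tier,
            "percent_quantum_safe": round(100 * safe / total, 1) if total else 100.0}


def exit_audit(inventory: list[CryptoUse]) -> list[str]:
    """Systems that would still fail the Exit gate, including 'hidden' hybrids."""
    return sorted(u.system for u in inventory if not permitted(u, "Exit"))


# Constructed sample inventory for the example (not real systems).
INVENTORY = [
    CryptoUse("core-ledger-db", "RSA", "encryption-at-rest", 25, False),
    CryptoUse("swift-gateway", "ECDH", "key-exchange", 7, True),
    CryptoUse("internal-api-tls", "X25519+ML-KEM-768", "key-exchange", 2, False),
    CryptoUse("code-signing", "ECDSA", "signature", 1, False),
    CryptoUse("vendor-sftp", "RSA", "key-exchange", 1, True),
    CryptoUse("backup-archive", "DH", "key-exchange", 12, False),
    CryptoUse("pqc-pilot-signing", "ML-DSA-65", "signature", 1, False),
]

if __name__ == "__main__":
    for use in rank_inventory(INVENTORY):
        print(f"{classify(use):6} {risk_score(use):3} {use.system} ({use.algorithm})")
    print(migration_status(INVENTORY))
    print("still failing Exit gate:", exit_audit(INVENTORY))
```

Note how the hybrid `internal-api-tls` entry passes the Deployment gate but shows up in the Exit audit: a hybrid scheme is a legitimate interim step, yet it still carries a classical component that the Exit phase removes, which is exactly the kind of dependency a final audit needs to surface.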
By following these phases in order, firms can tackle the problem methodically. The phased approach also mitigates risk: it prioritizes quick wins and critical fixes (so you address the biggest exposures early) and leaves lower-risk items for later, all while building confidence and institutional knowledge. FS-ISAC’s guidance here aligns with common cybersecurity program management practices – it’s about breaking a massive challenge into manageable stages, each with clear objectives.
Importantly, the paper notes that the timing of these phases should be informed by the global timelines discussed earlier. For instance, by around 2030, your organization should be well into the Deployment phase, having already completed Discovery and started upgrading the most critical systems. And by 2035, the Exit phase should be done – meaning you are fully quantum-safe by the time classical cryptography is slated to be phased out industry-wide. These anchors help CISOs plan backward: if 2035 is the end of the journey, and it might take 3-5 years to replace crypto across the enterprise, then the journey must start no later than, say, 2025-2027 (if not earlier) to comfortably finish on time.
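Two pieces of reasoning on this page reduce to arithmetic worth seeing worked through: Mosca's inequality from the earlier section (data is at risk when X + Y > Z, and every year of delay shrinks the remaining margin) and the backward planning described just above (fix the end date, subtract the phase durations, read off the latest start). The Python below is an added example, not code from FS-ISAC or the paper; the phase durations, the one-year buffer and the sample X, Y and Z values are assumptions constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MoscaInputs:
    shelf_life_years: float       # X: how long the data must remain confidential
    migration_years: float        # Y: how long the cryptographic migration takes
    quantum_arrival_years: float  # Z: estimated years until a cryptographically relevant QC


def safety_margin(m: MoscaInputs, delay_years: float = 0.0) -> float:
    """Z - (X + Y) after postponing the start by delay_years.
    Postponing does not move Z, so each year of delay removes a year of margin."""
    remaining_until_quantum = m.quantum_arrival_years - delay_years
    return remaining_until_quantum - (m.shelf_life_years + m.migration_years)


def at_risk(m: MoscaInputs, delay_years: float = 0.0) -> bool:
    """Mosca's inequality: the data is at risk once X + Y exceeds the remaining Z."""
    return safety_margin(m, delay_years) < 0


def max_affordable_delay(m: MoscaInputs) -> float:
    """Longest postponement that still keeps X + Y within Z (zero if already at risk)."""
    return max(0.0, safety_margin(m))


# Assumed phase durations in years, in the paper's order; not figures from the paper.
PHASE_DURATIONS = {"Initiation": 1, "Discovery": 2, "Deployment": 4, "Exit": 2}


def plan_backward(end_year: int, phase_years: dict = PHASE_DURATIONS,
                  buffer_years: int = 1) -> dict:
    """Walk back from the target end date so the last phase finishes buffer_years early.
    Returns {phase: (start_year, end_year)} in chronological order."""
    end = end_year - buffer_years
    plan = {}
    for phase in reversed(list(phase_years)):
        start = end - phase_years[phase]
        plan[phase] = (start, end)
        end = start
    return dict(reversed(list(plan.items())))


def phase_in_year(plan: dict, year: int):
    """Which phase a given calendar year falls in, or None if outside the plan."""
    for phase, (start, end) in plan.items():
        if start <= year < end:
            return phase
    return None


if __name__ == "__main__":
    m = MoscaInputs(shelf_life_years=10, migration_years=5, quantum_arrival_years=15)
    print("margin now:", safety_margin(m), "at risk:", at_risk(m))
    print("margin after 1 year of crypto-procrastination:", safety_margin(m, 1))
    plan = plan_backward(2035)
    for phase, (start, end) in plan.items():
        print(f"{phase:11} {start}-{end}")
    print("phase in 2030:", phase_in_year(plan, 2030))
```

With the assumed durations the plan backs out from a 2035 end date to a 2025 start and places 2030 inside the Deployment phase, which matches the anchors in the text; changing any duration or the buffer shows immediately how the latest acceptable start moves.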
Aligning with NIST, NSA, the EU, and Other Global Guidance
One noteworthy aspect of FS-ISAC’s position paper is how it ties into the broader chorus of international guidance on post-quantum crypto. The document doesn’t exist in isolation – it explicitly references and builds upon the timelines set by government agencies and standards bodies worldwide. This is reassuring for CISOs who are tracking those regulatory signals.
For a CISO, the alignment of FS-ISAC’s guidance with these government and standards initiatives means one thing: the writing is on the wall. Whether through hard mandates or industry consensus, the direction is clear that the 2020s are the preparation phase and the early 2030s the execution phase for quantum-safe cryptography. FS-ISAC essentially consolidates these various signals into a single financial-sector-focused roadmap. That’s incredibly useful – instead of parsing NIST, NSA, EU, and others separately, CISOs have a one-stop reference that distills what all these authorities mean for their sector.
My Take
“The Timeline for Post-Quantum Cryptographic Migration” is more than just another white paper – it’s a timely blueprint at a moment when the financial industry might otherwise be caught flat-footed. In terms of quality and importance, it’s hard to overstate the value of this document for a financial CISO. First, the clarity is commendable: the paper translates a complex problem into concrete phases and deadlines, without getting lost in cryptographic technicalities. It acknowledges the uncertainties (like not knowing exactly when quantum attacks will materialize) yet still provides a confident path forward. This kind of clear guidance is exactly what busy technology leaders in finance need.
Second, the paper emphasizes coordination – arguably its most important contribution. By highlighting interdependencies (across firms, vendors, and regulators) and calling for a common timeline, FS-ISAC is pushing the conversation beyond individual company preparedness to sector-wide readiness. This collaborative lens is crucial for something as sweeping as PQC migration. No bank, no matter how sophisticated, can solve this alone. The position paper effectively says: we need to share plans, set shared milestones, and avoid a scenario where one institution’s delay becomes everyone’s problem. That message coming from FS-ISAC – a trusted industry body – carries weight and can galvanize joint action in a way that isolated government edicts might not.
Finally, the sense of urgency is palpable and well-founded. The authors make it clear that the timeline to act is finite and shrinking. By coining “crypto-procrastination” and explicitly warning against it, the paper addresses the psychological hurdle head-on. It serves as a wake-up call: quantum risk is not a tomorrow problem, it’s a today planning problem. For the financial services sector, which historically has taken years to upgrade legacy systems (think of how long the migration off Windows XP or the adoption of cloud took in banking), this wake-up call is critical. The paper’s urgent tone, backed by global expert consensus and hard dates, can help CISOs communicate to their boards and CEOs why investment in quantum-safe cryptography can’t be put off.