Sebastien Rousseau

POST-QUANTUM CRYPTOGRAPHY

The 2026 Post-Quantum Security Scorecard: A Board-Level Metric Framework

How boards must measure and govern the migration to NIST FIPS 203 and 204, tracking CBOM completeness and mitigating Harvest-Now-Decrypt-Later (HNDL) exposure in corporate treasury.


The 2026 Post-Quantum Security Scorecard: A Board-Level Metric Framework for Fiduciary Cryptographic Agility

Post-quantum security is no longer a research project. The "supervisory clock" is ticking toward late-2020s enforcement deadlines. The finalisation of [NIST FIPS 203 (ML-KEM)](https://csrc.nist.gov/pubs/fips/203/final) and [NIST FIPS 204 (ML-DSA)](https://csrc.nist.gov/pubs/fips/204/final) has codified the standards for key encapsulation and digital signatures.

Regulatory bodies now expect Tier-1 banks to move beyond pilot programmes. In 2026, the focus has shifted to the industrialisation of these standards. Failure to demonstrate a clear migration path carries significant regulatory penalties under the Digital Operational Resilience Act (DORA) and potential personal liability for directors who ignore the foreseeable threat of quantum-enabled decryption.

01. The Board-Level Quantum Scorecard

The following metrics provide a standardised framework for boards to evaluate quantum readiness and cryptographic health across Commercial and Investment Banking (CIB) estates.

Table 1: PQC Scorecard Metrics and Tolerances

| Metric | Mathematical Formula | Board-Approved Tolerances | Risk if Out of Tolerance |
|---|---|---|---|
| Inventory Completeness Percentage (ICP) | (Identified Crypto Assets / Total Estimated Assets) × 100 | > 98% | Shadow encryption and blind spots in high-value clearing data paths. |
| HNDL Exposure Rate (HER) | (Long-Lived Data on Legacy Crypto / Total Long-Lived Data) × 100 | < 5% | Permanent compromise of trade secrets, sovereign debt ledgers, and wholesale payment records. |
| NIST Migration Progress Rate (MPR) | (Systems running FIPS 203/204 / Total Critical Systems) × 100 | > 60% (by YE 2026) | Regulatory non-compliance and exclusion from G20-aligned counterparties. |
| Crypto-Agility Readiness Index (CARI) | (Apps with Abstracted Crypto Layers / Total Core Apps) × 100 | > 85% | Severe technical debt and inability to respond to future algorithm deprecations. |

02. The Cryptographic Bill of Materials (CBOM)

The ICP metric is baselined through a comprehensive CBOM Discovery Phase. This is an automated process that identifies every cryptographic endpoint within the enterprise.

This discovery phase creates a single source of truth, enabling the CISO to report on cryptographic health with the same granularity as financial performance.
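As an added example (not code from the article, and not any vendor's CBOM tooling), the following Go program computes the four Table 1 metrics from a constructed, simplified inventory and reports which of them fall outside the board-approved tolerances. Everything in it beyond the metric formulas is an assumption made for the example: the asset fields, the algorithm classification rules (ML-KEM and ML-DSA identifiers count as FIPS 203/204, factoring and discrete-log families count as legacy, and a hybrid such as X25519MLKEM768 is counted as protected by its ML-KEM half), the sample rows, and the use of the critical-system scope as the CARI denominator. The ICP denominator, total estimated assets, is taken as a separate discovery-scan estimate, because a CBOM cannot contain the assets it has not yet found.

```go
package main

import (
	"fmt"
	"regexp"
)

// CryptoAsset is one row of a simplified, constructed cryptographic bill of
// materials; the field set is this example's assumption, not a CBOM standard.
type CryptoAsset struct {
	System        string // owning application or platform
	Algorithm     string // e.g. "RSA-2048", "X25519MLKEM768", "ML-DSA-65"
	Critical      bool   // in the critical / core scope used for MPR and CARI
	Abstracted    bool   // reached through an abstracted crypto provider layer (CARI)
	LongLivedData bool   // protects data whose confidentiality must outlive a CRQC (HER)
}

var (
	pqcRe  = regexp.MustCompile(`(?i)ML-?(KEM|DSA)`)                            // FIPS 203 / 204 identifiers
	vulnRe = regexp.MustCompile(`(?i)^(RSA|ECDSA|ECDH|X25519|ED25519|DSA|DH)`) // factoring / discrete-log families
)

func pqcCompliant(alg string) bool { return pqcRe.MatchString(alg) }

// quantumVulnerable treats a hybrid such as X25519MLKEM768 as protected by its ML-KEM half.
func quantumVulnerable(alg string) bool { return !pqcCompliant(alg) && vulnRe.MatchString(alg) }

func b2i(b bool) int { if b { return 1 }; return 0 }

// Scorecard holds the four Table 1 metrics as percentages.
type Scorecard struct{ ICP, HER, MPR, CARI float64 }

// Breaches lists the metrics outside the Table 1 board-approved tolerances.
func (s Scorecard) Breaches() (out []string) {
	if s.ICP <= 98 { out = append(out, "ICP") }
	if s.HER >= 5 { out = append(out, "HER") }
	if s.MPR <= 60 { out = append(out, "MPR") }
	if s.CARI <= 85 { out = append(out, "CARI") }
	return out
}

func pct(num, den int) float64 {
	if den == 0 {
		return 0 // empty scope: 0 rather than NaN; callers should treat this as an inventory gap
	}
	return 100 * float64(num) / float64(den)
}

// ComputeScorecard derives the metrics from the inventory. estimatedTotal is
// the population estimated by discovery scanning, which the CBOM cannot supply
// itself; a stale estimate can push ICP past 100%.
func ComputeScorecard(assets []CryptoAsset, estimatedTotal int) Scorecard {
	type state struct{ critical, hasPQC, hasVuln, abstracted bool }
	systems := map[string]state{}
	longLived, longLivedLegacy := 0, 0
	for _, a := range assets {
		st, seen := systems[a.System]
		st.critical = st.critical || a.Critical
		st.hasPQC = st.hasPQC || pqcCompliant(a.Algorithm)
		st.hasVuln = st.hasVuln || quantumVulnerable(a.Algorithm)
		st.abstracted = (!seen || st.abstracted) && a.Abstracted // every asset must sit behind the layer
		systems[a.System] = st
		longLived += b2i(a.LongLivedData)
		longLivedLegacy += b2i(a.LongLivedData && quantumVulnerable(a.Algorithm))
	}
	critical, migrated, abstracted := 0, 0, 0
	for _, st := range systems {
		if st.critical {
			critical++
			migrated += b2i(st.hasPQC && !st.hasVuln) // one leftover legacy asset keeps a system unmigrated
			abstracted += b2i(st.abstracted)
		}
	}
	return Scorecard{
		ICP:  pct(len(assets), estimatedTotal),
		HER:  pct(longLivedLegacy, longLived),
		MPR:  pct(migrated, critical),
		CARI: pct(abstracted, critical),
	}
}

// SampleCBOM is a constructed inventory, not data from any real estate.
var SampleCBOM = []CryptoAsset{
	{"wholesale-payments-gw", "X25519MLKEM768", true, true, true},
	{"wholesale-payments-gw", "ML-DSA-65", true, true, false},
	{"bond-archive", "RSA-2048", true, false, true},
	{"treasury-ledger", "ML-DSA-65", true, true, false},
	{"treasury-ledger", "AES-256-GCM", true, true, true},
	{"fx-trading-api", "X25519", true, true, false},
	{"hr-portal", "RSA-2048", false, false, true},
}

const SampleEstimatedTotal = 7 // constructed discovery-scan estimate for the ICP denominator

func main() {
	s := ComputeScorecard(SampleCBOM, SampleEstimatedTotal)
	fmt.Printf("%+v out of tolerance: %v\n", s, s.Breaches())
}
```

Two edge cases in the numbers are worth reading carefully. A stale population estimate lets ICP exceed 100%, which is a discovery defect rather than a pass, and an empty long-lived scope yields an HER of 0%, which also reads as a pass; a zero denominator on either metric is an inventory gap to raise with the CISO, not a figure to put on the board report. On the sample rows, the hybrid TLS gateway counts as migrated while the FX API that still terminates on bare X25519 does not, which is the distinction the MPR denominator is meant to capture.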

03. Eliminating HNDL Exposure in Wholesale Payments

Adversaries are actively targeting wholesale payments and long-lived corporate databases. These "Harvest-Now-Decrypt-Later" (HNDL) attacks involve the interception and archival of today's encrypted traffic.

Even if a cryptographically relevant quantum computer (CRQC) does not exist today, the data intercepted now will be vulnerable in the future. Mitigating this requires high-priority migration of long-lived data (e.g., identity records, 30-year bond contracts, and legal archives), which directly reduces the HER metric. Upgrading payment channels to hybrid PQC-traditional encryption (using ML-KEM alongside X25519) provides immediate defence against archival threats.

04. Operationalising Crypto-Agility via Well-Designed Interfaces

Crypto-agility is realised through engineering abstractions. Modern libraries like KyberLib demonstrate how developers can implement quantum-safe modules without rewriting the entire application stack.

This architecture ensures that if a specific PQC algorithm is compromised in the future, the organisation can pivot in hours rather than years.

05. The Quantum-Safe Ingress Validation Workflow

The following diagram illustrates the lifecycle of data entering the secure perimeter in a quantum-agile banking environment.

```mermaid
graph TD
    A[Incoming Payment Request] --> B[Hybrid TLS Handshaking Gateway]
    B --> C{Check CBOM Registry}
    C -- Legacy (RSA/ECC) --> D[Redirect to Remediation / Flag for Audit]
    C -- Compliant --> E[Crypto-Agile Validation Layer]
    E --> F{Verify Signature}
    F -- ECDSA --> G[Log Traditional Validation]
    F -- ML-DSA --> H[Log Quantum-Safe Validation]
    G --> I[Real-Time Metrics Engine]
    H --> I
    I --> J[Updated Scorecard / Board Report]
```
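Sections 04 and 05 together describe an abstracted cryptographic layer and the ingress routing built on top of it. The following Go program is an added example, not code from the article and not KyberLib's API, showing the shape of such a layer: application code depends on a SignatureProvider interface and a policy record, and deprecating an algorithm is a configuration change rather than a code change. It assumes only the Go standard library, so the one registered provider is ECDSA P-256 (a traditional algorithm); an ML-DSA provider would be registered behind the same interface. The algorithm identifiers, the policy entry "ml-dsa-65", the outcome strings and the sample payload are this example's own labels.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignatureProvider is the abstraction callers depend on. An ML-DSA (FIPS 204)
// provider would plug in behind the same two methods; none is registered here
// because this example assumes only the Go standard library.
type SignatureProvider interface {
	Sign(msg []byte) ([]byte, error)
	Verify(msg, sig []byte) bool
}

type ecdsaP256 struct{ key *ecdsa.PrivateKey }

func (p *ecdsaP256) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, p.key, h[:])
}

func (p *ecdsaP256) Verify(msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(&p.key.PublicKey, h[:], sig)
}

// Policy is the configuration a pivot edits; gateway callers never change.
type Policy struct {
	Allowed     map[string]bool // accepted on ingress; false routes to remediation
	QuantumSafe map[string]bool // counted on the quantum-safe validation path
	Preferred   string          // algorithm used for new signatures
}

// Gateway is the crypto-agile validation layer plus its metrics counters.
type Gateway struct {
	Providers map[string]SignatureProvider
	Policy    Policy
	Metrics   map[string]int // keyed by the outcome strings Ingress returns
}

// Sign uses the policy-preferred algorithm; a missing provider is an error, never a silent fallback.
func (g *Gateway) Sign(msg []byte) (string, []byte, error) {
	p, ok := g.Providers[g.Policy.Preferred]
	if !ok {
		return "", nil, fmt.Errorf("no provider registered for %q", g.Policy.Preferred)
	}
	sig, err := p.Sign(msg)
	return g.Policy.Preferred, sig, err
}

// Ingress follows the diagram: registry lookup, policy check, verify, classify,
// then count the outcome for the metrics engine.
func (g *Gateway) Ingress(alg string, msg, sig []byte) (out string) {
	defer func() { g.Metrics[out]++ }()
	p, ok := g.Providers[alg]
	switch {
	case !ok:
		return "rejected" // unknown algorithm: nothing in the registry can verify it
	case !g.Policy.Allowed[alg]:
		return "redirect-to-remediation" // legacy per policy, flagged before any verification
	case !p.Verify(msg, sig):
		return "rejected"
	case g.Policy.QuantumSafe[alg]:
		return "quantum-safe-validated"
	}
	return "traditional-validated"
}

// DemoGateway wires one ECDSA provider with a fresh key; identifiers are this example's own labels.
func DemoGateway() (*Gateway, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Gateway{
		Providers: map[string]SignatureProvider{"ecdsa-p256": &ecdsaP256{key: key}},
		Policy: Policy{
			Allowed:     map[string]bool{"ecdsa-p256": true},
			QuantumSafe: map[string]bool{"ml-dsa-65": true}, // policy may name it before a provider exists
			Preferred:   "ecdsa-p256",
		},
		Metrics: map[string]int{},
	}, nil
}

func main() {
	g, _ := DemoGateway()
	msg := []byte("constructed payment request")
	alg, sig, _ := g.Sign(msg)
	fmt.Println(g.Ingress(alg, msg, sig))
	g.Policy.Allowed[alg] = false // the pivot: one configuration change, no caller edits
	fmt.Println(g.Ingress(alg, msg, sig), g.Metrics)
}
```

Two design choices mirror the diagram's order. The policy check runs before verification, so a legacy algorithm is flagged for audit whether or not its signature would have verified, and a preferred algorithm that has no registered provider fails loudly instead of quietly signing with the previous default; that second behaviour is what keeps the MPR figure honest when policy moves ahead of the estate.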


Conclusion

The cryptographic estate of a Tier-1 bank is no longer a CISO concern. It is fiduciary infrastructure. NIST FIPS 203 and 204 set the algorithms; DORA Article 5 sets the accountability surface; SM&CR pins it to a named senior manager. The scorecard above — Inventory Completeness, HNDL Exposure, Migration Progress, Crypto-Agility — gives a board the four numbers it needs to govern that estate without having to read the cryptographic code.

The number that matters most is HNDL Exposure. Every legacy-encrypted record sitting in a wholesale-payments archive today will be readable on the day the first cryptographically relevant quantum computer is shipped. The countdown is silent and asymmetric: defenders can only act on the data they hold, adversaries can act on data they already exfiltrated years ago. A 30-year corporate bond contract encrypted with RSA-2048 in 2024 is a contract that loses its confidentiality guarantee the day a CRQC goes live.

KyberLib and its peers turn this from a multi-year platform rewrite into a configuration change. The board's job is not to write the code. The board's job is to demand that the Crypto-Agility Readiness Index — the share of core applications behind an abstracted cryptographic interface — moves through 85 % within twelve months, and to read the quarterly scorecard.

Originally published at https://sebastienrousseau.com/2026-06-29-post-quantum-security-scorecard-board-level-fiduciary-agility-2026/ by Sebastien Rousseau, 29 June 2026. Licensed under CC-BY-4.0.