[EDRM Editor’s Note: This article was first published here on February 16, 2026, and EDRM is grateful to Rob Robinson, editor and managing director of Trusted Partner ComplexDiscovery OÜ, for permission to republish.]

ComplexDiscovery Editor’s Note: This article arrives at an inflection point for professionals working at the intersection of cybersecurity, legal technology, and information governance. The Citi Institute’s January 2026 report quantifying the GDP-at-risk from a quantum-enabled cyberattack—paired with Check Point’s documentation of attacks on financial institutions doubling in 2025—transforms what has often been a theoretical discussion into an operational mandate. For eDiscovery practitioners, the “harvest now, decrypt later” threat introduces an entirely new dimension to data preservation and defensible disposal decisions: the encryption safeguarding collected ESI has an expiration date. Information governance professionals must begin incorporating post-quantum migration into their data maps, retention schedules, and risk assessments. And cybersecurity teams must balance the urgency of AI-powered defense deployments with the governance and transparency standards that legal and compliance functions require. This article connects these threads in a way that enables cross-functional teams to act, not just observe.

Somewhere right now, an adversary is quietly siphoning encrypted financial data off a major bank’s network—not to read it today, but to crack it open the moment quantum computers catch up.

That scenario is not a Hollywood pitch. A January 2026 report from the Citi Institute—drawing on econometric modeling first developed by the Hudson Institute—puts a staggering price tag on the threat: a single quantum-enabled cyberattack targeting a top-five U.S. bank’s access to the Fedwire payment system could put between $2 trillion and $3.3 trillion of American GDP at risk—triggering a potential six-month recession and a 10 to 17 percent decline in real economic output. No quantum computer capable of breaking current encryption exists today. Yet the analysis reframes quantum computing not as a distant curiosity for physicists, but as an operational, legal, and governance emergency bearing down on every institution that stores, transmits, or litigates over digital information.

The “Harvest Now, Decrypt Later” Problem

The Citi report zeroes in on the strategy cybersecurity professionals increasingly call “harvest now, decrypt later,” or HNDL. Adversaries—state-sponsored groups, organized crime syndicates, and opportunistic hackers—are already intercepting and stockpiling encrypted data from financial institutions, government agencies, and corporate networks. The bet is straightforward: once a cryptographically relevant quantum computer arrives, today’s unreadable ciphertext becomes tomorrow’s open book. For data with a long shelf life—financial records, trade secrets, government archives, medical histories, and biometric identifiers—the implications are severe.

For cybersecurity, information governance, and eDiscovery professionals, HNDL collapses the comfortable timeline that “Q-Day” (the moment a quantum machine can break standard public-key encryption) remains a decade or more away. The Global Risk Institute’s 2024 survey of quantum experts places the probability of Q-Day arriving by 2034 at 19 to 34 percent, jumping above 60 percent by 2044. But the data harvested today cannot be retroactively secured. Once stolen, the only question is when—not whether—it can be decrypted. This forces a fundamental rethinking of data retention schedules, defensible disposal policies, and encryption-at-rest standards. Organizations holding legacy archives of electronically stored information face a compounding liability: every year those records remain protected only by classical cryptography, their exposure window grows wider.

Professionals working in eDiscovery should immediately consider how quantum vulnerabilities intersect with legal hold obligations. If an organization is collecting, preserving, and producing encrypted data that could be compromised by future quantum decryption, what duty of care applies? Information governance teams should begin mapping every system relying on current cryptographic standards—especially those housing data subject to long-term regulatory retention—and flag them for post-quantum migration planning.

The Largest Cryptographic Overhaul in History

Industry analysts have called the transition to quantum-resistant cryptography the most expansive upgrade of its kind ever attempted, dwarfing the Y2K remediation efforts of the late 1990s. The Y2K bug came with a fixed deadline and a relatively contained problem. The quantum transition, by contrast, requires replacing every layer of public-key encryption that underpins secure web traffic, digital signatures, interbank messaging, and payment infrastructure—with no clear finish line.

The U.S. National Institute of Standards and Technology finalized its first set of post-quantum cryptography (PQC) standards in August 2024 and selected a fifth algorithm, HQC, in March 2025. Many roadmaps envision federal high-risk systems transitioning to PQC by around 2030 and broad adoption by the mid-2030s, though NIST’s guidance focuses on beginning migration now rather than waiting for fixed deadlines. Across the EU, policymakers are pushing member states to develop coordinated quantum and cybersecurity strategies this decade, with several initiatives aiming to transition high-risk systems by around 2030. In January 2025, a White House executive order on strengthening and promoting innovation in cybersecurity called for accelerated adoption of PQC across federal cryptographic systems.

Yet the path from standards on paper to implementation in production environments remains grueling. In September 2025, the Financial Services Information Sharing and Analysis Center (FS-ISAC) published a white paper warning of what it termed “crypto-procrastination”—the tendency of organizations to delay defining or allocating resources for quantum-resistant projects. That delay, FS-ISAC cautioned, threatens to compress future migration tasks into impossibly short windows. Large banks face the added challenge of coordinating with hundreds of third-party vendors while retraining staff across sprawling legacy environments.

Financial Sector Under Siege—Today

While the quantum threat looms on the horizon, financial institutions are already contending with a punishing wave of cyberattacks in the present. Check Point Software’s 2025 Finance Sector Landscape Report, authored by researchers Shir Atzil, Mariana Raiser, and Ruty Davidson, documented a dramatic escalation: cyber incidents targeting the financial sector more than doubled, from 864 in 2024 to 1,858 in 2025. Distributed Denial of Service (DDoS) attacks surged 105 percent, while data breaches jumped 73 percent, and ransomware incidents reached 451 cases for the year.

The report revealed a shift beyond purely financial motivations. Coordinated hacktivist campaigns—fueled by geopolitical tensions—targeted high-visibility financial platforms, with Israel absorbing the heaviest DDoS volume at 16.6 percent of attacks, followed by the United States at 5.9 percent and the United Arab Emirates at 5.6 percent. Groups like the North African hacktivist collective Keymous+ and pro-Russian operation NoName057 launched rapid-fire campaigns using shared botnets and modular infrastructure, enabling even moderately skilled operators to inflict outsized damage.

A third of all attacks were carried out by unidentified actors using burner accounts and decentralized identities to mask their digital footprints. Check Point characterized this as a “notable evolution” in threat actor behavior—one that makes attribution, investigation, and subsequent legal proceedings far more difficult. For eDiscovery professionals tasked with tracing the forensic chain of a breach, this anonymization trend raises the evidentiary bar considerably. Information governance teams, meanwhile, must reckon with the reality that misconfigurations—open storage buckets, permissive access controls, unmonitored API endpoints—continue to serve as invitations for threat actors.

AI as Both Shield and Sword

A countervailing force is emerging in the form of artificial intelligence-driven security. Glilot Capital Partners, an Israeli venture firm that raised $500 million in September 2025 to back cybersecurity and AI startups, has been at the forefront of this shift. Glilot co-founder Arik Kleinstein has framed the current moment as a transition from passive protection to proactive defense architecture, where AI automates the triage of alerts, detects anomalies in real time, and deploys defensive agents that can adapt dynamically to emerging threats. Industry surveys indicate that a strong majority of senior executives are now prioritizing AI security technologies as a core investment area.

The megabanks are putting their money where the trend lines point. JPMorgan Chase committed $18 billion to technology spending in 2025—up $1 billion from the prior year—with billions earmarked for AI-centric initiatives. CEO Jamie Dimon has called AI a force that “affects everything: risk, fraud, marketing, idea generation, customer service.” The bank’s proprietary LLM Suite platform has reached 200,000 internal users and is driving what executives describe as a 30 to 40 percent annual growth in AI-attributed business value. Bank of America, for its part, dedicated roughly $13 billion to technology in 2025, with $4 billion allocated to AI and related new technology initiatives.

These investments are not purely defensive. AI-powered tools are accelerating software development, automating compliance checks, enhancing fraud detection, and streamlining the review of legal and regulatory documents—directly touching eDiscovery workflows. JPMorgan’s COIN platform, for instance, automates 360,000 hours of legal work annually. For legal teams conducting document review, technology-assisted review (TAR) platforms built on advanced AI models are shrinking review timelines and costs. But these efficiencies introduce their own governance questions: how do organizations validate AI-generated work product, manage algorithmic bias, and maintain defensible processes when regulators or opposing counsel demand transparency?

Governance at the Crossroads

The convergence of quantum risk, escalating cyberattacks, and rapid AI adoption creates a governance challenge that no single department can solve in isolation. Legal teams must understand the cryptographic underpinnings of preserved data. IT security teams must communicate risk in terms that boards and general counsel can act on. Information governance professionals must update retention policies and data maps to account for post-quantum migration timelines. And eDiscovery practitioners must prepare for a world where the encryption protecting collected ESI may not hold indefinitely.

The World Economic Forum’s 2025 report with Accenture, “Quantum Technologies: Key Strategies and Opportunities for Financial Services Leaders,” emphasized that public-private collaboration, targeted research investment, adaptive regulation, and global standards are all necessary to navigate the quantum era. Banks such as HSBC, Banco Sabadell, and Intesa Sanpaolo are already testing quantum-safe methods and quantum-inspired approaches for risk modeling and fraud detection. In the UK, fraud cost the banking industry $1.6 billion in 2024, prompting the government to commit $162 million to quantum technology investments in April 2025.

For those working in cybersecurity, information governance, and eDiscovery, the actionable takeaway is clear: begin an enterprise-wide cryptographic inventory now. Identify which systems use classical public-key encryption, prioritize those housing data with long-term confidentiality requirements, and build a migration roadmap aligned with NIST PQC standards. Integrate quantum risk into data protection impact assessments and legal hold workflows. Engage vendors early to understand their post-quantum readiness. And stay alert to how AI is both expanding the attack surface (through generative AI misuse and data leakage) and providing the tools to defend against it.

Ultimately, the organizations that treat quantum readiness as a compliance checkbox rather than a strategic imperative will find themselves exposed—not just to the hackers of tomorrow, but to the regulators, litigators, and market forces that will demand accountability for foreseeable failures. The clock is not starting. It started years ago. The data is already being harvested.

If the encrypted data your organization is preserving today can be decrypted by adversaries within the next decade, how should that reality reshape your information governance and eDiscovery strategies right now?

Read the original article here.

News Sources

• Citi Puts a Multi-Trillion-Dollar Price Tag on The Quantum Cybersecurity Threat (The Quantum Insider)
• Are Financial Services Firms Easy Cybercrime Targets? (FinTech Magazine)
• Top 3 Cyber Threats Disrupting the Financial Sector Today (Check Point Research)
• Citi: Banks Face $3 Trillion Risk from Quantum Cyberattacks (American Banker)
• FS-ISAC Urges Financial Sector to Adopt Timeline for Implementing Quantum Computing Defenses (ABA Banking Journal)
• Banking in the Quantum Technologies Era: 3 Strategic Shifts to Watch (World Economic Forum)
• JPMorgan Chase AI Strategy: US$18B Bet Paying Off (AI News)
• Israeli Cyber Fund Glilot Capital Raises $500 Million (SecurityWeek)

About ComplexDiscovery OÜ

ComplexDiscovery OÜ is an independent digital publication and research organization based in Tallinn, Estonia. ComplexDiscovery covers cybersecurity, data privacy, regulatory compliance, and eDiscovery, with reporting that connects legal and business technology developments—including high-growth startup trends—to international business, policy, and global security dynamics. Focusing on technology and risk issues shaped by cross-border regulation and geopolitical complexity, ComplexDiscovery delivers editorial coverage, original analysis, and curated briefings for a global audience of legal, compliance, security, and technology professionals. Learn more at ComplexDiscovery.com.

Source: ComplexDiscovery OÜ
Assisted by GAI and LLM Technologies per EDRM’s GAI and LLM Policy.