Moody’s Warning Forces Tech Leaders to Weigh Post-Quantum Costs Against AI Budgets

Moody’s Ratings has put chief information officers and chief financial officers on notice. Slow adoption of post-quantum cryptography could elevate credit risk for companies that handle sensitive financial data or run critical digital infrastructure. The credit agency, whose assessments shape borrowing costs for nations and corporations alike, argues that organizations underestimate how fast quantum computing advances threaten existing encryption. And the spending required to counter that threat will now fight for the same resources poured into artificial intelligence projects.

Google and Cloudflare both accelerated their migration timelines to 2029. The moves came months apart yet landed on the same aggressive deadline. Google announced its shift in March 2026. Cloudflare followed in April. Their decisions signal that two of the largest handlers of global internet traffic no longer view 2035, the U.S. government target for national security systems, as sufficient protection. Cloudflare now aims for full post-quantum security across its platform, including authentication, by that date. Over 65 percent of human-initiated traffic to the company already uses post-quantum encryption. The firm started preparations in 2019 and turned on hybrid post-quantum TLS by default for websites and APIs in 2022.

But encryption alone falls short. Authentication remains the harder challenge. Cloudflare author Bas Westerbaan noted that the company is excited by current adoption levels, yet insisted that the work continues until the authentication upgrades are finished. Credible new research and rapid industry developments suggest the migration deadline will arrive sooner than once expected. Recent estimates show roughly 10,000 qubits could execute Shor’s algorithm against today’s standards. Another 26,000 might crack P-256 elliptic curve cryptography. Google Quantum AI research indicated a 20-fold drop in required computing resources. Such numbers compress timelines that once seemed comfortably distant.

Moody’s analysts examined the financial sector in particular. They described how institutional digital finance has turned cyber risk from a niche concern into a mainstream one. Blockchain-based payments, tokenized assets, stablecoins and hybrid architectures expand the attack surface. Quantum computers could derive private keys from public data. The result threatens wallets, custody systems, transaction signatures and inter-institution communications. Irreversible public blockchains magnify damage because traditional recovery options like account freezes disappear once assets move on-chain.

JPMorgan Chase inventories cryptographic dependencies, tests post-quantum algorithms alongside legacy systems and builds crypto-agile infrastructure that allows rapid swaps. HSBC runs trials with quantum key distribution for internal systems and simulated foreign exchange transactions. Other banks join Bank for International Settlements and Group of Seven initiatives. These steps reflect early migration planning rather than waiting for a defined Q-Day. Yet Moody’s cautions that exposure varies. Custodians, exchanges and tokenization platforms face heavier risks due to direct reliance on cryptographic controls.

The agency links quantum threats to broader cyber trends. It cited major incidents including a $1.5 billion Bybit theft in 2025 and a significant Coinbase breach in 2024. Many attacks exploited third-party vendors, key management or integration points rather than core blockchain ledgers. Quantum risk sits atop those weaknesses. A Citi Institute analysis referenced in coverage warned that disruption to critical payment infrastructure such as systems tied to Fedwire could trigger $2 trillion to $3 trillion in indirect economic losses. The figure underscores systemic potential.

Regulators respond. The European Union’s Digital Operational Resilience Act took effect in 2025 and demands stronger IT risk management and testing. U.S. agencies tighten cyber governance, third-party oversight and incident disclosure. Asian authorities including Singapore’s Monetary Authority encourage cryptographic assessments. Delayed preparation, Moody’s analysts wrote, could bring higher remediation costs, greater supervisory pressure or erosion of market trust. One quote captured the stakes: “As digital finance markets attract a growing share of institutional clientele, cyber risk linked to blockchain-based platforms has evolved from a niche risk to one that is mainstream.”

Costs mount quickly. The White House estimated federal system migration at $7.1 billion over ten years. That figure excludes national security systems and offers only a baseline. Moody’s predicts post-quantum migration could consume 2.5 percent of annual IT budgets if addressed now. Delay until 2030 and expenses might double. Hybrid connections inflate data volumes dramatically. A standard cryptographic handshake uses about 64 bytes. Hybrid post-quantum versions require around 1,568 bytes. The 24-fold jump forces hyperscalers to expand infrastructure even as they pour capital into AI data centers.

Here lies the tension. AI projects promise revenue growth, productivity gains and competitive differentiation. Post-quantum work delivers none of those visible returns. It simply prevents future losses. Executives must therefore treat the investment as table stakes for digital resilience. PQC spending will compete directly with AI investment. Organizations that grasp the risk early avoid painful catch-up expenses later. Those that treat it as a distant science project invite credit downgrades when regulators or counterparties demand proof of preparedness.

Market forecasts reflect rising urgency. Analysts project the global post-quantum cryptography sector to expand sharply. One estimate sees growth from roughly $1.2 billion in 2026 to $13 billion by 2035. Another places the 2025 market near $0.42 billion expanding at a 46 percent compound annual growth rate through 2030. Government and defense outlays already exceed several billion dollars annually across dozens of countries. Enterprises in finance, defense and telecom accelerate upgrades. The numbers indicate momentum yet also reveal how far the transition must still travel.

Harvest-now-decrypt-later attacks add pressure. Adversaries steal encrypted data today and archive it for decryption once quantum hardware matures. Sensitive information with decades-long value, from intellectual property to government secrets to long-term financial records, sits vulnerable. Banks and cloud providers cannot assume their data enjoys permanent protection. The combination of compressed quantum timelines, regulatory scrutiny and budget competition leaves little room for hesitation.

Cloudflare and Google demonstrate one path forward. They integrate post-quantum capabilities by default so customers gain protection without extra effort or cost. Cloudflare plans post-quantum authentication support for origin connections by mid-2026, broader network deployment through 2028 and full coverage by 2029. Such default rollout reduces friction for the broader internet. Enterprises can mirror the approach by requiring quantum-safe support in vendor contracts, conducting cryptographic inventories and building agility into procurement standards.

Financial institutions already feel the shift. Credit ratings may soon incorporate quantum preparedness as a factor alongside traditional cyber hygiene. Boards that once viewed the topic as technical esoterica now confront it as a balance-sheet issue. Chief information security officers compete with chief AI officers for the same budget pool. The winner in that contest will not always be the initiative with the clearest return on investment. Sometimes defense must prevail over offense.

Recent analyses reinforce the message. A Forrester report noted that quantum security spending could exceed 5 percent of overall IT security budgets by 2026. Juniper Research highlighted regulatory standards and real-world testing as drivers behind projected market growth. These independent assessments align with Moody’s core warning. The transition will prove long and complex. Satellites in orbit, legacy hardware in vehicles or ATMs and embedded systems resist quick updates. Yet postponement only raises the final bill.

So companies face a choice. They can fund both AI innovation and quantum resilience in parallel. Or they can prioritize short-term gains and risk long-term exposure that rating agencies stand ready to penalize. The credit giant feared by governments and corporations has spoken. Its message carries weight because it translates technical risk into financial consequences. Post-quantum cryptography no longer represents a future expense. It competes for resources today.
