
Quantum Computing & Third-Party Risk: Why TPRM Leaders Need to Prepare Now

Quantum computing promises enormous opportunity, but it also accelerates the urgency of rethinking cryptography across your company and its third parties. By beginning the transition now — through inventories, vendor engagement, and roadmap development — TPRM leaders can establish resilience for a quickly approaching post-quantum cryptography (PQC) future.

 

What is Quantum Computing?

Unlike traditional computers, which process information in binary bits (0s and 1s), quantum computers use qubits. Qubits can represent 0 and 1 simultaneously, enabling quantum machines to solve specific problems far faster than classical computers. This makes quantum machines powerful for fields such as drug discovery, supply chain optimization, and financial modeling.

However, quantum computing’s most significant impact on risk management stems from its ability to break widely used encryption methods, the very algorithms that protect sensitive data across global networks.

 

Why it Matters for TPRM Leaders

The benefits of quantum computing (faster analysis, advanced simulations, and new scientific breakthroughs) are significant. Yet the risks, particularly those related to cybersecurity, may emerge first.

The need for post-quantum cryptography (PQC) extends across the entire vendor ecosystem; any third party that fails to transition to PQC creates an entry point for adversaries that can compromise your company. As a result, TPRM groups should consider:

  • Vendor Dependencies: Many third-party solutions, cloud services, financial platforms, and healthcare applications rely on quantum-vulnerable cryptography.
  • Regulatory Pressure: NIST and other standards-setting bodies are finalizing PQC algorithms, and companies that delay migration could face compliance gaps and heightened exposure.
  • Data is at Risk Today: Adversaries may already be stealing encrypted data through “harvest now, decrypt later” (HNDL) strategies, with the intent to unlock it once quantum capabilities mature.

For TPRM leaders, PQC represents a supply chain challenge. The security of your company will depend not only on your readiness, but also on the readiness of your third and fourth parties.

 

How to Prepare Your Company

Early preparation is essential. TPRM leaders should encourage their companies and suppliers to take the following steps now, well before large-scale quantum computers are commercially available:

 

Establish Quantum-Readiness Roadmaps

  • Form cross-functional teams (risk, IT, procurement) to plan for PQC migration.
  • Build cryptographic inventories to identify systems and vendors that rely on vulnerable algorithms.
  • Prioritize migration for high-impact systems and critical third parties.

 

Engage with Vendors and the Supply Chain

  • Ask technology vendors about their quantum-readiness plans and migration timelines.
  • Align internal PQC transition strategies with those of critical suppliers.
  • Evaluate reliance on both commercial and custom-built technologies, ensuring migration pathways exist.


Develop a Practical Assessment Approach

Incorporate quantum-readiness into supplier assessments by asking questions such as:

  • Have you inventoried all cryptography in use across your systems?
  • Are you planning a migration to NIST’s PQC finalists (ML-KEM, ML-DSA, SLH-DSA) for secure encryption, key exchange, and digital signatures?
  • For symmetric encryption, are you using AES-128 or higher (preferably AES-256)?
  • Are you tracking developments in quantum cryptographic threats?

 

Shared Assessments is closely monitoring the evolving landscape of quantum computing and its implications for third-party risk management. Through our AI & Emerging Technology Committee, Tech in Focus LinkedIn Newsletter, and resources available on our website, we will continue to explore this critical topic and provide guidance to help our members stay ahead of emerging technology risks.