A community for managing partners, GCs and compliance leads

Quantum-safe is a relationship question, not a technology question.

Post-quantum cryptography (PQC) — the next generation of encryption designed to resist quantum computers — is now a settled NIST standard. The work that follows is governance work. It belongs to leadership, not to the engineering team alone.

Aug 2024

NIST finalised FIPS 203, 204, 205 — the first post-quantum standards

2035

NSA CNSA 2.0 migration deadline for US national-security systems

30–100 yrs

Confidentiality horizon on a typical law firm matter file

Written by Sushila Nair, Security and audit specialist · Co-author, Professional Services Leadership.

The leadership briefing

What harvest-now-decrypt-later means for your client relationships

Adversaries — primarily nation-state intelligence services, but increasingly well-resourced criminal groups — are capturing encrypted traffic and stored ciphertext today, with the intention of decrypting it once a cryptographically relevant quantum computer (CRQC) arrives. Industry consensus places CRQC arrival somewhere between 2030 and 2040. The data you protect today is being collected, and the clock on its confidentiality starts now.

For a managing partner, the stake is the relationship. A client who shared an M&A negotiation strategy, an estate plan, a tax structure, or an IP filing with your firm did so on the understanding that confidentiality survives the engagement. The technical control that protects that promise — RSA and elliptic-curve cryptography — is the same control that will fail when a quantum computer arrives. The relationship does not break today. It breaks the day a client asks what you did between 2024 and 2030 to prepare, and you have no answer.

NIST's August 2024 finalisation of FIPS 203 (ML-KEM, key establishment), FIPS 204 (ML-DSA, signatures), and FIPS 205 (SLH-DSA, hash-based signatures) gives us the standards. The UK NCSC has published migration guidance. ISO 27001:2022 already expects cryptographic controls to be reviewed against current threat. What remains is governance: who in your firm owns the inventory, who signs off the migration plan, who reports to the board.

How this site works

Five editorial principles we apply to every piece we publish

01

Lead with the relationship

Every briefing on this site starts from the people at risk — clients, partners, staff — and works backward to the control. Technical detail earns its place only when it serves a decision a leader must make.

02

Anchor on recognised standards

We work from NIST, NCSC, ENISA, ISO 27001, ICAEW, SRA, FCA SYSC and GDPR — not from vendor marketing. Where standards diverge, we name the divergence and explain the trade-off.

03

Translate, do not dilute

Managing partners are not engineers, but they are not stupid. We define jargon on first use, keep the reasoning visible, and never reduce a serious decision to a checklist the reader cannot challenge.

04

Specific over generic

Replace vendor-neutral abstractions with named standards, named clauses, named regulators. ‘Appropriate technical measures’ means Article 32 GDPR; ‘effective governance’ means SRA Code 7.1. Specificity is respect for the reader's time.

05

No alarmism, no theatre

The risk is real and bounded. We avoid catastrophic framing, we avoid performative compliance gestures, and we focus on the controls that genuinely move the risk needle.

The standards we work with

Eight frameworks a managing partner should be able to name in a board meeting

Each entry follows the same structure: what the standard is, what it expects of your firm, and the practical action that follows. None require an engineering degree to act on. All require the partnership to take ownership.

NIST FIPS 203 / 204 / 205

US federal, de facto global reference

Post-Quantum Cryptography Standards

What it is

Finalised August 2024. ML-KEM replaces RSA/ECDH key exchange. ML-DSA replaces RSA-PSS/ECDSA signatures. SLH-DSA offers a conservative hash-based alternative.

Practical action

Ask your cloud and SaaS vendors which FIPS standard they are implementing, by when, and whether hybrid mode (classical + PQC) is supported during the transition.

NCSC PQC Migration Guidance

UK, all sectors

UK National Cyber Security Centre

What it is

Sets out the cryptographic lifecycle expectations NCSC will use when assessing UK organisations. Currently guidance rather than regulation, but anchors regulator and insurer expectations.

Practical action

Use the NCSC lifecycle phases (discover, prioritise, plan, migrate, retire) as your board reporting structure. Each phase has a named owner and a named deadline.

ISO/IEC 27001:2022 — Annex A.8.24

International, certifiable

Information Security Management — Cryptography

What it is

Requires organisations to define and implement cryptographic policies, key management, and lifecycle review. The 2022 revision explicitly expects emerging-threat review — PQC qualifies.

Practical action

If your firm is ISO 27001 certified, expect to be asked about PQC readiness at your next surveillance audit. Update the cryptographic policy now; the auditor will follow.

SRA Code of Conduct — Principle 7

UK law firms and solicitors

Solicitors Regulation Authority

What it is

Requires effective governance arrangements and confidentiality of client information. PQC readiness is now within scope of ‘effective governance’ for any firm with long-lived matter data.

Practical action

Add a cryptographic risk line to your annual SRA Compliance Officer (COLP/COFA) report. The SRA has not issued specific PQC guidance yet, but the principle already applies.

ICAEW Code of Ethics & ISQM 1

UK accountancy and audit

Institute of Chartered Accountants in England and Wales

What it is

ISQM 1 (International Standard on Quality Management) requires firms to address risks to quality, including confidentiality of engagement data. PQC migration is a quality-management question.

Practical action

Add cryptographic risk to your ISQM 1 risk register. Document the firm's transition plan as a quality response, not just an IT project.

FCA SYSC 13.7

UK FCA-regulated firms

Financial Conduct Authority — Operational Resilience

What it is

Expects regulated firms to have appropriate cyber resilience, including protection of client data against foreseeable threats. PQC is now foreseeable.

Practical action

Include cryptographic transition in your FCA operational resilience self-assessment. Document the board-level owner and the milestones.

UK GDPR — Article 32

UK, all data controllers and processors

Data Protection — Security of Processing

What it is

Requires ‘appropriate technical and organisational measures’ — a standard that evolves with the threat landscape. Reliance on RSA/ECDH for data with a 10-year+ confidentiality horizon is now difficult to defend.

Practical action

Review your Article 30 Record of Processing. For each processing activity with a long confidentiality horizon, document the cryptographic control and the migration plan.

CNSA 2.0

US national-security systems (de facto market clock)

Commercial National Security Algorithm Suite 2.0

What it is

NSA mandate requiring ML-KEM, ML-DSA and SLH-DSA for new national-security systems by 2025, full migration by 2035. Functions as the regulatory clock for the broader market.

Practical action

Treat 2035 as your external deadline, but expect client contract clauses, insurer questions, and regulator guidance to push internal deadlines earlier — 2030 is the practical target for professional services firms (PSFs).

What we cover

Three content tiers, mapped to how leaders actually consume guidance

The community is structured around the cadence at which a managing partner, GC, or compliance lead can absorb PQC guidance. Articles fit a commute. White papers fit a board pack. Discussion groups fit a monthly peer conversation.

Articles

Free

Weekly · 800–1500 words · free

A single decision or question, framed for a managing partner reading on a phone.

Audience

Managing partners, GCs

Access

Open access

Examples
  • What your board needs to ask about cryptographic asset inventory
  • Harvest-now-decrypt-later, explained without the quantum mechanics
  • NIST FIPS 203/204/205 finalised — what changes for your firm this quarter
  • Your document management system is where PQC risk actually lives
  • Signal, iMessage, WhatsApp — which secure messaging is quantum-safe today

White papers

Members

Monthly · 8–20 pages · members

Sector-specific migration roadmaps, suitable for tabling at a partnership meeting.

Audience

Partners, IT directors, compliance leads

Access

Member tier (from £250/year)

Examples
  • Post-quantum migration roadmap for UK law firms
  • Post-quantum migration roadmap for UK accountancy & audit
  • Cryptographic asset discovery — a guide for partnership boards
  • PQC and legal professional privilege — a risk assessment
  • Vendor PQC readiness — a due diligence framework
  • Pilot to production — running a 90-day PQC pilot

Discussion groups

Members

Monthly · 60–90 minutes · members

Facilitated peer groups of 8–25 specialists, organised by topic, not by technology.

Audience

Specialist leads (risk, procurement, IT, compliance)

Access

Member+ tier (from £500/year)

Examples
  • M&A confidentiality — sharing deal-by-deal approaches
  • Blockchain and DLT exposure — for firms with digital-assets clients
  • PKI and certificate migration — for IT directors running internal CAs
  • Vendor risk — for procurement leads assessing cloud and SaaS
  • Cyber insurance renewal — for risk managers preparing for 2028 questions
  • Regulatory horizon — for compliance officers tracking NCSC/FCA/SRA

Practical first steps

Five things a managing partner can do this quarter

None of these require a budget approval. None require an engineer. All of them move the firm from passive awareness into active governance. The point of the list is not completion — it is the shift in posture.

  1. Name a cryptographic risk owner at the partnership table

    The owner does not need to be technical. They need authority to ask IT, procurement, and compliance for answers. ISO 27001 calls this ‘leadership commitment’ (Clause 5). SRA Code 7 expects it. Document the appointment in a partnership minute.

  2. Ask IT one question and write down the answer

    ‘Where do we use RSA or elliptic-curve cryptography, and which of those uses protect data with a confidentiality horizon over 10 years?’ You will not get a complete answer. That is the point. The gap is your first inventory request.

  3. Add a PQC line to your next board or partnership report

    Three lines: (a) what the firm has inventoried, (b) what the firm has not, (c) the next action and its owner. This is the reporting structure NCSC recommends. It also creates the audit trail a regulator or insurer will later ask for.

  4. Review your three largest vendor contracts for PQC clauses

    Document management, e-signature, and case management vendors are the highest-leverage places to start. Ask each: (a) which NIST PQC standard they are implementing, (b) by when, and (c) whether hybrid mode (classical + PQC) will be available during the transition. The answers inform your renewal negotiation.

  5. Raise PQC at your next cyber insurance renewal meeting

    Insurers are still calibrating their PQC underwriting questions. Being ahead of the question — bringing a one-page summary of the firm's inventory and plan — positions the firm favourably and may anchor your premium. It also forces internal progress.
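To show what the step-2 inventory and the step-3 three-line report look like once IT's answers are written down, here is an added worked example. It is not the community's material and not from any of the standards named above: a small register that classifies each cryptographic use as quantum-vulnerable, hybrid, PQC or symmetric, measures how many years of a data set's confidentiality horizon would outlive an assumed CRQC arrival, ranks the vulnerable uses in the NCSC 'prioritise' sense, and emits the inventoried / not-inventoried / next-action summary. Every asset row, the current year (2025) and the CRQC year (2035, the midpoint of the 2030–2040 window the briefing cites) are constructed assumptions.

```python
"""Cryptographic asset triage for harvest-now-decrypt-later exposure.

Added example, not the community's own material. Every asset row, the current
year and the CRQC arrival year are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Public-key families whose security rests on factoring or discrete logs;
# a CRQC running Shor's algorithm breaks all of them.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# The NIST FIPS 203 / 204 / 205 primitives.
PQC_STANDARD = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Symmetric and hash families: Grover's algorithm only halves effective
# strength, so 256-bit keys are not treated as exposed here.
SYMMETRIC = {"AES", "CHACHA20", "SHA", "HMAC"}

CURRENT_YEAR = 2025       # assumption: fixed so the output is reproducible
ASSUMED_CRQC_YEAR = 2035  # assumption: midpoint of the 2030-2040 consensus window


@dataclass
class CryptoAsset:
    system: str
    purpose: str                  # e.g. "TLS key exchange", "document signing"
    algorithm: Optional[str]      # None = IT has not yet answered for this system
    horizon_years: Optional[int]  # confidentiality horizon of the protected data
    owner: str                    # who at the firm is accountable for the answer


def classify(algorithm: Optional[str]) -> str:
    """Map an algorithm label to one of: unknown, pqc, hybrid,
    quantum_vulnerable, symmetric, unclassified."""
    if algorithm is None:
        return "unknown"
    kinds = set()
    for part in algorithm.upper().split("+"):   # "X25519+ML-KEM-768" is hybrid
        part = part.strip()
        family = part.split("-")[0]              # "RSA-2048" -> "RSA"
        if part.startswith(PQC_STANDARD):
            kinds.add("pqc")
        elif family in QUANTUM_VULNERABLE:
            kinds.add("quantum_vulnerable")
        elif family in SYMMETRIC:
            kinds.add("symmetric")
        else:
            kinds.add("unclassified")
    if kinds == {"pqc", "quantum_vulnerable"}:
        return "hybrid"   # classical + PQC: protected while either component holds
    return kinds.pop() if len(kinds) == 1 else "unclassified"


def exposure_years(asset: CryptoAsset, crqc_year: int = ASSUMED_CRQC_YEAR,
                   now: int = CURRENT_YEAR) -> int:
    """Years for which data protected today must stay confidential after the
    assumed CRQC arrives. Anything above zero is harvest-now-decrypt-later
    exposure; for signing uses the same window measures forgery risk instead."""
    if classify(asset.algorithm) != "quantum_vulnerable" or asset.horizon_years is None:
        return 0
    return max(0, now + asset.horizon_years - crqc_year)


def board_report(assets, crqc_year: int = ASSUMED_CRQC_YEAR,
                 now: int = CURRENT_YEAR) -> dict:
    """The three-line structure from step 3: what is inventoried, what is not,
    and the next action with its owner. Ranking follows the NCSC 'prioritise'
    phase: longest post-CRQC exposure first."""
    inventoried = [a for a in assets
                   if a.algorithm is not None and a.horizon_years is not None]
    not_inventoried = [a for a in assets if a not in inventoried]
    ranked = sorted(((a, exposure_years(a, crqc_year, now)) for a in inventoried),
                    key=lambda pair: pair[1], reverse=True)
    priority = [(a.system, years) for a, years in ranked if years > 0]
    if priority:
        top = ranked[0][0]
        next_action = (f"{top.owner}: obtain a FIPS 203/204 or hybrid migration plan "
                       f"for {top.system} ({top.purpose}, {top.algorithm})")
    elif not_inventoried:
        gap = not_inventoried[0]
        next_action = f"{gap.owner}: complete the inventory entry for {gap.system}"
    else:
        next_action = "No quantum-vulnerable use outlives the assumed CRQC date; re-review annually"
    return {"inventoried": len(inventoried),
            "not_inventoried": [a.system for a in not_inventoried],
            "priority": priority,
            "next_action": next_action}


# Constructed sample answers to the step-2 question (hypothetical systems and owners).
SAMPLE_ASSETS = [
    CryptoAsset("DMS storage", "at-rest encryption", "AES-256", 50, "IT director"),
    CryptoAsset("DMS client TLS", "TLS key exchange", "ECDH-P256", 50, "IT director"),
    CryptoAsset("E-signature platform", "document signing", "RSA-2048", 30, "Head of procurement"),
    CryptoAsset("Email gateway", "TLS key exchange", "X25519+ML-KEM-768", 10, "IT director"),
    CryptoAsset("Archive backups", "key wrapping", "RSA-2048", 100, "Records manager"),
    CryptoAsset("Case management SaaS", "TLS key exchange", None, None, "Head of procurement"),
]

if __name__ == "__main__":
    for key, value in board_report(SAMPLE_ASSETS).items():
        print(f"{key}: {value}")
```

On the sample rows the archive's RSA-wrapped keys rank first (a 100-year horizon leaves 90 years after the assumed CRQC date), the hybrid email gateway scores zero exposure, and the case management vendor surfaces as the open inventory gap; changing `ASSUMED_CRQC_YEAR` to 2030 shows how much of the ranking depends on that one assumption, which is exactly the sensitivity a board should see stated.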

About the author

Sushila Nair — security and audit specialist

I have spent my career at the boundary where security meets governance: ISO 27001 lead auditor work, ISACA-aligned audit practice, and most recently co-authoring a book on professional services leadership that takes seriously the idea that partners — not engineers — own the confidentiality promise made to clients.

This community exists because the PQC conversation I see in the market is split in two. On one side: technical material written for cryptographers, perfectly correct and perfectly inaccessible to a managing partner. On the other: vendor marketing that translates the issue but tilts the recommendation. The space in the middle — sector-specific, leadership-tier, vendor-neutral, written by someone who has sat in the audit room — is empty. I am filling it.

I am not an algorithm designer. I will not tell you which primitive to deploy. What I will do is translate what NIST, NCSC, ISO and the regulators expect of your firm, frame the decisions your partnership needs to make, and create the peer community where managing partners, GCs and compliance leads can compare approaches without vendor pressure.

Join the community

Membership is structured around how you actually use it

The community is intentionally small and sector-specific. Three tiers, no upsell theatre, no marketing automation. If you are a managing partner, GC, or compliance lead at a regional professional services firm, you are the audience.

Open

Free

Always

  • Weekly articles
  • Newsletter (bi-weekly digest)
  • Resources page — curated links to NIST, IETF, ETSI, NCSC
  • Open webinars (quarterly)

Member

£250 / year / person

Annual

  • Everything in Open
  • Full white paper library (8–20pp each, monthly)
  • Member-only webinars (bi-monthly)
  • Discussion group access (one group)
  • Vendor comparison tools and templates

Member+

£500 / year / person

Annual

  • Everything in Member
  • Additional discussion groups (up to three)
  • Annual benchmarking report
  • Priority booking for advisory engagements
  • Annual community summit invitation

Subscribe to the newsletter

Bi-weekly digest of articles, regulatory updates, and community announcements. Work emails only — we read every subscription and we do not share lists.

The elsewhere layer

Where the deep technical material lives

This site deliberately does not publish original algorithmic or mathematical content. We curate, we annotate, we translate — but the technical depth lives at the standards bodies, in the academic literature, and in the implementation libraries. The list below is the curated set we recommend to members who want to go deeper than the leadership tier.