Hi All
The industry loves to flatten everything into “cyber”. It’s convenient, familiar, and wrong.
If you actually read the regimes that govern technology risk - NIST (US), DORA (EU), MAS (Singapore), China’s CSL/DSL/PIPL, and Australia’s Cyber Security Act + SOCI - the conclusion is unavoidable:
Quantum risk is not a cyber risk.
It is a cryptographic, systemic, trust‑layer risk. Treating it as “cyber” is how organisations sleepwalk into structural failure.
Here is the breakdown:
1. What “risk” actually means
Across NIST, ISO and MAS, risk is simply "the effect of uncertainty on objectives". That’s the umbrella. Everything else is a sub‑category.
2. What cyber/ICT/technology risk means globally
Across the US, EU, Singapore, China and Australia, cyber risk is consistently defined as loss or disruption caused by systems, failures, vulnerabilities, or threats. It is always:
Threat‑driven
Operational
Recoverable
This is the world of SOC dashboards, patching cycles, and SLAs. Cyber risk is about systems failing or being made to fail.
3. Quantum risk does not behave like cyber risk
Quantum risk is not a threat. It is a failure mode.
It is the risk that quantum computing breaks the cryptographic mechanisms that protect the entire trust layer. Compare the two:
Cyber is an incident. Quantum is a discontinuity.
Cyber triggers alerts. Quantum is silent.
Cyber respects perimeters. Quantum dissolves them.
Cyber is recoverable. Quantum is often irreversible.
It is the moment the mathematics stops working.
4. So why are CISOs involved?
Because they are the only leaders with operational proximity to cryptography—even though cryptography has never truly been a “cyber function”.
CISOs are involved because:
Cryptography has been historically mis-owned.
They inherited decades of cryptographic debt.
Boards wrongly assume “crypto = cyber”.
Crucially: It exposes a governance vacuum.
5. The Conclusion
Cyber risk is about how systems fail. Quantum risk is about what happens when the physics changes.
One is operational. One is structural.
One is episodic. One is systemic.
One is recoverable. One is irreversible.
Across the major global regimes, not a single regulator conflates the two. If you call quantum risk “cyber”, you have already misunderstood the problem.
Strategic Question: Does your Board understand that Quantum Risk sits beneath your Cyber Stack, or do they think it's just another patch?
With reference to original link:
https://www.linkedin.com/posts/bcouzens_pqc-quantum-activity-7412122641332883456-Xanc?utm_source=sha...
Regards
Caute_Cautim