Post Quantum Crypto in ASEAN: The Quantum Cybersecurity Governance Problem 

For most enterprises in Southeast Asia, post-quantum cryptography (PQC) sits somewhere between important and not yet urgent on the technology agenda. The research published over the past year makes that position harder to hold. In 2019, breaking RSA-2048 encryption was estimated to require around 20 million physical qubits. By 2025, that estimate had fallen below one million. Research published in early 2026 suggests the figure could be as low as 100,000, and one March 2026 paper puts certain attacks on the elliptic curve cryptography that secures digital signatures and digital asset wallets within reach of roughly 10,000 qubits. No machine of that scale exists today. But the gap between the hardware that exists and the hardware required is narrowing on both sides, and the runway between where the science is heading and where most ASEAN institutions stand is shrinking faster than their roadmaps assumed.

For technology leaders in the region, the question has shifted. This is no longer a research field to monitor. It is an operational and governance problem, and the window for addressing it on an institution's own terms is closing.

This article draws on discussion from AIBP's closed-door roundtable, "From Risk to Resilience: Future Proofing Security in the Quantum Age," held in Bangkok on 9 June 2026, in partnership with IBM.

The Quantum Risk Analysis Gap: ASEAN Enterprises Between Assessment and Action

Industry surveys suggest that roughly 40% of organisations across Asia have conducted a corporate risk analysis of quantum threats to cybersecurity, while fewer than one in ten have a formal programme in place to act on it. That gap, between knowing the risk exists and being structured to address it, is where most ASEAN enterprises currently sit.

The reasons for inertia are understandable. Technology budgets are under sustained pressure, AI has absorbed much of leadership's attention and capital, and without a hard regulatory deadline on quantum readiness, deferral has looked like the rational short-term choice.

But deferral is not a neutral choice. Sophisticated adversaries are already collecting encrypted data, including financial records, communications and credentials, with the intention of decrypting it once the capability arrives. This is the "harvest now decrypt later" threat, and it reframes the question entirely: how much of the data an organisation encrypts today will still need to be confidential in five to ten years? For most financial institutions, the honest answer is most of it. Some of it may already be in the wrong hands.

Why the Post Quantum Cryptography Roadmap for ASEAN No Longer Holds

Most institutional post quantum cryptography roadmaps in Southeast Asia were built around a 2030 readiness horizon. That was reasonable when it was set. It is less reasonable now. The 2026 research findings, alongside credible industry assessments, point to 2029 or potentially earlier as the more realistic threshold. The capital flowing into the field tells the same story: the multi-billion-dollar commitments announced in the months before the Bangkok roundtable are not the scale of funding that goes into academic research. They reflect a competitive and geopolitical race already well underway.

The regional picture, as of mid-2026, is uneven. Japan and Singapore are the clear frontrunners in Asia-Pacific, with major financial institutions in both markets having moved from assessment into active migration to post quantum cryptography. Across Thailand, Indonesia, Malaysia, the Philippines and South Korea, the situation is broadly similar: senior awareness exists, but organised action has not begun.

The clearest explanation for the gap between movers and watchers is not capability. It is regulatory pressure. The United Kingdom's National Cyber Security Centre — operating under the NIST cybersecurity framework equivalent — has set dated milestones for the transition: discovery and migration planning by 2028, highest-priority migration by 2031, full migration by 2035. Deadlines of that kind concentrate minds. Where they are absent, the pattern is predictable.



As Umut Cikla, IBM Quantum Safe Asia Pacific Executive and IBM Quantum Senior Ambassador, observed at the roundtable: "We see strict regulations in many parts of the world. Although we have great reports and recommendations from ASD, the industry regulators for banking & financial services or critical infrastructure industries haven't published any deadlines and regulations yet for the adoption of post quantum crypto in Australia. This is causing procrastination in Australia. But the case is not like this in other parts of the world. For example, although many banks from Japan and Singapore in the APAC region started their Quantum Safe projects already and made significant progress, we don't see many projects starting in Australia yet. Most of the CISOs or CROs we talk to think like, 'Since we don't have a regulation yet in ANZ, it is difficult to get board approval and secure a budget for quantum cybersecurity efforts yet. Maybe this year we can prioritize other priorities and AI related risks, and next year once we have a regulation, we can start focusing on quantum threat.' But this approach is too risky because the encrypted internet traffic is already being copied today by adversaries with an aim to decrypt once they have access to a powerful enough quantum computer in the very near future. This risk is called Harvest Now Decrypt Later risk and it is not a future risk. It is already here and organizations should secure their crown jewels and confidential data against this risk. 2026 is the year to be able to reach a quantum safe state by 2030."

In Thailand, it took a directive from the central bank's governor, delivered at board level to financial institutions, to convert awareness into motion. That dynamic will be familiar to technology leaders across the region who have made the case internally only to watch it stall without an external forcing function. The pattern from markets that have moved is consistent: waiting for the external prompt means inheriting someone else's timeline.

Why Migration to Post Quantum Cryptography Alone Is the Wrong Frame

The instinct to treat post-quantum readiness as a migration, a defined project with a start date, an end date and a deliverable, is understandable. It also leads organisations toward programmes that will need to be repeated.

The reason is straightforward: quantum safe encryption algorithms are not static. What is considered quantum-safe today may be refined or superseded as the field matures, and full industry-wide adoption of new cryptographic standards has historically taken a decade or more. An organisation that completes a one-time migration and considers the matter closed will face the same challenge again, on a shorter timeline, with less preparation.

Practitioners with direct migration experience make this point forcefully. Khun Yarnvith Raksri (Park), Deputy Managing Director at KASIKORN Business-Technology Group (KBTG), where he leads deep technology research, put it plainly: "Don't think of this as a programme to migrate to PQC. The goal should not be 'we are going to be PQC-ready by X.' The goal should be crypto agility by X year. That is the important question."

Crypto agility, in practical terms, comes down to an architectural decision about how encryption is managed. In most institutions today, encryption is embedded directly into individual applications by the developers who build them. When a protection needs to change, someone has to go into each application, find every place the old method was used, replace it, and test that nothing broke. For a large institution with hundreds of applications, that is an enormous undertaking, and one that repeats every time standards evolve.

The alternative is to manage encryption centrally. Applications do not specify how data should be protected; they request that it be protected, and a shared service handles the rest. When the underlying method changes, it changes in one place. For legacy systems too embedded or too sensitive to modify, a protective layer can be added around them, re-securing data as it leaves before it crosses any external network. It is not a permanent fix, but it is a practical bridge for institutions with complex inherited infrastructure.
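The centrally managed pattern described above, sketched as an added example that is not from the roundtable or any vendor's product. `ProtectionService` and its method names are hypothetical, and because the Python standard library ships no encryption or PQC primitives, two HMAC variants stand in for the "old" and "new" protection methods; the point is the dispatch and re-protection logic, not the algorithms.

```python
import hashlib
import hmac
import json
import secrets

# Central registry: algorithm id -> tag function. Stdlib stand-ins (assumption);
# a real service would register its approved classical, PQC or hybrid schemes.
ALGORITHMS = {
    "hmac-sha256": lambda k, m: hmac.new(k, m, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda k, m: hmac.new(k, m, hashlib.sha3_256).digest(),
}

class ProtectionService:
    """Hypothetical shared service: callers never name an algorithm."""

    def __init__(self, policy_alg):
        self.keys = {}  # key id -> (algorithm id, key bytes)
        self.set_policy(policy_alg)

    def set_policy(self, alg):
        """Change the method in one place; new data gets a new key and algorithm."""
        if alg not in ALGORITHMS:
            raise ValueError(f"unapproved algorithm: {alg}")
        self.policy_alg = alg
        self.current_kid = f"k{len(self.keys) + 1}"
        self.keys[self.current_kid] = (alg, secrets.token_bytes(32))

    def protect(self, data: bytes) -> str:
        alg, key = self.keys[self.current_kid]
        tag = ALGORITHMS[alg](key, data)
        return json.dumps({"kid": self.current_kid, "data": data.hex(), "tag": tag.hex()})

    def verify(self, envelope: str) -> bytes:
        env = json.loads(envelope)
        # The algorithm is looked up from the server-side key record, never
        # read from the envelope, so a caller cannot downgrade it.
        alg, key = self.keys[env["kid"]]
        data = bytes.fromhex(env["data"])
        if not hmac.compare_digest(ALGORITHMS[alg](key, data), bytes.fromhex(env["tag"])):
            raise ValueError("integrity check failed")
        return data

    def needs_reprotect(self, envelope: str) -> bool:
        """True when the envelope was produced under a superseded policy."""
        return self.keys[json.loads(envelope)["kid"]][0] != self.policy_alg

    def reprotect(self, envelope: str) -> str:
        """Verify under the old method, then re-issue under the current one."""
        return self.protect(self.verify(envelope))
```

Application code calls only `protect` and `verify`; a policy change is a single `set_policy` call, after which `needs_reprotect` identifies stored envelopes still on the superseded method.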

Quantum Risk Management: Why the Bottleneck Is Organisational, Not Technical

Khun Natasak Rodjanapiches, AIBP Advisory Board member and a senior financial services executive who participated in the discussion, framed the dilemma facing most executives: "We are in the age of the horse carriage. But what we are actually facing is a new kind of vehicle entirely." The question sitting with many leaders, he noted, is how to adapt when the investment required is large and the risk is larger still.

Technology leaders who have begun this work tend to report the same finding: the hardest part is not technical. It is the question of who owns the risk, and whether that person has the authority and resources to act on it. Post-quantum readiness cuts across data governance, legal exposure, procurement, software development, vendor relationships and board-level risk reporting. It cannot be owned by a single function. The institutions that have made the most progress in the region treated it as a business risk requiring a business response, not a technical problem delegated downward. Khun Park reinforced this from experience: prioritising which applications matter and which are at risk requires input from business and compliance functions, and the decision to proceed is made at the top, not within the IT team.

As Umut highlighted, organisations should not wait and lose valuable time in becoming quantum safe. Starting just a couple of years before the 2029-2030 deadline is very risky: it leaves very little time, and cybersecurity work should not be rushed. The work needs to start now. Institutions that move early gain a better understanding of their risk areas, build organisational know-how and internal capability, and can run pilots and tests and extrapolate realistic cost and effort estimates for the entire programme. Those that wait will be executing under pressure, with high costs and less room for the inevitable surprises.

One exposure tends to be overlooked entirely. Every new system procured and every new application built on outdated security standards adds quietly to the future migration workload. Institutions that have moved are folding quantum-safe requirements into procurement and development standards now, well before any formal programme begins, precisely because it is the one intervention that costs nothing today.



What surfaced in Bangkok was less a technology discussion than a quantum risk management one. The institutions making progress share three characteristics: they have mapped where and how encryption is used across their estates, they have placed ownership of the risk at board level rather than within the technology function, and they are building the capability to change cryptographic protections centrally rather than treating readiness as a one-off compliance exercise. For ASEAN enterprises still weighing the timing, the open questions are concrete. Which data being encrypted today still needs to be confidential in 2031? What will the region's central banks and regulators expect, and how much notice will they give? And if exposure mapping alone takes months, what does starting in 2028 actually leave time for? The quantum transition will not arrive as a single moment of disruption. It is a structural shift already underway, in laboratories, in capital flows, and in the data being quietly collected by adversaries playing a longer game. The evidence from the first half of 2026 suggests the institutions still watching will have less time to respond than they assume.

