The global financial system already has a “Quantum-Safe” strategy to combat cyberattacks. Latin America has yet to develop its own.
- Alejandro Herrera Jimenez
- 2 days ago
- 4 min read
In March 2026, Google published something the security industry had been fearing but had hoped to have more time to process: according to its estimates, Q-Day—the moment when a quantum computer could break the encryption that protects the internet—could occur in 2029. Not in 2040, not in 2035. In three years. What was previously estimated to require millions of qubits turns out to be achievable with just 10,000, thanks to recent advances in quantum error correction. The threshold has dropped dramatically—and with it, the time available to act.
For the financial sector, that figure isn't just another headline. It's a countdown.
In January 2026, Citigroup published a report that put concrete numbers on the table. The conclusion: a successful quantum attack against any of the five largest banks in the United States could cost the economy between 2 and 3.3 trillion dollars in indirect impact, representing a 10% to 17% drop in U.S. GDP.
The mechanism is simple: a sufficiently powerful quantum computer could break the encryption protecting the interbank payment system, freezing transactions and triggering a cascading financial crisis. That report was released when most estimates placed “Q-Day” in the 2030s or beyond. With Google’s new projection pointing to 2029, those risk figures become even more immediate.
The cryptography that protects the financial system today—the RSA and elliptic curve algorithms behind every digital transaction—is based on mathematical problems that would take a classical computer thousands of years to solve. A quantum computer could solve them in a matter of hours. But what should concern us most is not that future attack, but the one that is already happening. It’s called “Harvest Now, Decrypt Later.” State-sponsored actors and advanced cybercrime groups are currently capturing and storing encrypted data, emails, contracts, transactions, and communications, with the patience of those who know that in a few years they’ll have the tools to decrypt them. If a contract is supposed to remain confidential for 15 years and the quantum computer arrives in 8, that contract is already compromised as of this moment.
In response, the developed world took action. In January 2026, the G7 Cybersecurity Expert Group—led by the U.S. Department of the Treasury and the Bank of England—published a coordinated roadmap for the financial sector to migrate to QuantumSafe cryptography. The plan outlines a path beginning with awareness-raising in 2026–2027, followed by a cryptographic inventory and risk assessment, and culminating in the implementation of migrations in critical systems between 2030 and 2032. In March 2026, the U.S. issued a federal directive requiring the adoption of QuantumSafe cryptography in government systems. Canada set its first sovereign migration deadline in April 2026. Europe requires that its critical infrastructure be migrated by 2030. Australia, Germany, and the United Kingdom all have dates, plans, and budgets in place. Latin America has none of the three.
The region is not ignoring the threat. In the first half of 2026, the Colombian financial system faced 27 billion cyberattack attempts, a 69% increase compared to the same period in 2024. The Financial Superintendency already recognizes that quantum computing will be one of its key priorities in the coming years.
But acknowledging the threat is not the same as having a plan.
While the G7 coordinates migrations, inventories, and technical standards, in Latin America the issue remains, at best, an academic discussion. There are no specific regulations, no deadlines, and no guidelines for a mid-sized bank to know what
to do or when.
This creates a problem that goes beyond internal security. In January 2026, the World Economic Forum warned of the risk of a two-tier financial system: countries that have migrated to QuantumSafe and those that have not. For a Colombian bank that operates through correspondent banks in Europe or the U.S., failing to comply with the new standards is not just a security risk—it could mean being excluded from international payment networks.
What many organizations don’t realize is that migrating to QuantumSafe doesn’t mean replacing everything overnight. It means starting by figuring out what you have: most companies don’t know which cryptographic algorithms they use, where they are, or who maintains them. That inventory—technically called a CBOM, or Cryptography Bill of Materials—is the starting point. From there, priorities are set based on the risk horizon for each type of data, because a medical record that must remain confidential for 20 years does not carry the same urgency as a recent payment confirmation. And finally, the requirement is extended to vendors, because if the chain of software, hardware, and services does not migrate, the organization remains exposed even if it has migrated its own systems.
There is something that countries with early regulation understood and that Latin America is still coming to terms with: whoever gets to QuantumSafe first builds a competitive advantage—not just a defensive one. It attracts investment from companies that need certainty about the security of their data, exports technical expertise, and becomes a regional benchmark. Colombia has what it takes to be that benchmark. It has an active fintech industry, a growing digital infrastructure, and—as demonstrated by the pilot project conducted with GSE, one of the country’s leading Certification Authorities—there is already local technical capacity to implement QuantumSafe cryptography in real-world environments.
What’s missing is a sense of urgency. And urgency, as always, comes before or after the crisis. The question isn’t whether the quantum risk will reach the Colombian financial system. The question is whether we’ll be ready when it does.
At Cyte, we have been working for years on QuantumSafe solutions for the Colombian and Latin American financial sectors. If you would like to assess your organization’s cryptographic status, please email us at info@cyte.co.
Referencias:
Citi Global Perspectives & Solutions, The Trillion-Dollar Security Race (January 2026): https://www.citigroup.com/rcs/citigpa/storage/public/Citi_Institute_Quantum_Threat.pdf.
G7 Cyber Expert Group, Quantum Roadmap for the Financial Sector (January 2026): https://home.treasury.gov/news/press-releases/sb0355.
World Economic Forum, Quantum divide and the two-tier financial system (January 2026): https://www.weforum.org/stories/2026/01/quantum-divide-two-tier-global-financial-system/.
The Quantum Insider, “Harvest Now, Decrypt Later” (May 2026): https://thequantuminsider.com/2026/05/01/harvest-now-decrypt-later-why-should-you-care/.
Comments