Encryption has long served as the backbone of digital security. Financial transactions, intellectual property, healthcare records, and critical infrastructure data are routinely protected by systems designed to withstand even sophisticated cyberattacks.
But a new threat is quietly emerging: “Harvest Now, Decrypt Later” (HNDL). The concept refers to malicious actors collecting encrypted data today with the expectation that it can be decrypted once quantum computing capabilities become powerful enough to break today’s encryption standards.
A 2025 Federal Reserve research paper warned that existing safeguards may not be sufficient to address the data privacy risks posed by “harvest now, decrypt later” attacks.
While practical quantum decryption may still be years away, organizations that store sensitive data with long-term value should consider the potential for latent cyber risk. Information that appears secure today may become compromised tomorrow. Understanding this dynamic and preparing for it will become increasingly important for businesses and insurers alike.
Harvest now, decrypt later
Most organizations assume that if sensitive information is encrypted, it is effectively protected. In the short term, that assumption is largely correct. Modern encryption algorithms are extremely difficult to break using conventional computing methods.
However, encryption does not eliminate risk if adversaries can capture the encrypted data itself. Under a HNDL strategy, attackers focus on collecting and storing encrypted data for future exploitation. Once quantum computers reach a level capable of breaking current cryptographic systems, previously captured files could become readable.
For certain categories of information, this delayed exposure could be significant. Examples include:
- Intellectual property and proprietary research
- Long-term financial records and transaction histories
- Health and biometric data
- Government or defense-related information
- Strategic corporate communications and contracts
In many industries, the useful life of sensitive data extends well beyond the lifespan of today’s encryption standards. That gap is what makes HNDL an increasingly relevant concern.
Why attackers are collecting encrypted data today
The economics of cybercrime and geopolitical intelligence gathering have long favored large-scale data collection, even when the information cannot be immediately exploited. Nation-state actors and advanced cybercriminal groups routinely harvest encrypted data during intrusions, anticipating that its value may increase as new analytical tools, AI systems, or computing capabilities emerge.
Quantum computing introduces a particularly powerful future capability, as many widely used cryptographic systems are theoretically vulnerable to quantum algorithms that could dramatically reduce the time required to break encryption keys. While quantum systems capable of doing so at scale do not yet exist, the global race to build high-performance computing environments for AI is also accelerating the development of research environments capable of supporting quantum experimentation.
As explored in The Baldwin Group’s analysis of the data center development lifecycle, the rapid expansion of advanced computing infrastructure is concentrating enormous volumes of sensitive information within large-scale digital environments. At this scale, the resilience of the encryption protecting that data becomes increasingly critical, particularly in the face of quantum computing risk.
The coming shift to post-quantum cryptography
Recognizing this emerging threat, governments and technology standards bodies have already begun preparing for a transition to post-quantum cryptography by exploring encryption methods designed to withstand attacks from quantum computers.
In 2024, the U.S. National Institute of Standards and Technology (NIST) finalized several new cryptographic standards intended to replace algorithms vulnerable to quantum attacks. These new approaches rely on mathematical problems believed to be resistant to both classical and quantum computing techniques.
The shift, however, will not happen overnight. Migrating global digital infrastructure to new cryptographic systems will require changes across:
- Enterprise IT systems
- Cloud environments
- Software applications
- Communications networks
- Embedded devices
- Operational technology
In some cases, encryption is deeply embedded within legacy systems that were never designed to accommodate rapid cryptographic upgrades. For large organizations, the transition to post-quantum encryption could take many years. That timeline is what makes HNDL a present-day issue rather than a purely theoretical one.
Where the risk sits for businesses
For many organizations, the most significant exposure lies in data longevity. If sensitive information needs to remain confidential for decades, which is common in industries such as healthcare, finance, defense, and advanced manufacturing, then encryption standards used today may not provide adequate protection against future decryption capabilities.
Intellectual property presents another potential risk area. Proprietary research, industrial designs, and trade secrets may retain competitive value for many years. If those materials were harvested during a breach today, quantum-enabled decryption could eventually expose them.
Regulatory expectations are also evolving. Governments and regulators increasingly expect organizations to demonstrate proactive cybersecurity governance, including forward-looking risk assessments around emerging technologies.
Companies that delay evaluating their exposure to quantum-related cyber risks may eventually face questions from regulators, investors, and clients about the resilience of their data protection strategies.
Insurance and governance implications
For risk managers and corporate leaders, the emergence of HNDL raises several important considerations:
- Skewed risk timelines – Cyber risk timelines may extend beyond the traditional breach response window. If encrypted data stolen during a breach becomes readable years later, organizations could face delayed discovery of exposure.
- Governance implications – Boards and executive leadership teams are increasingly expected to oversee cybersecurity governance at a strategic level. As quantum computing developments accelerate, post-quantum readiness may become part of broader cyber resilience discussions.
- Systemic risk implications – The evolution of large-scale computing infrastructure driven by AI growth and hyperscale data center expansion introduces additional layers of systemic risk. Concentrated computing power, high-value data environments, and globally interconnected cloud ecosystems create attractive targets for sophisticated threat actors.
These dynamics are prompting organizations to evaluate cyber risk through a longer-term lens. Forward-looking companies are beginning to treat quantum preparedness as part of a broader technology risk management strategy, integrating it into cybersecurity planning, enterprise risk management frameworks, and insurance program design.
What organizations should start doing now
Although practical quantum decryption may still be years away, organizations can take several steps today to better position themselves for the transition.
- Establish data lifecycle governance: Not all data needs to be retained indefinitely. Identifying which information must remain confidential for decades and which can be safely deleted can significantly reduce long-term exposure.
- Conduct an encryption inventory: Organizations should understand where and how encryption is currently used across their systems. This includes identifying cryptographic algorithms, key management practices, and systems that may require upgrades as post-quantum standards emerge.
- Begin planning for post-quantum migration: Technology leaders are increasingly evaluating how new cryptographic standards will be implemented across networks, applications, and infrastructure. Early planning can help avoid costly emergency migrations later.
- Evaluate third-party and supply chain exposure: Many organizations rely heavily on cloud providers, software vendors, and technology partners. Assessing whether those partners are preparing for post-quantum encryption standards can be an important part of long-term cyber resilience.
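The following is an added example, not part of the original article, of how an encryption inventory can be triaged for HNDL exposure. It classifies each entry by algorithm family, then compares the data's confidentiality lifetime and the system's migration time with a planning horizon. The inventory entries, field names, status labels and the 10-year `years_to_quantum` horizon are assumptions made for illustration.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large enough quantum computer.
QUANTUM_VULNERABLE = ("RSA", "DH", "ECDH", "ECDSA", "DSA", "X25519", "ED25519")
# Algorithm names from the NIST standards finalized in 2024 (FIPS 203, 204, 205).
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")
PRIORITY = ["hndl-exposed-now", "hndl-at-risk", "migrate-before-quantum",
            "review", "monitor", "post-quantum"]

@dataclass
class Entry:
    system: str
    algorithm: str        # as recorded in the inventory, e.g. "RSA-2048"
    use: str              # "key-exchange", "encryption" or "signature"
    secrecy_years: int    # how long the protected data must stay confidential
    migration_years: int  # estimated time to replace the algorithm on this system

def family(algorithm: str) -> str:
    name = algorithm.upper()
    if name.startswith(POST_QUANTUM):
        return "post-quantum"
    if name.startswith(QUANTUM_VULNERABLE):
        return "quantum-vulnerable"
    return "review"  # symmetric ciphers, hashes, unknown names: assess by hand

def triage(e: Entry, years_to_quantum: int) -> str:
    fam = family(e.algorithm)
    if fam != "quantum-vulnerable":
        return fam
    if e.use == "signature":
        return "migrate-before-quantum"  # nothing to decrypt later; risk is future forgery
    if e.secrecy_years > years_to_quantum:
        return "hndl-exposed-now"        # ciphertext captured today outlives the algorithm
    if e.secrecy_years + e.migration_years > years_to_quantum:
        return "hndl-at-risk"            # data produced before migration ends is exposed
    return "monitor"

def report(inventory, years_to_quantum):
    rows = [(triage(e, years_to_quantum), e.system) for e in inventory]
    return sorted(rows, key=lambda r: PRIORITY.index(r[0]))

# Constructed sample inventory; systems and figures are illustrative only.
INVENTORY = [
    Entry("vpn-gateway", "ECDH-P256", "key-exchange", 3, 2),
    Entry("patient-archive", "RSA-2048", "encryption", 25, 4),
    Entry("contracts-portal", "RSA-3072", "key-exchange", 7, 5),
    Entry("code-signing", "ECDSA-P256", "signature", 0, 3),
    Entry("backup-vault", "AES-256-GCM", "encryption", 30, 1),
    Entry("new-api", "ML-KEM-768", "key-exchange", 10, 0),
]
```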
Organizations that begin addressing these issues now will be better positioned to navigate the transition to post-quantum security. As quantum-related cyber risks evolve, organizations will increasingly need to align cybersecurity planning, governance oversight, and insurance strategy to maintain resilience.
Preparing for a longer horizon of cyber risk
As emerging technologies from AI to quantum computing continue to transform the digital landscape, cyber risk is increasingly defined by long-term strategic dynamics rather than isolated breach events. HNDL strategies illustrate how protecting large volumes of sensitive data requires a forward-looking view of cyber resilience.
Organizations that treat cybersecurity as a strategic priority rather than a reactive technical function are better positioned to navigate emerging risks such as quantum-enabled decryption. Building resilience requires coordinated planning across cybersecurity, technology infrastructure, governance, and risk management.
The Baldwin Group’s Cyber experts help organizations evaluate evolving digital threats, strengthen cyber resilience strategies, and align insurance programs with emerging technology risks.