Learn@IoD
Cart
Close-up of a window with a single green leaf pressed against the glass, showcasing a blend of nature and architecture.

The quantum risk hidden in old breaches

Encrypted data stolen today may become readable in future, creating a new risk for boards to address now, says Brandon Hutcheson.

author
Patricia Thompson, Freelance Writer
date
28 May 2026

Brandon Hutcheson

Boards need to start treating quantum computing as a cyber risk that could affect data already held by attackers, says Brandon Hutcheson, Director of Quantum at HSO.

He will discuss the issue at the Institute of Directors’ Governing AI Forum in Tāmaki Makaurau Auckland on 18 June 2026. His fast fact session will focus on quantum-related cyber risk and current security systems.

“Quantum computing doesn’t only create new opportunities for breaches – it exposes those you’ve already had,” says Hutcheson. “Traditionally, cyber risk is immediate. A breach occurs, an organisation responds and the impact is contained within a defined timeframe.

“Quantum risk reverses that model. Instead of a single event, it creates a time-delayed exposure. Data is stolen today; it remains encrypted and unusable, but it becomes readable in the future.”  

This is commonly described as ‘harvest now, decrypt later’ – when attackers collect encrypted data with the expectation that future computing power will unlock it.

“It’s like people stole the safe and can’t get in, but in the next two years there will be tools available to crack all the safes,” he says.

“The implication is profound. The point of failure and the point of impact are no longer the same. Decryption will start to happen, so boards need to be planning now to get ahead of it.”

Hutcheson is concerned the risk is not well recognised in New Zealand.  

“There’s a lot happening in the US and Europe. Microsoft has moved its transition line for targeted roll-out of early adoption quantum-safe capabilities from 2032 to 2029.  

“The US National Institute of Standards and Technology (NIST) is preparing encryption systems capable of resisting future attacks from quantum computers. But no one is talking about it in New Zealand. Most organisations see quantum as a future technology problem.”

Hutcheson is also a Council Member of AI Forum New Zealand and co-founder of Aware Group, a New Zealand AI and data consultancy. He will discuss two categories of quantum risk at the forum: current risk, where encryption may no longer protect data for as long as organisations expect; and delayed breaches, where old incidents create future crises. “Encryption can no longer be viewed as a permanent safeguard. It needs to be treated as something with a defined life, especially for data that must remain confidential over many years. 

Boards need to be asking:  

    • How much of our data depends on encryption that may not hold up over time?
    • Do we have a plan to move to the new post-quantum standards being defined by NIST?
    • How long would that transition take across our systems and partners? 

Some breaches detected today may carry consequences that emerge years later. “An organisation may have suffered an intrusion years ago, completed the investigation, notified where required and moved on,” says Hutcheson. “If encrypted data was taken and stored by the attacker, that incident may be reactivated once quantum capability makes the data readable.  

“Boards need to face uncomfortable questions. Do they remember what data was breached a decade ago? Is the same CEO even in place? Is there a clear inventory of what was taken?”

Hutcheson says this matters most for data that remains sensitive for many years. That could include customer records, identity data, health information, financial records, legal material, biometric data, intellectual property, trade secrets and government-related information.

“If that was stolen but not yet decrypted, the organisation may still be carrying the risk today. Unlike passwords or short-lived transactional data, these cannot simply be reset or replaced. Once exposed, their impact is often permanent.

“If boards act now, they have time to prepare. Quantum risk is often framed as a technical challenge. In reality, it’s a governance issue. The key decisions sit at board level.  

“The breach may be technical but the failure to prepare may ultimately be judged as a board-level failure.  

“Boards should stop treating quantum risk as speculative. The exposure window has already opened. Organisations that act early will not be the ones trying to explain, years from now, why the risk was left untreated.” 

The one-day Governing AI Forum will be held in Tāmaki Makaurau Auckland on 18 June 2026. It will help directors cut through the noise around AI and focus on the boardroom questions that matter as adoption grows. Register here.  

Related content