Insider Brief
- Moody’s said institutional finance is increasingly treating quantum computing as a future operational and systemic cyber risk as digital asset infrastructure expands into mainstream financial markets.
- The report said major financial institutions including JPMorgan and HSBC are already testing post-quantum cryptography, crypto-agile systems and quantum-secure communications technologies.
- Regulators in the U.S., Europe and Asia are increasing focus on cyber resilience and post-quantum preparedness as blockchain-based financial systems become more interconnected and irreversible.
Moody’s reports that institutional finance is increasingly treating quantum computing as a future operational and financial stability risk as digital assets and blockchain-based financial systems expand deeper into mainstream markets.
In a new sector report, Moody’s Ratings said the growth of institutional digital finance has transformed cyber risk from a niche issue affecting retail crypto platforms into a broader concern for banks, exchanges, custodians and tokenization systems. The report indicates that quantum computing could eventually amplify those risks by threatening the cryptographic systems that secure digital financial infrastructure.
The report reflects a growing concern as major financial institutions, regulators and technology firms intensify efforts to prepare for post-quantum cryptography, or PQC, a new generation of encryption designed to withstand attacks from future quantum computers.
Moody’s said the issue is no longer being treated solely as a distant scientific problem. Instead, analysts said large financial institutions are beginning to approach quantum risk as part of long-term operational resilience and cyber governance planning.
‘Growing Institutional Exposure’
The report pointed to growing institutional exposure through blockchain-based payment systems, tokenized assets, stablecoins and hybrid financial architectures that combine private financial systems with public blockchains.
“As digital finance markets attract a growing share of institutional clientele, cyber risk linked to blockchain-based platforms has evolved from a niche risk to one that is mainstream,” Moody’s analysts write in the report.
The report places quantum risk within a broader rise in cyber incidents affecting digital finance infrastructure over the past two years. Moody’s highlighted several large attacks involving exchanges, custody systems and wallet infrastructure providers, including the roughly $1.5 billion Bybit theft disclosed in 2025 and a major Coinbase data breach disclosed in late 2024.
According to Moody’s, many of the incidents did not stem from failures in blockchain consensus systems themselves. Instead, analysts said attacks increasingly exploit operational weaknesses such as third-party vendors, key management systems, access controls, software dependencies and infrastructure integration points.
This is important for the quantum industry because the report frames future quantum threats primarily as a problem for cryptographic controls surrounding financial infrastructure rather than the blockchain ledger itself.
Unauthorized Access
Quantum computers, if they become powerful enough, could theoretically derive private cryptographic keys from public information. Such an attack could allow unauthorized access to wallets, custody systems and digital signatures used to authorize transactions.
Moody’s said this creates a foundational challenge for public key cryptography, which secures not only blockchain transactions but also APIs, software authentication systems and communications between financial institutions.
According to the report, the transformation of institutional finance toward blockchain-based systems could magnify the severity of future cyber incidents because many public blockchains are effectively irreversible once transactions are finalized.
In traditional financial systems, institutions often retain the ability to freeze accounts, reverse transactions or intervene operationally after a cyberattack. Public blockchain systems typically offer fewer recovery options once assets move on-chain.
Increased Operational Complexity
Moody’s said the growing convergence between permissioned institutional systems and public permissionless blockchains increases operational complexity and expands the attack surface.
The report highlighted cross-chain bridges, APIs and oracles as additional points of vulnerability. These systems connect private and public financial infrastructure and often concentrate large amounts of value in shared operational systems.
For institutional finance, Moody’s said cyber risk scales alongside organizational complexity, third-party dependencies and operational growth.
The report also suggests the financial sector is already moving toward practical quantum preparedness efforts.
Quantum Security Pioneers
Moody’s cited JPMorgan Chase as an example of a major bank inventorying cryptographic dependencies, testing post-quantum cryptography alongside existing systems and building “crypto-agile” infrastructure capable of rapidly replacing vulnerable encryption methods.
HSBC was cited for conducting trials involving quantum key distribution, or QKD, a communication method designed to use quantum physics to secure data transmission. According to the report, HSBC has tested quantum-secure communications for internal systems and simulated foreign exchange transactions.
Other large financial institutions are participating in industry initiatives involving the Bank for International Settlements and the Group of Seven nations, according to Moody’s. The report said many organizations are moving toward early migration planning rather than waiting for a defined “Q-Day,” the theoretical moment when quantum computers become capable of breaking widely used public key encryption systems such as RSA and ECC.
Systemic Risk
Quantum risk is potentially systemic rather than isolated to individual firms, analysts write.
Moody’s cited analysis from the Citi Institute warning that a quantum-enabled disruption affecting critical payment infrastructure, including systems connected to Fedwire, could generate between $2 trillion and $3 trillion in indirect economic losses.
Although analysts emphasized that quantum risk is not considered immediate, the report suggests that the long time horizons associated with financial infrastructure and sensitive data make preparation necessary today.
In addition, there is a growing concern around “harvest now, decrypt later” strategies in which encrypted information is stolen today and stored for future decryption once quantum systems become more capable.
Moody’s said exposure to quantum risk is uneven across the digital finance ecosystem. Custodians, exchanges, stablecoin issuers and tokenization platforms may face greater exposure because their systems rely heavily on cryptographic key control tied directly to asset issuance, redemption and transaction settlement.
Underlying blockchain consensus systems may be less immediately vulnerable than the operational infrastructure surrounding them, according to the report.
The report also indicates regulators are increasingly embedding cryptographic resilience into financial supervision frameworks.
Moody’s pointed to the European Union’s Digital Operational Resilience Act, known as DORA, which took effect in 2025 and requires financial institutions and technology providers to demonstrate stronger information technology risk management, incident response capabilities and operational resilience testing.
In the United States, supervisory agencies have increased focus on cyber governance, third-party risk and disclosure of material cyber incidents, according to the report.
Regulators in Asia, including the Monetary Authority of Singapore, have also encouraged institutions to assess cryptographic dependencies and prepare migration plans toward post-quantum standards.
While few jurisdictions currently require immediate migration to quantum-safe cryptography, Moody’s said regulatory momentum increasingly suggests that preparedness and governance discipline could become part of future supervisory assessments.
“Delayed investment in cyber resilience or cryptographic preparedness could translate into higher remediation costs, greater supervisory pressure, or erosion of market trust as institutional exposure grows,” the analysts write.
