What is the harvest-now-decrypt-later threat to Indian banks?

Harvest-now-decrypt-later (HNDL) is a cyberattack strategy where adversaries intercept and store encrypted banking data today, intending to decrypt it once quantum computers become powerful enough to break current RSA and ECC encryption. With 87% of Indian banks using quantum-vulnerable encryption and ₹45 billion in daily UPI transactions at stake, the threat is active — not hypothetical. Financial institutions that delay quantum-safe migration are already accumulating cryptographic risk.

When is Q-Day and how much time do Indian banks have to prepare?

Q-Day — the point at which quantum computers can break RSA and ECC encryption — is projected to occur between 2025 and 2032. With NIST's post-quantum standards finalised in August 2024 (FIPS 203, FIPS 204, FIPS 205), the practical migration window for Indian banks is estimated at five to seven years. RSA-based key establishment will be deprecated after 2030 and formally disallowed after 2035. Given that enterprise cryptographic migrations typically take three to five years, the preparation window is not wide.

What is post-quantum cryptography and how does it protect banking systems?

Post-quantum cryptography (PQC) refers to cryptographic algorithms mathematically resistant to attacks from both classical and quantum computers. Unlike RSA or ECC, PQC algorithms rely on hard mathematical problems — such as lattice structures — that quantum computers cannot efficiently solve. Standardised by NIST in 2024 under FIPS 203 (CRYSTALS-Kyber), FIPS 204 (CRYSTALS-Dilithium), and FIPS 205 (SPHINCS+), PQC can be deployed on existing hardware without quantum infrastructure, making it the most practical migration path for India's banking sector today.

Threat Intelligence

BFSI Quantum Threat Intelligence Report

Q: What regulatory deadlines should Indian banks and financial institutions know about?

The RBI mandates adoption of bank.in domains by October 31, 2025, with quantum-safe encryption protocols expected by 2026. SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) directly address quantum risks through five resilience goals and a Cyber Capability Index. MeitY published its quantum cyber readiness whitepaper in 2025, and India's National Quantum Mission has a dedicated banking task force operating under a PM India mandate. Non-compliance penalties are estimated at ₹500 to ₹1,000 crores per major bank.

The quantum threat to BFSI refers to the risk that quantum computers — projected to arrive between 2025 and 2032 — will break the RSA and ECC encryption currently protecting every bank transaction, UPI payment, and customer record in India. With ₹45 billion in daily UPI transactions at risk, the window for quantum-safe migration is narrowing fast.

Why This Matters Now

The threat is real: harvest now, decrypt later is already happening. While 92% of BFSI leaders are concerned, funding for quantum prep remains low. With NIST 2024 standards in place and RSA deprecation beginning in 2030, the clock is already ticking.

What the Threat Intelligence Report Reveals

This report is not a position paper. It is a data-grounded operational assessment of exactly where India's banking sector stands — and how much time remains to act. The findings are direct:

87% of Indian banks currently rely on quantum-vulnerable RSA and ECC encryption
₹45 billion in daily UPI transactions are at cryptographic risk right now
₹2.3 trillion of the Indian banking sector remains exposed to harvest-now-decrypt-later attacks
Regulatory penalties for non-compliance are estimated at ₹500 to ₹1,000 crores per major bank
65% of financial organisations reported a ransomware attack in 2024, up from 34% in 2021
23% increase in BFSI cyber incidents reported in 2024 versus 2023
Early adopters of quantum-safe protocols achieve a 40% operational advantage over unprepared institutions

How India's Regulators Are Responding

RBI, SEBI, and MeitY are not waiting for Q-Day. The RBI mandates .bank.in domains by October 31, 2025, with quantum-safe protocols expected by 2026. SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) directly address harvest-now-decrypt-later risks through five resilience goals and a Cyber Capability Index. MeitY published its quantum cyber readiness whitepaper in 2025.

India's National Quantum Mission has a dedicated task force for banks, operating under a direct PM India mandate.

What You Will Find Inside This Report

The BFSI Quantum Threat Intelligence Report from QNu Labs covers the full scope of the challenge — from threat architecture and regulatory timelines to migration frameworks and deployment models.

It is built for CISOs, IT risk heads, compliance officers, and board-level decision-makers who need to build an internal business case today.

Download the Report.

Understand Where Your Institution Stands. Begin the Migration That Cannot Be Delayed.

Unlock critical insights by downloading our
Threat Intelligence
for free.

Frequently asked questions

Request a demo