Caremark, in a post-quantum world.

Under In re Caremark International Inc. Derivative Litigation (Del. Ch. 1996), and as expanded by Marchand v. Barnhill (Del. 2019), directors have a non-delegable duty of oversight. That duty applies with particular force to mission-critical risks where the board has reason to believe an issue is foreseeable and material.

Cryptography is the foundational control protecting customer data, financial transactions, regulatory disclosures, intellectual property, and operational continuity. The post-quantum migration is now a publicly disclosed, federally mandated, peer-acknowledged transition with documented timelines from NIST, NSA, the SEC, and major cybersecurity authorities.

For a director to conclude that PQC governance is not yet a board-level matter requires affirmative reasoning, not silence. The information environment has changed.

Boards do not need to be technologists. They do need to be able to answer eight questions.

The questions every director should be able to answer.

From the QuantaCyber Board Briefing. Eight questions across two governance dimensions: risk and exposure first, execution and ownership second.

Risk & Exposure

  1. What are our liabilities? Caremark exposure, SEC disclosure obligations, the insurance gap on quantum-derived breach, and the National Cyber Strategy all attach to the board now.
  2. What data must stay confidential for decades, and where does that put us on Mosca's X + Y > Z?
  3. Are we ahead of, aligned with, or behind the federal timeline set by the White House, NSA, NIST, and SEC?

Execution & Ownership

  1. Do we have a Cryptographic Bill of Materials (CBOM)? It is the prerequisite for migration planning. Without it, you cannot answer the rest.
  2. How do we verify vendor PQC compliance? Advertised compliance is not verified compliance. Contracts must specify named PQC milestones with delivery verification, not vendor self-attestation.
  3. What is our migration timeline and budget, given a 5 to 15+ year migration depending on enterprise scale?
  4. Who owns quantum risk oversight on this board? NACD reports only 12% of boards have defined quantum oversight. A briefed CISO is necessary but not sufficient.
  5. Are we building crypto-agility, or just PQC compliance? PQC migration is the first cryptographic transition, not the last.

Stress-test the answers before you need them.

QuantaCyber's tabletop exercise places the board in a controlled scenario approximating a near-future Q-Day disclosure event. Directors are asked to navigate fiduciary, regulatory, and reputational exposure in real time, alongside CISO and General Counsel role players, with structured pause points for governance discussion.

The exercise is designed and facilitated jointly with Robert Taylor, JD, who leads the legal and fiduciary tracks of the QRS Board Training program.

Boards typically run the exercise as a half-day session. Outputs include a board-level governance gap memo, a CBOM coverage assessment, and a 12-month action plan keyed to the federal mandate timeline.

Six commitments for the next 180 days.

From the QuantaCyber Board Briefing. Each commitment has a named owner, a deliverable, and a date. The briefing earns the case; this is what comes out of it.

  1. Day 30

    Assign quantum risk oversight role

    A named director, in committee minutes, with quantum-risk oversight. Only 12% of boards have done this.

    Owner: Nominating & Governance

  2. Day 60

    SEC disclosure assessment, in writing

    General Counsel and outside counsel deliver a written Rule 33-11216 assessment to the Audit Committee. A briefed board cannot claim unawareness.

    Owner: GC + outside counsel

  3. Day 90

    Commission Cryptographic Bill of Materials

    CEO-sponsored, board-mandated. CBOM is the prerequisite for migration planning. Phase 1 scope, timeline, and budget reported to Audit by day 90.

    Owner: CISO + Risk

  4. Day 90–180

    Cyber insurance gap review

    Most cyber and D&O policies now exclude quantum-derived breach. Coverage gap report delivered before next renewal.

    Owner: CFO + Risk

  5. Day 90–180

    Vendor PQC readiness and procurement gate

    Critical vendors assessed against actual PQC roadmaps. New contracts require quantum-safe capability or a contractual migration commitment.

    Owner: CISO + Legal + Procurement

  6. Ongoing

    Quarterly reporting and crypto-agility oversight

    Quantum risk and migration progress reported with KPIs. Own line on the board agenda. Reporting continues beyond initial PQC migration as standards evolve.

    Owner: Board Chair

What this costs, and what inaction costs.

This is a capital allocation timing decision: early spend versus breach-driven spend. Industry analyst syntheses put migration at roughly 2 to 5% of annual IT security spend, sustained over a four-year migration window. Multi-year transformation, not a single project.

For a Fortune 500 enterprise, Phase 1 discovery and CBOM commission typically anchors in the $300K to $800K range as a fixed cost. Phase 2 migration execution then varies by HSM count, regulated workload density, and legacy load. Without a CBOM the variance is unbounded; with one, the planning range tightens to roughly ±20%.

The cost of inaction is harder to bound. A quantum-attributed breach carries customer notification, Rule 33-11216 disclosure exposure, contractual breach, IP loss, and market cap impact. Most cyber and D&O policies now exclude quantum-derived breach, leaving the exposure unpriced on the balance sheet. Caremark attaches to directors who knew and did not act.

Where your peers actually are.

Boards consistently underestimate where their peers stand on this. The data on board readiness, and the production deployments your enterprise already depends on, tell the same story.

[Figures: Board readiness; Production deployments already running quantum-safe]

If your board is not yet asking the eight questions, the most likely explanation is not that the risk is immaterial. It is that the conversation has not yet been initiated by management or by counsel.

Bring this to your board.

A 60-minute board readiness session, customized to your sector, regulatory exposure, and governance maturity. Co-presented with Robert Taylor, JD, where appropriate.

Request a briefing