Why Harvest Now Decrypt Later changes board-level risk
Harvest Now, Decrypt Later (HNDL) is often described as a technical threat: attackers collect encrypted data today to decrypt it when quantum computers become available. But its real impact is strategic. It reframes long-term confidentiality as a board-level risk that executives must acknowledge and govern.
From technical to strategic
When confidentiality must extend beyond the next five to ten years, today's public-key cryptography (RSA, ECDH, ECDSA) may not hold. That applies to intellectual property, strategic plans, sensitive personal data, and regulated records. The risk is not that something is broken today; it is that decisions taken today—what to encrypt, how, and for how long—affect exposure in a future we cannot fully predict.
Why boards should care
- Accountability: Regulatory frameworks (e.g. NIS2, DORA) expect documented risk management and resilience. Post-quantum cryptography (PQC) and long-term confidentiality are part of that picture.
- Irreversibility: Once data is exfiltrated, you cannot "un-leak" it. Delaying visibility and governance increases the chance that today's assets become tomorrow's liability.
- Resource allocation: Migration takes years. Boards that treat PQC as a strategic risk are more likely to fund inventory, pilots, and crypto-agility—instead of reacting under pressure later.
What to do
Treat HNDL as a governance topic: assign ownership, add it to risk registers, classify data by confidentiality horizon, and align roadmaps with standards (e.g. NIST PQC). The goal is preparedness, not panic. A structured maturity assessment (such as the Qubixor Post-Quantum Maturity Model) helps organizations see where they stand and where to focus first.