In 2026, the theoretical threat we once briefed boards on has materialised into a commercial reality across our region. Quantum computing has officially moved from the lab to early commercial pilots across China, Singapore, South Korea, and Japan.
For APAC enterprises, this acceleration intensifies the "harvest now, decrypt later" (HNDL) risk. Today, nation-state actors and sophisticated cybercriminals are intercepting sensitive data as it traverses our fragmented, cross-border networks—financial transactions flowing through ASEAN hubs, healthcare records, and critical infrastructure commands.
This data can be decrypted the moment cryptographically relevant quantum computers (CRQC) scale. The risks are immediate: delayed action renders years of stored intellectual property and personal data indefensible, exposing organisations to future compliance violations and catastrophic reputational loss.
However, the opportunities are equally real. We are entering the era of crypto-agile architectures. Enterprises no longer face a binary choice between a "rip-and-replace" disaster or total exposure. By layering post-quantum encryption (PQC) on top of existing controls, organisations can achieve quantum-safe communications incrementally without business disruption.
The acceleration of the timeline: From 2035 to 2029
The most significant shift in 2026 is the compression of the threat timeline. For years, the industry worked on the assumption that a usable quantum computer was a decade away. That is no longer the case.
"What is changing quite rapidly is the timeline. Where organisations once expected viable quantum computers around 2035, that expectation has shifted forward to as early as 2029", explains Weiling Neo, VP of product management atFortinet.
This five-year acceleration makes HNDL an immediate boardroom liability. Attackers do not need a quantum computer today; they only need to know one is coming. Highly sensitive data is the primary target. This includes federal trade negotiations, central banking reserves, and long-lived healthcare records.
Yet, there is a paradox. According to Gigamon's 2026 Hybrid Cloud Security Survey, while 87% of security leaders globally are concerned about HNDL, 76% still believe their existing encrypted data is inherently secure.
This disconnect is dangerous. In APAC, where a data hoarding culture—keeping everything for AI models—is prevalent, organisations are effectively curating vast libraries for future quantum decryption.
The standardisation milestone (and the catch)
If the threat is accelerating, the defences are finally standardising. Neo points to a critical 2024 milestone: "NIST formalised several post-quantum algorithms, including ML-KEM and ML-DSA, marking a significant milestone in making these technologies usable at scale."
This is the foundation of quantum-safe computing. However, Neo urges caution. These algorithms are the first generation, not the final answer.
"Questions remain around the long-term robustness of these algorithms. New candidates, such as HQC, are expected to be standardised by 2027." Weiling Neo
This evolution is why quantum safety cannot be a "set and forget" checkbox. It must be a living process. As Neo notes, "Because of this, organisations cannot treat quantum safety as a one-time implementation." She posits the journey as an iterative process and introduces the concept of crypto agility, which she argues is becoming critical.
"Enterprises must be able to adapt quickly, integrating new algorithms and replacing older ones as standards mature, without having to redesign their entire infrastructure each time," she elaborates.
The hybrid nightmare: APAC's legacy and sovereignty bind
For CISOs in Singapore, India, or Greater China, the advice to "just upgrade" ignores two brutal realities: legacy systems and data sovereignty. APAC is a region of rapid growth, which means its infrastructure is a patchwork of modern cloud-native platforms and ageing operational technology (OT).
"Legacy systems and hybrid environments present a particularly complex challenge," Neo observes. The issue is interoperability. Most current key exchanges rely on a single standard, like ML-KEM. "If vulnerabilities are discovered in that standard, it could create systemic risk across environments that depend on it."
In this situation, she highlights, interoperability becomes a major barrier, especially in multi-vendor environments. She also reminds us that operational technology environments add another layer of complexity.
In critical infrastructure—think power grids or oil refineries—older devices often lack the processing power to handle the larger digital signatures required by PQC. Neo advises a pragmatic start: "Upgrading edge devices such as firewalls to support quantum-safe connections can help strengthen the security posture of internet-facing infrastructure without requiring a complete overhaul."
Six immediate steps: The crypto-agility roadmap
True crypto-agility is not just about the algorithm; it is about the architecture. Neo outlines a specific, low-disruption roadmap for APAC enterprises: Visibility First.
Weiling Neo
"The starting point for most organisations should not be immediate algorithm replacement, but visibility. Building a comprehensive inventory of cryptographic assets is essential. This means understanding where cryptography is used across the environment, including PKI systems, hardware security modules, certificates, and key exchange mechanisms." Weiling Neo
She notes that this discovery phase is often harder than the actual cryptography. "While deploying quantum-safe key exchanges can be relatively straightforward... identifying where certificates reside across a distributed infrastructure is significantly more challenging," says Neo.
From a visibility perspective, CISOs can implement Hybrid Layering. Neo confirms that organisations do not need to rip out RSA or ECC. Instead, they can layer classical methods with PQC.
"For example, organisations can combine Diffie-Hellman with PQC algorithms within IPsec VPN configurations, strengthening security without disrupting existing operations," she says.
Sector Zero: Finance, government, and the Singapore catalyst
While all sectors will feel the impact, three industries must move first: finance, government, and critical infrastructure. "The 'harvest now, decrypt later' risk is most significant for organisations handling long-lived sensitive data," Neo warns.
In APAC, regulatory leadership is emerging from Singapore. The Cyber Security Agency (CSA) has moved from theory to practice. "The Cyber Security Agency of Singapore has introduced initiatives such as a quantum-safe handbook and a quantum readiness index," Neo notes. This provides a quantifiable way for local CISOs to measure their posture.
Financially, the pressure is mounting. A 2026 academic roadmap published in FinTech stresses that with the EU's DORA enforcing crypto-agility and major browsers deploying hybrid TLS 1.3, cross-border financial hubs like Hong Kong and Singapore must align with global PQC migration deadlines (2030–2031) or risk losing interoperability.
Fortinet's hardware advantage: Solving the performance drag
A major fear for CISOs is that PQC will break network performance. Quantum-safe keys are significantly larger than classical keys, potentially slowing down VPN handshakes from milliseconds to seconds. Neo highlights Fortinet's value proposition here: security-focused ASICs.
Having worked with telecommunications providers since 2018, Fortinet recognised early that software alone wouldn't cut it.
"A key differentiator lies in its use of security-focused ASICs, which are designed to accelerate network traffic without compromising performance. This is especially important in the context of post-quantum cryptography, where more complex algorithms can introduce additional computational overhead," Neo explains.
In 2026, the most dangerous phrase in APAC cybersecurity is "We'll wait until the standards settle." The standards are settled enough, and the harvest is already underway in the South China Sea and across the Straits of Malacca, where undersea cables are bursting with traffic.
"Becoming quantum-ready does not necessarily require large-scale disruption," Neo concludes. "In many cases, existing infrastructure already supports post-quantum cryptographic algorithms, particularly from established vendors."
"One of the most valuable immediate steps is to increase visibility. This visibility allows organisations to identify which applications and systems may already be quantum-safe, and where gaps exist." Weiling Neo
For the APAC CISO, the mandate is clear. Stop building digital landfills of unsecured data. Implement crypto-agile architectures today. You don't need to rebuild the plane while flying it; you just need to upgrade the engine to withstand the coming storm.
Click on the PodChats player to listen to Neo's responses to the following questions:
How is quantum computing changing cryptographic risks for APAC enterprises in 2026?
Why has "harvest now, decrypt later" become a board-level concern across the region?
What exactly are quantum-safe communications, and why do they matter now for CISOs in Asia?
What makes legacy and hybrid environments in APAC especially challenging for this transition?
How can enterprises start adopting quantum-safe encryption without disrupting their current security architecture?
What role does crypto-agility play in protecting mixed legacy, cloud, and cross-border systems?
Which industries—finance, government, healthcare, critical infrastructure—should move first?
Can you outline a practical phased roadmap that balances security, compliance, and continuity?
How can organisations layer quantum-safe methods alongside existing controls today?
What immediate, low-disruption steps should CISOs take to become quantum-ready now?
What's in it for Fortinet along the lines of quantum-safe communications?
Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events.
Previous Roles
He served as Group Editor-in-Chief for Questex Asia concurrent to the Regional Content and Strategy Director role.
He was the Director of Technology Practice at Hill+Knowlton in Hong Kong and Director of Client Services at EBA Communications.
He also served as Marketing Director for Asia at Hitachi Data Systems and served as Country Sales Manager for HDS’ Philippines. Other sales roles include Encore Computer and First International Computer.
He was a Senior Industry Analyst at Dataquest (Gartner Group) covering IT Professional Services for Asia-Pacific.
He moved to Hong Kong as a Network Specialist and later MIS Manager at Imagineering/Tech Pacific.
He holds a Bachelor of Science in Electronics and Communications Engineering degree and is a certified PICK programmer.
