The financial sector is beginning to prepare for the post-quantum era. The usual discussion focuses on cybersecurity: when sufficiently powerful quantum computers arrive, widely used cryptographic systems may become vulnerable, and financial institutions will need to migrate to post-quantum standards. That is true, but it is not enough.
Post-quantum finance is not only a technical cybersecurity problem. It is a business law problem. It concerns market integrity, institutional governance, investor protection, operational resilience and the legal duties of firms that depend on digital infrastructure to execute trades, clear transactions and preserve trust in financial markets.
Modern financial markets are no longer organised around human decision-making alone. They rely on electronic trading platforms, automated execution, algorithmic strategies, clearing houses, digital records, encrypted communications and time-sensitive data flows. In this environment, cryptography is not a back-office technical detail. It is part of the legal and institutional architecture that makes markets possible.
A trade is not merely an economic instruction. It is also a legally meaningful act that depends on authentication, integrity and reliable sequencing. Orders must be genuine. Records must be accurate. Settlement must be final. Market participants must trust that the infrastructure through which transactions are transmitted and recorded has not been compromised. If that infrastructure becomes vulnerable, the problem is not only technological. It affects the legal foundations of market confidence.
This is why the transition to post-quantum cryptography should be understood as a governance obligation. Once a material technological vulnerability is known, boards, senior managers, exchanges, clearing houses and regulated financial firms cannot treat preparation as optional indefinitely. The issue becomes one of diligence, risk management and institutional responsibility.
The challenge is especially acute in highly automated markets. High-frequency trading and algorithmic strategies already operate at speeds that make traditional supervision difficult. These systems submit, cancel and modify orders in extremely short intervals, often reacting to changes in market conditions faster than any human can observe. Their efficiency depends on secure and reliable infrastructure. Their risks also depend on it.
If post-quantum vulnerabilities affect authentication, message integrity or transaction records, the consequences could extend beyond individual institutions. A failure in market infrastructure can create uncertainty about the validity of transactions, the reliability of trading data or the security of settlement systems. In stressed conditions, that uncertainty may quickly become a financial stability issue.
The business law dimension is not limited to cybersecurity duties. It also includes competition and market fairness. Algorithmic trading has already shifted part of market competition from analysis of fundamentals to technological capacity. Speed, connectivity, co-location and processing power can determine who captures trading opportunities first. Quantum computing could intensify that asymmetry by expanding the computational advantages available to the most technologically advanced participants.
This does not mean that innovation should be discouraged. Financial markets benefit from faster processing, better risk models and more efficient execution. But business law has never treated markets as purely private technological arenas. It is concerned with the conditions under which competition takes place. If access to computational power becomes a structural source of market advantage, regulators and courts may need to think more carefully about the boundary between legitimate innovation and technologically entrenched market power.
Hedge funds and other technology-intensive market participants are central to this debate. They often adopt advanced trading tools earlier than traditional institutions and operate across markets, asset classes and jurisdictions. Their strategies may be lawful and economically valuable, but they can also expose gaps in regulatory architecture. When high-speed strategies, leverage, derivatives, collateral and cyber-physical infrastructure interact, risk may emerge in places that are not fully captured by rules designed for slower and more institutionally bounded markets.
The legal problem, therefore, is one of regulatory architecture. Securities regulators focus on market abuse, disclosure and investor protection. Banking regulators focus on prudential safety. Cybersecurity agencies focus on technical standards. Central banks and financial stability bodies focus on systemic risk and market infrastructure. Each mandate is legitimate. The difficulty is that post-quantum risk cuts across all of them.
A cryptographic vulnerability in a trading or clearing system is not only a technology issue. It may affect disclosure obligations, operational resilience, market conduct, fiduciary duties, systemic risk and investor protection at the same time. If responsibility is fragmented, the response may be delayed or incomplete.
A better approach would treat post-quantum readiness as part of financial market governance. Regulated firms and infrastructures should be expected to identify cryptographic dependencies, assess exposure to ‘harvest now, decrypt later’ risks, plan migration to post-quantum standards and test operational resilience under plausible disruption scenarios. Supervisors should not wait for a fully developed quantum threat to ask whether critical systems are prepared.
This does not require premature or rigid regulation. Quantum technology is still developing, and legal rules should not freeze technical choices too early. But the absence of certainty is not the same as the absence of responsibility. Where the potential consequences are systemic, governance should begin before the shock materialises.
Three practical principles follow.
First, post-quantum transition plans should become part of the operational resilience agenda for exchanges, clearing houses, payment systems and major financial institutions. They should be treated as infrastructure plans, not only as IT projects.
Second, algorithmic trading governance should include technological resilience. Testing an algorithm’s market behaviour is important, but so is testing the security and integrity of the systems through which the algorithm operates.
Third, regulators should adopt an activity-based view of technological risk. The relevant question is not simply whether an entity is a bank, broker-dealer, fund or infrastructure provider. It is whether its activities depend on systems whose failure could impair market integrity or transmit systemic stress.
The post-quantum transition will not arrive as a single legal event. It will unfold through technical standards, private investment decisions, supervisory expectations and market practices. Business law should not be a passive observer of that process. It should help define the duties of governance, preparation and accountability that financial institutions owe when technological change threatens the foundations of market trust.
Post-quantum finance is therefore not just about replacing cryptographic tools. It is about preserving the legal conditions under which financial markets can function: authenticity, integrity, fairness, resilience and confidence.
Gustavo Pessoa is a professor of economics at Fundação Getulio Vargas, Escola de Administração de Empresas de São Paulo (FGV-EAESP), and holds a PhD in finance. His research focuses on financial regulation, systemic risk, market-based finance, high-frequency trading and macrofinancial stability.