Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because cryptographic inventory gaps are documented as the primary blocker to PQC migration across most organizations, OT remediation cycles of 3-7 years mean organizations not yet in discovery are already structurally unable to meet the 2030 deadline, and harvest-now-decrypt-later operations are an active, ongoing adversary behavior requiring no future capability — the collection is happening now. Impact is high because the business consequence spans simultaneous regulatory non-compliance (federal contract loss, operating authorization risk for critical infrastructure operators), near-term confidentiality loss of currently encrypted data targeted for future decryption, and long-lead OT system replacement costs that cannot be compressed through budget alone.
Treatment rationale: The 2030 deadline is fixed, the harvest threat is already active, and avoidance is not viable for organizations that depend on cryptography across IT/OT operations — mitigation through phased cryptographic inventory and prioritized algorithm migration is the only treatment that directly reduces both the regulatory and confidentiality risk on a compressible timeline.
Third-Party / Supply-Chain Risk
Significant supply-chain exposure under NIST SP 800-161: quantum-vulnerable cryptography is embedded in firmware, industrial control system software, communication protocols (TLS, SSH, VPN), and hardware security modules supplied by third-party OT vendors — many of whom have no published PQC roadmap or have roadmaps tied to hardware replacement cycles that exceed the 2030 window. Organizations inherit cryptographic debt from every vendor component they cannot independently patch, and multivendor OT environments compound discovery complexity because no single vendor BOM captures the full cryptographic surface. Third-party dependencies must be enumerated as part of the cryptographic asset inventory, and vendor PQC commitments should be captured in procurement and contract renewal cycles now.
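As an added illustration (not part of the original assessment), the following script triages a constructed cryptographic inventory, including unpatchable vendor-supplied OT components, against the 2030 deadline and harvest-now-decrypt-later exposure; the asset fields, vendor names, tier labels and the set of algorithms treated as quantum-vulnerable are assumptions chosen for the example.

```python
# Added example: triage a cryptographic asset inventory (IT and vendor-supplied
# OT components) against the 2030 PQC deadline and HNDL exposure.
from dataclasses import dataclass

DEADLINE_YEAR = 2030
# Assumption: classical public-key algorithms are the quantum-vulnerable class;
# anything outside this set is not flagged by this script.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "Ed25519", "X25519"}


@dataclass
class Asset:
    name: str
    vendor: str
    algorithm: str
    secrecy_until: int         # year the protected data must still be confidential
    remediation_years: float   # lead time to fix: software patch (<1) vs OT hardware (3-7)
    patchable: bool            # False when the fix requires physical replacement
    vendor_pqc_roadmap: bool   # vendor has published a PQC migration roadmap


def triage(asset: Asset, current_year: int) -> dict:
    """Return risk flags and a priority tier for one inventory entry."""
    vulnerable = asset.algorithm in QUANTUM_VULNERABLE
    # Data that must stay secret beyond the deadline is worth collecting today.
    hndl_exposed = vulnerable and asset.secrecy_until > DEADLINE_YEAR
    # A lead time that overruns 2030 means the asset is already structurally late.
    deadline_feasible = current_year + asset.remediation_years <= DEADLINE_YEAR
    # Unpatchable components with no vendor roadmap are inherited cryptographic debt.
    inherited_debt = vulnerable and not asset.patchable and not asset.vendor_pqc_roadmap
    if not vulnerable:
        tier = "P3-monitor"
    elif hndl_exposed or not deadline_feasible:
        tier = "P1-immediate"
    elif inherited_debt:
        tier = "P2-procurement"   # push PQC commitments into contract renewal
    else:
        tier = "P2-scheduled"
    return {"asset": asset.name, "vendor": asset.vendor, "quantum_vulnerable": vulnerable,
            "hndl_exposed": hndl_exposed, "deadline_feasible": deadline_feasible,
            "inherited_debt": inherited_debt, "tier": tier}


# Constructed sample inventory; vendor names and values are illustrative.
SAMPLE_INVENTORY = [
    Asset("plc-firmware-signing", "VendorA", "RSA", 2045, 5.0, False, False),
    Asset("hmi-vpn-tunnel", "VendorB", "ECDH", 2028, 0.5, True, True),
    Asset("historian-tls", "VendorC", "ML-KEM", 2040, 0.5, True, True),
]


def triage_inventory(inventory, current_year):
    """Triage every entry and return results ordered P1 first."""
    return sorted((triage(a, current_year) for a in inventory), key=lambda r: r["tier"])
```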
Loss Exposure (illustrative)
Magnitude: High — illustrative $5M-$50M+ for a mid-to-large federal contractor or critical infrastructure operator; range reflects the span between a scoped contract loss or regulatory finding at the lower end and a multi-contract disqualification, OT hardware replacement program, and litigation exposure at the upper end
Frequency: For an organization with confirmed cryptographic inventory gaps and active federal contract exposure: a material compliance-driven loss event is plausible within a 3-5 year window tied to the 2030 deadline; harvest-now-decrypt-later confidentiality loss is a continuous, low-observable exposure with no discrete event frequency — it is accumulating now
Annualized: Insufficient basis for a defensible single ALE figure given the bimodal loss structure: the regulatory/contract loss is a threshold event concentrated near 2030, while the harvest-based confidentiality loss accrues continuously and crystallizes only when adversaries gain quantum decryption capability — treating these as a single annualized figure would misrepresent the risk shape
Basis: Magnitude range derived from: (1) federal contract revenue at risk as a floor for contractor-class organizations, scaled by scope of cryptographic non-compliance; (2) OT hardware and firmware replacement program costs for environments where cryptographic upgrades require physical replacement rather than software patching, which industry engineering estimates place in the $1M-$20M+ range per facility for complex ICS environments; (3) regulatory penalty and remediation cost as an additive layer on top of (1) and (2). No third-party report figures cited. All figures are illustrative.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Federal contracts referencing NSM-10 or CMMC-adjacent cryptographic requirements may contain compliance representations that could be implicated by harvest-now-decrypt-later exposure or a missed 2030 migration milestone — verify with counsel.
• Cyber insurance policies with cryptographic control warranties or encryption-adequacy conditions may face coverage disputes if post-quantum transition failures are deemed a known, foreseeable risk that was not acted upon — verify with broker and counsel.
• Critical infrastructure operators subject to sector-specific regulators (NERC CIP, TSA cybersecurity directives, NRC) may face reportable compliance findings if PQC migration plans are absent or inadequate upon examination — verify with counsel.