Harvest-now-decrypt-later (HNDL) is the most commonly misunderstood part of the entire quantum conversation at the executive level. Most boards I brief assume the quantum threat is years away. The collection threat is not. This is the 30-minute board version.
The frame
An adversary does not need a working quantum computer today to extract value from quantum tomorrow. They need to collect encrypted data today and store it. When a cryptographically relevant quantum computer (CRQC) becomes operational — five years, ten years, fifteen years — they decrypt what they collected.
For data with a long sensitivity life, that is functionally a present-tense compromise. Defense data, intelligence community data, healthcare records, life-sciences IP, financial long-life records, federal-stewardship data, sensitive personal data — all of these are being targeted now.
Who is collecting
This is the part of the briefing that lands hardest in board rooms because it makes the threat concrete. The public attribution is consistent across multiple intelligence services and confirmed by major Western governments: nation-state-level actors are running HNDL collection at scale. The collection programs are funded, persistent, and not affected by any single defensive product or vendor switch.
For sectors that hold long-life data with strategic value — defense, life sciences, financial services with long-tail records, federal-stewardship data — assume HNDL collection is operational against you today. That is the working assumption every CISO I advise now uses.
Which data classes are most exposed
The simple test is sensitivity lifetime. If the data still has consequence ten years from now, HNDL is operational against it.
- Defense and intelligence data — multi-decade sensitivity.
- Life-sciences IP — molecule and platform IP with multi-decade competitive value.
- Healthcare records — patient-lifetime sensitivity.
- Financial long-life records — wealth-management, trust, estate.
- Federal-stewardship data — citizen records, security-clearance data.
- Sensitive personal data — biometric, identity, HR records.
- Trade secrets and proprietary algorithms.
The four prioritization decisions every board now owns
The version of the briefing that produces a clean fiduciary outcome reduces the entire HNDL conversation to four prioritization decisions:
- What classes of our data have long enough sensitivity life that HNDL is a present-tense compromise?
- For each of those classes, when does the data leave systems we control — partners, vendors, regulators?
- Which of those data flows can be migrated to post-quantum cryptography within a 24-month window?
- What investment level is the audit committee willing to authorize for the work, given the threat horizon?
Those four decisions are the ones the board owns. Everything else in the migration is execution and reports up.
What the briefing avoids
I deliberately do not run boards through algorithm details. ML-KEM versus ML-DSA versus SLH-DSA versus FALCON is the wrong board conversation. The wrong board conversation is also the one most CISOs default to, because it is the one they are most comfortable with.
The right board conversation is the four prioritization decisions above. Everything else is delegated.
What the briefing produces
A board briefing on HNDL that is doing its job produces three artifacts:
- A list of data classes with long sensitivity life and their owners.
- A first-pass prioritization for the migration.
- A budget envelope for the next 12 months of inventory and vendor evaluation work.
Those three artifacts are sufficient to start the program. The implementation detail is delegated to the CIO and CISO, who already have the migration framework — see the CIO PQC playbook.
Why this matters now
Two reasons. First, the migration takes longer than the threat horizon assumes — multi-year programs against a multi-year threat. Starting late means migrating under regulator pressure rather than ahead of it. Second, vendor leverage is highest right now, while PQC posture is still elective for most categories. That window narrows every quarter.