When the Global Fintech Institute's Convergence of Emerging Technologies SubCommittee convened its inaugural closed-door roundtable on 3 June, the central question was how institutions should plan around a threat that has already begun. Quantum computing eventually breaking today's cryptography was the certainty under discussion.
The session was hosted at the offices of Drew & Napier LLC, with the firm providing the venue and post-discussion refreshments. The conversation was anchored by Daniel Lee (Chief Executive Officer, Cactus Custody) and Dr. Andy Ting (Founder, Hela Labs & Finapac Capital Pte Ltd), co-chairs of the SubCommittee, with substantive contributions from Shumin Lin (Director, Drew & Napier LLC), Michael Lew (Co-Founder, Aegis Digital Asia), and Jorden Seet (GFI Industry Fellow).
"Harvest now, decrypt later" framed much of the discussion. Adversaries are collecting encrypted data today, anticipating the moment quantum capabilities can defeat the cryptography protecting it. For sectors holding data with five-to-ten year shelf lives, including legal, financial, custody, and healthcare, the implication is direct. Information protected today may not stay protected.
The technical layer is moving. Post-quantum cryptographic standards from NIST, including FIPS 203, 204, and 205, have shifted from research into operational deployment. Singapore government services including SingPass, IRAS, and ActiveSG are already running hybrid post-quantum cryptography at the TLS key exchange layer, using X25519MLKEM768 in combination with classical X25519. Hardware security modules in custody platforms and banks are migrating, and Ethereum has announced a roadmap toward post-quantum cryptographic transitions.
The harder questions, the panel observed, sit above the cryptography. How should institutions inventory their cryptographic exposure and reduce the data they no longer need? Where should crypto agility be deployed so that a broken algorithm does not translate into a breach? And as boards and executives can no longer point to Q-Day as a distant future, how does duty of care evolve when adversaries are already harvesting today's encrypted data?
Adoption remains asymmetric. Regulated institutions are moving. Less regulated entities are slower, partly because the carrot, procurement standards demanding PQC-aligned vendors, has yet to match the stick of formal regulation. The discussion turned to quantum key distribution as an elegant infrastructure-level alternative for defence and critical applications, alongside trusted execution environments as a near-term layer for institutions managing the migration.
The Global Fintech Institute will publish a full insights report drawing on the roundtable, examining quantum readiness across Asian financial institutions, the legal and regulatory frameworks that will need to evolve in parallel, and the practical preparedness actions available today.
Our thanks again to Daniel Lee (Chief Executive Officer, Cactus Custody), Dr. Andy Ting (Founder, Hela Labs & Finapac Capital Pte Ltd), Shumin Lin (Director, Drew & Napier LLC), Michael Lew (Co-Founder, Aegis Digital Asia), and Jorden Seet (GFI Industry Fellow) for anchoring the discussion, and to Drew & Napier LLC for hosting the session and the post-discussion networking over light refreshments.
The Convergence of Emerging Technologies SubCommittee was established to give the ecosystem a forum for moving the conversation from theory toward institutional readiness. This roundtable was its first convening of that mandate.