I have just returned from the year 2029. While I was there, I picked up a copy of The Straits Titan Financial Review. The news headline was striking!
The story is, of course, fictional. But Q-Day is not. Monetary Authority of Singapore (MAS) advised every financial institution in Singapore about it almost seven years ago, in 2024. National Institute of Standards and Technology (NIST) published the standards. Regulators worldwide issued guidelines. The warnings could not have been clearer. And yet, the board deferred. The working group debated. The memo went nowhere. And then Q-Day arrived early. Check the story and judge for yourself how far-fetched it really is.
__________
THE STRAITS TITAN FINANCIAL REVIEW
Monday, 8 October 2029
Year 2029: How Google’s Quantum (Q-Day) Warning Came True Costing One Bank Millions!
Not a single account was hacked. Not one password was cracked. No data was stolen. When Q-Day arrived on September 2029, Sinasia Financial Group was not breached. It was asked a question it could not answer. Besides suffering significant reputational damage, it cost them millions in downtime, in establishing an interim plan and reviving an initiative that had earlier been deferred and had since lost both momentum and board attention.
By Keiko Tan, Senior Correspondent, Financial Investigations
What Singapore’s financial community will remember about Sinasia is a two-page internal memo dated three years ago in September 2026, written by the head of cybersecurity and addressed to the Group Chief Risk Officer.
The memo detailed the requirements for the post-quantum cryptography migration. It referred to the MAS Quantum Advisory from February 2024, and the NIST PQC standards, which were finalised that same year. It warned that a well-structured migration programme could entail more than 120,000 individual tasks across applications, infrastructure, HSMs, certificates, vendor contracts, and operational technology. It cited Mosca’s Theorem, a framework for evaluating whether an organisation has exhausted its migration options. It called for a dedicated budget, a comprehensive cryptographic inventory, and a Cryptographic Bill of Materials (CBOM).
The memo was acknowledged. A working group was formed; however, after several months, the budget was deferred, the scope was reduced, and the working group was absorbed into a broader programme while losing its reporting line to the board.
By September 2029, Sinasia’s PQC migration was only 30% complete.
Q-Day arrived on Monday 17th September.
Two weeks later, by Monday 1st October, Sinasia had voluntarily suspended all transaction processing.
It would not resume for four days.
What Q-Day actually was
Popular imagination had envisioned Q-Day as a Hollywood moment. Every bank drained simultaneously, passwords cracked en masse, and an overnight digital catastrophe was visible in real time.
That is not what happened.
Google’s prediction came true. On Monday 17 September 2029, a research consortium publicly demonstrated that a quantum computer had broken RSA-2048 encryption in a controlled laboratory environment. No institution was attacked. Breaking a single RSA-2048 key required approximately $7.5 million in compute costs, including close to $70,000 in power consumption per key. Mass password cracking was not happening. The quantum apocalypse of popular imagination had not arrived.
What had arrived was something far more insidious. Not a breach. A confidence crisis.
Within six hours of the demonstration, journalists across Asia were filing the same question to every major financial institution in the region. “Is your bank quantum-safe?“
Most could say yes. They had migrated, or were far enough along to demonstrate credible, auditable progress.
The names of the following institutions have been withheld at their request. This publication has independently verified its post-quantum cryptography migration plan and its quantum readiness disclosures.
By September 2029, Bank A had completed migrating its entire interbank settlement infrastructure to NIST-standardised post-quantum algorithms and could present MAS with a fully audited CBOM. Bank B had deployed PQC-capable HSM firmware in 2029 and had been running hybrid encryption across its customer-facing channels for over a year. Bank C had aligned with a global quantum-safe programme and could demonstrate to correspondent banks that its certificate infrastructure had been fully reissued using quantum-resistant algorithms.
Each could answer the question credibly. They could show a current cryptographic inventory, a migration roadmap with completed milestones, and evidence of independent audits.
Sinasia could show only 30% completion and a programme that had lost its board reporting line two years earlier. The difference was not technical. It was governance.
The question that cost more than any breach
By noon of Friday 21st September, Sinasia had received forty-three media enquiries on its quantum readiness. By 3 pm, two correspondent banks in Europe had placed holds on settlement arrangements. By evening, MAS had issued an industry-wide notice requiring all licensed institutions to publicly declare their quantum readiness status within forty-eight hours.
Sinasia’s internal assessment confirmed what the 2026 memo had been trying to say for three years. Only 30% of its critical systems had been migrated to post-quantum algorithms. The remaining 70 per cent, including its core interbank settlement infrastructure, HSMs, and certificate management systems, still relied on RSA and elliptic-curve encryption.
The institution was not under attack. The economics of quantum attacks meant that only the highest-value targets were at meaningful direct risk in the near term. Nation-state intelligence, critical infrastructure, sovereign financial systems.
None of that mattered.
Sinasia could not confidently tell its customers, correspondent banks, and regulators, “Our encryption is quantum-safe.” Without that assurance, the question itself became the crisis.
At 06:00 pm on Monday 1st October, Sinasia’s board convened an emergency session. The bank would voluntarily suspend transaction processing while it completed an emergency assessment and implemented interim quantum-safe controls.
The suspension lasted four days.
Corporate clients with time-sensitive settlement obligations were unable to transact. Trade finance facilities froze. Correspondent banking partners rerouted payment flows. The bank’s share price fell by thirty-one per cent. A ratings agency placed it on negative watch.
The cost was estimated by independent analysts at several hundred million dollars. Not a single account had been hacked. Not one encryption key had been cracked by a quantum computer.
“Q-Day is not mainly a technical event. It is a trust event,” said Viren Mantri , a Singapore-based strategic adviser on AI, Blockchain, Cyber, Digital Currencies, and Quantum, engaged to advise Sinasia in the aftermath. “Sinasia was not hacked. A question was asked. Four days of suspended operations was the cost of not being able to answer it.”
Years of warnings
This is not a story of an institution caught unaware.
Monetary Authority of Singapore (MAS) issued its quantum advisory in February 2024, warning about Harvest-Now-Decrypt-Later attacks and establishing clear expectations for institutions to start migration planning. Soon after in August 2024, MAS signed a Memorandum of Understanding (MoU) with DBS Bank , HSBC , OCBC , UOB , SPTel Pte Ltd and SpeQtral to embark on quantum security collaboration and study the application of Quantum Key Distribution (QKD) in financial services, which can help financial institutions protect the exchange of cryptographic keys to address the cybersecurity threats posed by quantum computing. By September 2025, MAS had taken further steps by publishing results from a live Quantum Key Distribution sandbox with four major Singapore banks. These steps served as a practical demonstration and a clear signal of where the industry needed to progress.
MAS was not alone. Regulators across the United Kingdom (National Cyber Security Centre‘s next steps for PQC), the European Union (European Commission‘s implementation roadmap for PQC), the United States (Cybersecurity and Infrastructure Security Agency‘s guidance product categories for technologies that use PQC standards), and several Asia-Pacific jurisdictions had, by 2026, issued their own quantum readiness guidance and were actively requiring institutions to demonstrate progress in migration. The direction of global regulatory travel was consistent and clear: quantum readiness was no longer optional. It was becoming a condition of operating.
Sinasia’s board received summaries of it all. The quantum risk item was discussed at four board meetings between 2024 and 2028. Each time, it was noted and deferred.
The working group spent a significant portion of its two years debating the wrong question. Whether to pursue Quantum Key Distribution (QKD) or Post-Quantum Cryptography (PQC) as the primary strategy. QKD and PQC are not competing choices. They are complementary. The debate consumed eighteen months that should have been spent building CBOM and migrating critical infrastructure.
Regulators respond
MAS acted decisively. Institutions that showed credible progress in migration were publicly recognised as quantum-ready. Those that did not were placed under enhanced supervision.
At a press briefing the following week, MAS Deputy Managing Director Sandra Oh was direct. It does not take a successful quantum attack to cause serious harm. It only takes the public losing confidence in an institution’s ability to protect them. The institutions that have prepared have shown that preparation was achievable.
She confirmed that MAS is considering mandatory quantum readiness certification for all licensed financial institutions, with specified milestones, independent audit requirements, and public disclosure obligations. Regulators in other major financial centres confirmed that similar frameworks are being accelerated in response to Q-Day, reflecting a coordinated global shift towards treating quantum readiness as a baseline regulatory expectation rather than a forward-looking aspiration.
The memo they should have read differently
The 2026 memo did not predict the timing of Q-Day. It described the gap between what migration required and what was being allocated to address it.
That boundary was not crossed as the memo’s author had expected. Not through a direct breach. Nor through harvested data being decrypted. It was crossed in a conference room at 06:00 pm on a Monday evening, when a board that had delayed the programme for three years had to decide whether to keep the bank open.
“You do not need to be attacked to be destroyed by quantum risk,” Viren Mantri said. “But if you are unable to prove that you cannot be attacked, that is a completely different problem. And it is one that no amount of incident response planning can solve after Q-Day has been demonstrated. The only solution is migration. And migration takes years.”
The vendor that supplied Sinasia’s primary HSM platform confirmed that PQC-capable firmware had been available since 2028. It was never deployed.
The September 2026 memo is now in evidence. It always had the answer. The board was not ready to fund what it actually meant.
Hindsight
Check the timeline. In hindsight, the warnings could not have been clearer.
- February 2024 – MAS advised every financial institution in Singapore about Harvest-Now-Decrypt-Later attacks and establishing clear expectations for institutions to start migration planning.
- August 2024 – NIST released Post Quantum Cryptography standards (PQC).
- August 2024 – National Cyber Security Centre in the UK published next steps for PQC.
- August 2024 – Monetary Authority of Singapore (MAS) signed an MOU with DBS Bank , HSBC , OCBC , UOB , SPTel Pte Ltd and SpeQtral to embark on quantum security collaboration.
- June 2025 – European Commission advised an implementation roadmap for PQC.
- September 2025 – MAS published from a live Quantum Key Distribution sandbox with four major Singapore banks.
- January 2026 – Cybersecurity and Infrastructure Security Agency(CISA) in the United States published guidance product categories for technologies that use PQC standards.
- March 2026 – Google predicted it (https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/).
__________
Additional reporting by Jamie Lee and Idris Stone. The Straits Titan Financial Review contacted Sinasia Financial Group and MAS for comment. Sinasia confirmed it has resumed full operations and is cooperating with all regulatory requirements. It declined to comment on specific financial impacts. MAS confirmed the quantum readiness certification framework will be published within sixty days.
© The Straits Titan Financial Review 2029. All rights reserved.
#Quantum #QDay #PQC #QKD #Cyber #Risk #Encryption #MAS #Singapore #Governance
__________
Much of my thinking on Q-Day has been shaped by Marin Ivezic — Founder of Applied Quantum , author of Post Quantum and instructor of SANS SEC529. His framing of Q-Day as a collapse of trust, not just a technical event, fundamentally changed how I see this threat. His articles — Q-Day Isn’t an Outage, It’s a Confidence Crisis and his latest, Google Just Drew a Line in the Sand: PQC Migration by 2029 — are essential reading.
__________
About the author
Viren Mantri is a cybersecurity advisor and former senior technology leader across Standard Chartered, UBS, McAfee, and KPMG. With 30 years of navigating the intersection of technology, risk, and regulations, he now helps organisations cut through complexity and make better security decisions.
CC-BY Viren Mantri, 2026, licensed under a Creative Commons Attribution 4.0 International License.
Disclaimer: All views expressed here are entirely mine.