The Quantum Almanac 2026-2027 sector playbooks cover four industries: Finance and Market Infrastructure (Chapter 14) focusing on HSM bottlenecks and SWIFT exposure, Healthcare and Life Sciences (Chapter 15) focusing on long-horizon patient data and medical device update cycles, Industrial/Cloud and Critical Infrastructure (Chapter 16) focusing on firmware with decade-long replacement cycles, and Government and National Security (Chapter 17) focusing on federal mandates and acquisition as leverage. Each playbook includes key risks, metrics, and leadership questions.
Chapter 14
Finance and Market Infrastructure
Financial services faces the longest confidentiality horizons and the most complex trust dependencies. HSM vendors have no GA post-quantum support—the single most important supply-chain bottleneck in financial-sector PQC transition.
- SWIFT, payment networks, and trading infrastructure exposure
- G7 Cyber Expert Group coordination and regulatory expectations
- HSM bottleneck—no major vendor offers GA PQC support
- Merger and acquisition strategy, position data, and transaction histories
- Key management and certificate authority migration
- Key risk: HSM bottleneck (no major vendor has GA PQC support yet)
- Key metric: % of critical apps with documented crypto dependency maps
- Key question: Which transaction or custody systems would create the largest integrity risk if their trust model were weakened?
Chapter 15
Healthcare, Life Sciences, and Regulated Privacy
Patient data collected today will still be sensitive after the patient dies. HIPAA does not mention quantum—but its logic still applies: technical safeguards must remain meaningful for the full confidentiality life of the data.
- HIPAA and long-horizon thinking for genomic and clinical data
- FDA medical device cybersecurity and long deployment cycles
- Distributed care networks and third-party backup exposure
- Research repositories and legal retention constraints
- Separating quickly-patchable app layers from long-lived medical devices
- Key risk: Medical devices with 10+ year deployment cycles that may be impossible to update
- Key metric: % of PHI and research repositories with defined confidentiality horizons
- Key question: Which genomic or clinical datasets would still be sensitive a decade from now?
Chapter 16
Industrial, Cloud, and Critical Infrastructure
Critical infrastructure carries the longest migration tails. Long asset lives, mixed vendor ownership, and deeply embedded trust assumptions mean late preparation is more dangerous—not less urgent.
- Control plane matters more than field devices
- Wrapping frozen systems to reduce exposure without replacing them
- Remote administration, VPNs, and certificate-based access
- Data historians, backup systems, and vendor maintenance channels
- Firmware signing and software supply chain implications
- Key risk: Firmware update cycles measured in decades, not quarters
- Key metric: % of OT remote-access paths with documented trust and authentication dependencies
- Key question: Which vendor relationships are likely to become the pacing item in the program?
Chapter 17
Government and National Security
Federal posture is now explicit. Acquisition is the force multiplier. When public-sector buyers ask for cryptographic inventory, agile design, and PQC product support, the market has to answer.
- EO 14144 and June 2025 amendment—PQC in federal cyber modernization
- DHS memorandum: prepare now, not when ready
- CISA product categories translating the issue into procurement criteria
- DoD pre-shared key replacement deadline: December 31, 2030
- $7.1B White House estimate for civilian federal PQC migration through 2035
- Key risk: Certification and authorization cycles that prevent rapid movement
- Key metric: % of mission-critical systems with current cryptographic inventories
- Key question: Are we using acquisition and source selection as leverage, or treating procurement as separate from security readiness?