PQC and SOX Compliance: What Public Companies Must Prepare For in 2026

TLS 1.0 was never explicitly listed in SOX. Neither was SHA-1. But ask any public company compliance officer who lived through the 2015–2018 deprecation cycle, and they will tell you exactly how fast "industry best practice" becomes an auditor's control deficiency. Post-quantum cryptography is on the same trajectory — and the organizations that wait for an explicit SEC or PCAOB rule before acting will be explaining themselves to their audit committees at precisely the wrong moment.

The core facts are not in dispute: NIST finalized FIPS 203, FIPS 204, and FIPS 205 on August 13, 2024, establishing ML-KEM, ML-DSA, and SLH-DSA as the first federally standardized post-quantum algorithms.[NIST] CISA has published PQC product category procurement guidance formally directing critical infrastructure operators and federal vendors toward quantum-resistant key establishment and digital signature solutions.[CISA] And the SEC's 2023 cybersecurity disclosure rules require public companies to disclose material cybersecurity risks in annual reports — a framework that does not yet name quantum risk explicitly, but absolutely does not need to in order to capture it.[SEC]

The window between "no explicit requirement" and "assumed standard of care" is closing. This article maps the regulatory terrain, identifies the specific SOX exposure vectors, and provides a practical roadmap finance and compliance teams can execute inside existing governance structures.


Where PQC Mandates Stand Today — And Where They Are Heading

As of early 2026, no binding post-quantum cryptography mandate applies directly to public companies under SOX, SEC rules, or PCAOB standards. That statement requires immediate context, because the regulatory trajectory is unambiguous and accelerating.

The federal framework has been building since National Security Memorandum 10 (NSM-10), signed in May 2022, which directed federal agencies to inventory cryptographic systems and begin migration planning, with a December 31, 2025 transition deadline for certain National Security System (NSS) profiles.[White House] OMB Memorandum M-23-02, issued in December 2022, required civilian federal agencies to submit annual cryptographic inventories and transition plans to OMB and CISA.[OMB] NSM-10's outer boundary — full quantum-resistant transition for NSS — remains 2035.[White House]

For public companies, these federal deadlines function as leading indicators, not direct obligations. When CISA categorizes key establishment and digital signature products as requiring PQC capability, it establishes a procurement reference frame that will migrate into commercial audit standards. Finance and compliance teams should be reading these federal timelines as the earliest signal of where private-sector "reasonable security" expectations are heading — typically two to four years behind the federal curve.


How "Reasonable Security" Under SOX Could Evolve to Encompass PQC

SOX Section 404 does not define cryptographic standards. It requires management to assess and report on the effectiveness of internal controls over financial reporting (ICFR), and it empowers external auditors to independently evaluate whether those controls are adequate.[SEC] The operative interpretive standard is "reasonable security" — a deliberately flexible concept that allows auditors to incorporate evolving technical baselines without waiting for new legislation.

The TLS deprecation analogy is instructive and precise. When NIST deprecated TLS 1.0 and 1.1 in NIST SP 800-52 Rev. 2 in 2019,[NIST] there was no corresponding SOX amendment, no SEC release, and no PCAOB bulletin. Yet within two to three audit cycles, external auditors at major public companies were treating continued use of deprecated TLS versions as a control deficiency — because a finalized federal standard had established the baseline, and deviation from that baseline required explanation. FIPS 203, 204, and 205 represent precisely that kind of baseline-establishing event for post-quantum cryptography.

NIST's selection of HQC as an additional backup PQC algorithm reinforces this trajectory.[NIST] The standard is not contracting or in flux — it is expanding. Vendor adoption is accelerating. The conditions that transformed TLS deprecation from a technical recommendation into an audit finding are present and developing for PQC. The question for public company compliance officers is not whether this transition will happen, but whether their organization will be ahead of the audit expectation curve or behind it.

PCAOB has not issued guidance on PQC as of early 2026. But PCAOB Auditing Standard AS 2201 — which governs the integrated audit of ICFR — gives external auditors broad latitude to evaluate whether the design and operating effectiveness of controls reflects "current knowledge and information."[PCAOB] Once NIST-standardized PQC algorithms become the commercially expected baseline — a condition that federal procurement timelines suggest will arrive between 2027 and 2030 — auditors applying AS 2201 will have a credible basis for questioning the adequacy of controls that rely exclusively on classical cryptography for financial system integrity.


Mapping Quantum-Vulnerable Cryptography to SOX Scope

The practical challenge for finance and compliance teams is not philosophical — it is architectural. SOX scope is well-defined in most organizations: the systems that generate, transmit, store, and report financial data material to ICFR. Mapping quantum-vulnerable cryptography onto that scope requires a systematic inventory, but the categories are identifiable.

ERP Platforms and Financial Reporting Systems

Enterprise resource planning systems — SAP, Oracle Financials, Microsoft Dynamics — rely on classical asymmetric cryptography for data-at-rest encryption, inter-module communication, and API authentication. RSA and ECC, both quantum-vulnerable, are the dominant cryptographic primitives in current ERP implementations.[NIST] A cryptographic inventory scoped to SOX systems should begin here.

Financial Data Transmission — TLS and API Security

TLS 1.3, the current gold standard for transport security, uses classical key exchange mechanisms (ECDHE) that are vulnerable to a cryptographically relevant quantum computer.[CISA] Every financial data transmission between SOX-relevant systems — general ledger updates, treasury management API calls, external reporting feeds — relies on this classical layer. CISA's guidance specifically identifies key establishment as a priority PQC product category, which maps directly to TLS key exchange.[CISA]

Digital Signatures on Financial Documents

Electronically signed financial statements, board resolutions, audit confirmations, and regulatory filings rely on RSA or ECDSA signatures — both quantum-vulnerable. CISA's product category guidance identifies digital signatures as a second priority category, alongside key establishment.[CISA] For public companies, the integrity of signed financial documents is directly tied to ICFR reliability.

Identity and Access Management for Financial Systems

PKI-based certificate infrastructure underpins privileged access controls for financial systems in most public companies. The certificates that authenticate system administrators, service accounts, and external auditor access portals are RSA or ECC — quantum-vulnerable. Compromise of IAM cryptography in a financial system context is an ICFR failure scenario, not merely an IT security incident.

Audit Trails and Immutable Logs

Cryptographically protected audit logs — increasingly common in regulated financial environments — use HMAC and digital signature schemes that are quantum-vulnerable over long retention horizons. For organizations retaining audit trails to satisfy SOX's seven-year record retention requirement, the long-term integrity of those records under a quantum threat is a legitimate planning consideration.[SEC]

No current SEC or PCAOB framework requires an annual cryptographic inventory analogous to OMB M-23-02's federal agency reporting requirement. Finance teams should build one anyway. Organizations that have developed crypto agility as an operational capability will find the inventory process significantly faster — and the resulting documentation will serve directly as audit-ready evidence of management's control awareness.


The Hybrid PQC Problem — Partial Migration and Audit Ambiguity

The migration from classical to post-quantum cryptography will not happen in a single cutover. NIST explicitly recommends hybrid approaches — running classical and PQC algorithms in parallel during the transition period — precisely because interoperability requirements, vendor readiness, and certificate lifecycle timelines make simultaneous replacement impractical.[NIST] This creates a compliance gray zone that will define the next three to five years for public company audit teams.

The audit ambiguity in hybrid implementations is structural. A SOX-scoped system running both ML-KEM and RSA key exchange simultaneously offers better quantum protection than a classical-only system — but it is not fully migrated. External auditors assessing ICFR effectiveness will eventually need to evaluate hybrid configurations, and no current PCAOB playbook addresses this scenario. Organizations that proactively document their hybrid implementation as a deliberate, time-bounded migration step — rather than an unplanned inconsistency — are significantly better positioned when that scrutiny arrives.

What "credible transition plan" documentation should look like for SOX purposes: a written cryptographic migration policy approved at the CISO/CFO level; a current-state inventory of quantum-vulnerable cryptography in SOX-relevant systems; a prioritization framework aligned to CISA's product categories; vendor roadmap commitments for PQC integration in key financial platforms; and a target-state timeline with milestone checkpoints. This documentation serves triple duty — as evidence of management's control awareness under AS 2201, as the foundation for 10-K cyber risk disclosure, and as the internal governance artifact that demonstrates the organization is not ignoring a known risk trajectory.

The phased budget framework for PQC migration is directly applicable here: finance teams should be building hybrid-phase costs into 2026 and 2027 planning cycles, not treating PQC migration as a single future capital event.


10-K Disclosure Risks — Quantum Readiness and the SEC Cybersecurity Framework

The SEC's final cybersecurity disclosure rules, effective for annual reports filed after December 15, 2023, require public companies to disclose material cybersecurity risks and the material effects of cybersecurity incidents in Form 10-K Item 1C.[SEC] The rules do not define "material" in cryptographic terms. They do not need to. The SEC's existing materiality standard — information that a reasonable investor would consider important in making an investment decision — is fully capable of capturing quantum cryptographic risk for the right categories of public companies.

Which Public Companies Face the Most Acute Disclosure Exposure

The materiality calculus for quantum cryptographic risk is asymmetric across industries. Financial services companies — banks, broker-dealers, insurance companies, payment processors — whose core business is the custody and transmission of financial assets face the highest inherent exposure. A cryptographic failure affecting financial transaction integrity or customer data confidentiality is material by almost any reasonable investor standard. Critical infrastructure operators, defense contractors and primes, and companies with significant government customer concentration face similar exposure, both because their systems are higher-value targets for harvest-now-decrypt-later attacks and because their regulatory environment (CISA, CMMC, FedRAMP) is converging on PQC requirements faster than general commercial sectors.

What Quantum Readiness Language in a 10-K Should Include

Companies that choose to address quantum cryptographic risk in their 10-K should be specific rather than generic. Generic boilerplate — "our systems may be vulnerable to emerging threats including quantum computing" — satisfies neither the SEC's materiality disclosure intent nor the reasonable investor standard. More defensible disclosure addresses: the company's awareness of NIST's finalized PQC standards and the federal regulatory trajectory; whether a cryptographic inventory has been initiated; the timeline for assessing and beginning migration in material financial systems; and any vendor dependency risks (i.e., whether key financial platform vendors have published PQC roadmaps). Investors and plaintiffs' counsel are sophisticated enough to distinguish between companies that have engaged with this risk and companies that have inserted it into a boilerplate risk factor list without corresponding action.

The Omission Risk

The more significant near-term exposure for many public companies is not inadequate disclosure — it is no disclosure. A company in the financial services or defense-adjacent sector that files a 2025 10-K with no reference to quantum cryptographic risk, and subsequently faces a cryptographic incident traceable to classical vulnerability, will face the question of whether the omission was a knowing failure to disclose a known material risk. The harvest-now-decrypt-later threat model — in which adversaries are already collecting encrypted data for future decryption — means the clock on this exposure is running now, not at some future date when quantum computers become operational.[CISA] Understanding why each month of PQC delay represents an irreversible security decision is essential context for any materiality assessment.


A Practical Compliance Roadmap for Public Company Finance Teams

The following five-phase framework is designed to be executed within existing SOX governance infrastructure — not as a parallel initiative requiring new organizational structures.

Phase 1: Cryptographic Inventory Scoped to SOX Systems (Q2–Q3 2026)

Engage the CISO and security architecture team to conduct a targeted cryptographic inventory limited to SOX-in-scope systems. The deliverable is a register of cryptographic algorithms in use across ERP platforms, financial data transmission pathways, digital signature applications, IAM infrastructure, and audit log integrity mechanisms. NIST IR 8547 (draft) provides the technical framework for identifying deprecated and quantum-vulnerable algorithms.[NIST] This inventory does not require full enterprise scope in the first phase — SOX-relevant systems are a manageable subset.

Phase 2: Risk Prioritization Using CISA Product Categories (Q3 2026)

Apply CISA's PQC product category guidance as a prioritization proxy.[CISA] Systems relying on classical key establishment (TLS key exchange, PKI certificate issuance) and digital signatures (document signing, code signing for financial software) receive the highest remediation priority. This prioritization logic aligns with federal procurement direction and will be the most defensible framework when auditors ask how the company triaged its migration roadmap.
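The inventory-and-prioritization logic of Phases 1 and 2, together with the hybrid-state documentation point raised in the earlier section on partial migration, as an added Python example (not code from the article, CISA, or NIST). The inventory records are constructed sample data, the algorithm-family lists are illustrative, and the scoring weights are an assumption that encodes the article's ordering (CISA priority categories first, harvest-now-decrypt-later weighting for long-retention key establishment, hybrid flagged as a deliberate interim state) rather than any official scheme. Symmetric ciphers and HMAC are classed as "review key length" following NIST's general position that Grover's algorithm only halves their effective strength, while RSA and elliptic-curve schemes are classed as broken by Shor's algorithm.

```python
"""Cryptographic inventory and prioritization register for SOX-scoped systems.

Added example, not code from the article or from any standards body. The
inventory below is constructed sample data and the scoring weights are an
illustrative assumption, not an official scheme.
"""
from dataclasses import dataclass
from collections import Counter

# Algorithm families by quantum exposure. Prefix matching lets labels such as
# "RSA-2048" or "ML-KEM-768" carry their parameter size.
RESISTANT = ("ML-KEM", "ML-DSA", "SLH-DSA")                # FIPS 203 / 204 / 205
SYMMETRIC = ("AES", "HMAC", "SHA-2", "SHA-3", "CHACHA20")  # Grover-bounded, not Shor-broken
VULNERABLE = ("RSA", "ECDSA", "ECDHE", "ECDH", "DHE", "DH", "DSA", "ED25519", "X25519")

# CISA's two priority PQC product categories, as the article describes them.
CISA_PRIORITY = {"key_establishment", "digital_signature"}


@dataclass
class Record:
    system: str
    function: str         # key_establishment | digital_signature | data_at_rest | log_integrity
    algorithms: list
    retention_years: int  # how long the protected data must stay confidential or provable


def classify_algorithm(name: str) -> str:
    """Map a label like 'RSA-2048' to quantum-resistant / symmetric / quantum-vulnerable."""
    label = name.upper()
    for cls, families in (("quantum-resistant", RESISTANT),
                          ("symmetric", SYMMETRIC),
                          ("quantum-vulnerable", VULNERABLE)):
        if any(label.startswith(f) for f in families):
            return cls
    return "unknown"


def migration_state(classes) -> str:
    """Summarise one system's mix of algorithms as a migration state."""
    vuln = "quantum-vulnerable" in classes
    pq = "quantum-resistant" in classes
    if vuln and pq:
        return "hybrid"          # partial migration: document as a time-bounded step
    if vuln:
        return "classical-only"
    if pq:
        return "pq-only"
    if "unknown" in classes:
        return "unknown"
    return "symmetric-only"      # review key length (e.g. AES-256); no replacement needed


def priority(rec: Record, state: str) -> int:
    """Illustrative remediation score (assumed weights); higher means remediate sooner."""
    if state == "pq-only":
        return 0
    if state == "symmetric-only":
        return 1
    score = 3 if rec.function in CISA_PRIORITY else 1
    if state == "unknown":
        score += 1               # cannot attest to the control; resolve the gap first
    # Harvest-now-decrypt-later: recorded traffic loses confidentiality retroactively,
    # so long-retention key establishment moves up the queue.
    if rec.function == "key_establishment" and rec.retention_years >= 7:
        score += 2
    if state == "hybrid":
        score -= 1               # already partially protected, but not finished
    return score


def assess(rec: Record) -> dict:
    classes = [classify_algorithm(a) for a in rec.algorithms]
    state = migration_state(classes)
    return {"system": rec.system, "function": rec.function, "state": state,
            "algorithms": rec.algorithms, "priority": priority(rec, state)}


def build_register(records) -> list:
    """Audit-ready register, highest priority first (stable for equal scores)."""
    return sorted((assess(r) for r in records), key=lambda row: -row["priority"])


def summarize(register) -> dict:
    """Count of systems per migration state, for the transition-plan summary."""
    return dict(Counter(row["state"] for row in register))


# Constructed sample inventory covering the article's SOX-relevant categories.
SAMPLE_INVENTORY = [
    Record("ERP general ledger API authentication", "digital_signature", ["RSA-2048"], 7),
    Record("Treasury management API (TLS)", "key_establishment", ["ECDHE", "AES-256-GCM"], 7),
    Record("Board resolution e-signature", "digital_signature", ["ECDSA"], 7),
    Record("External reporting feed (TLS)", "key_establishment",
           ["X25519", "ML-KEM-768", "AES-128-GCM"], 7),
    Record("Privileged access PKI certificates", "digital_signature", ["RSA-4096"], 2),
    Record("Audit trail integrity", "log_integrity", ["HMAC-SHA256"], 7),
    Record("Code signing for financial software", "digital_signature", ["ML-DSA-65"], 7),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_INVENTORY)
    for row in register:
        print(f'{row["priority"]}  {row["state"]:15} {row["system"]}: {", ".join(row["algorithms"])}')
    print(summarize(register))
```

Run as a script, it prints the register with the long-retention classical TLS endpoint first, the hybrid feed second (protected but explicitly "not finished"), the three classical signature systems next, and the symmetric-only and PQ-only systems at the bottom. The `state` column is the piece an auditor will ask about: a `hybrid` row with a written rationale reads as a planned migration step, while the same row without one reads as an inconsistency.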

Phase 3: Vendor and Third-Party Assessment (Q3–Q4 2026)

Issue PQC readiness questionnaires to material financial platform vendors, payment processors, audit confirmation service providers, and cloud infrastructure providers. Request published PQC roadmaps, target dates for FIPS 203/204/205 integration, and interim hybrid implementation plans. Document vendor responses. Vendors without credible PQC roadmaps represent third-party ICFR risk that should be escalated to the audit committee. Understanding the current state of FIPS 140-3 validation for PQC modules is directly relevant to evaluating vendor claims.

Phase 4: Transition Plan Documentation for Audit and Disclosure (Q4 2026)

Formalize the output of Phases 1–3 into a written PQC Transition Plan approved at the CISO/CFO level, with General Counsel review for disclosure adequacy. The plan should include: current-state inventory summary; risk prioritization rationale; vendor roadmap dependencies; internal remediation milestones mapped to federal planning horizons; and a hybrid implementation strategy for the migration period. This document is the primary artifact external auditors and SEC staff will request if PQC becomes the subject of regulatory scrutiny. It is also the foundation for defensible 10-K Item 1C language.

Phase 5: Governance Owner and Ongoing Monitoring (Q4 2026 and ongoing)

Establish a named governance owner for PQC compliance — optimally a joint accountability structure between the CISO (technical execution), CFO (resource allocation and SOX oversight), and General Counsel (disclosure obligations). Assign a recurring agenda item to the audit committee for PQC transition status updates. Establish a monitoring cadence for NIST, CISA, and SEC regulatory developments. The pace of federal rulemaking in this space means that the regulatory picture in Q4 2026 will be materially different from early 2026 — organizations without a designated monitoring function will miss inflection points that trigger disclosure or remediation obligations.


Key Takeaways

  • No binding PQC mandate applies directly to public companies under SOX, SEC rules, or PCAOB standards as of early 2026 — but the regulatory trajectory from NIST, CISA, and federal procurement makes this a near-term compliance exposure, not a distant future concern.
  • NIST's finalization of FIPS 203, 204, and 205 on August 13, 2024, starts the "reasonable security" clock. The TLS deprecation precedent demonstrates how finalized federal cryptographic standards become audit findings within two to three cycles.
  • SOX Section 404's flexible "reasonable security" standard, combined with PCAOB AS 2201's "current knowledge" criterion, gives external auditors a credible basis to flag classical-only cryptography as an ICFR control deficiency once PQC becomes commercially expected — likely between 2027 and 2030.
  • The highest-priority quantum-vulnerable systems in SOX scope are: ERP platforms, TLS-protected financial data transmission, digital signatures on financial documents, PKI-based IAM infrastructure, and cryptographically protected audit trails.
  • The SEC's 2023 cybersecurity disclosure rules create material omission risk for financial services, critical infrastructure, and defense-adjacent public companies that file 10-Ks with no reference to quantum cryptographic risk.
  • The harvest-now-decrypt-later threat model means quantum cryptographic risk is not a future event — adversaries are collecting encrypted data today for decryption when quantum computers become capable.
  • A five-phase roadmap — cryptographic inventory, risk prioritization, vendor assessment, transition plan documentation, and governance assignment — can be executed within existing SOX infrastructure without requiring new organizational structures.
  • Federal planning horizons provide concrete external benchmarks for internal capital planning and vendor accountability conversations.

This article draws on primary documentation from NIST (FIPS 203, FIPS 204, FIPS 205, NIST IR 8547 draft), CISA (PQC product category guidance), the White House (NSM-10, OMB M-23-02), the SEC (cybersecurity disclosure rules, 2023; SOX implementing rules), and PCAOB (Auditing Standard AS 2201). All claims verified against official sources as of March 2026.

Disclaimer: This content is for informational purposes only and does not constitute legal, regulatory, or compliance advice. Requirements vary by jurisdiction, organisation size, and specific circumstances. Consult a qualified professional before making compliance decisions based on this content. pqcinformation.com is an independent information resource and is not affiliated with any vendor, regulatory authority, or standards body.