NEW YORK — Citi is warning that a single quantum-enabled cyberattack disrupting one of the five largest U.S. banks’ access to the Federal Reserve’s payment system could put as much as $3.3 trillion of U.S. economic output at risk, underscoring what the bank describes as one of the most severe emerging threats facing the financial system.
In a new report, “Quantum Threat: The Trillion-Dollar Security Race Is On,” Citi says the potential economic shock could equal a 10% to 17% decline in annual GDP if a major institution were knocked offline from Fedwire, triggering broader payment and liquidity disruptions across the economy. The scenario highlights how quantum computing risks extend beyond cyber theft to systemic financial stability concerns affecting major banks and payment infrastructure.
The report argues that the most startling risk for large financial institutions is not a sudden future breakthrough but the possibility that attackers are already collecting encrypted data today in so-called “harvest now, decrypt later” campaigns. Once sufficiently powerful quantum computers arrive, that archived data could be deciphered retroactively, exposing sensitive financial and identity information that cannot be protected after the fact.
Citi estimates the probability of quantum computers breaking widely used public-key encryption at 19% to 34% by 2034, rising to as high as 82% by 2044, putting pressure on banks to accelerate upgrades even though the exact timing of “Q-day” remains uncertain. The firm characterizes the threat as a low-probability but high-severity event that could reach boardroom-level urgency well before regulators impose formal mandates.
Financial institutions are especially exposed because payment systems, authentication tools and interbank messaging rely heavily on encryption methods that quantum computers could eventually break. Citi warns that disruption to these systems could cascade across markets, creating contagion well beyond a single institution and amplifying operational and economic damage.
The bank said post-quantum cryptography already exists, but implementation across global banking systems presents a complex, multi-year challenge. Large institutions must inventory where public-key encryption is used, prioritize critical systems and adopt more “crypto-agile” infrastructure that can shift to new algorithms as standards evolve.
Citi compares the coming migration to — and potentially far larger than — the global Y2K remediation effort. While Y2K carried a clear deadline and limited scope, quantum migration could require broad changes across software, hardware, vendor ecosystems and employee skills, potentially becoming the largest cryptography upgrade in history.
The report concludes that for major banks, the central takeaway is that quantum risk is shifting from theoretical science to operational planning. Even without formal regulation today, institutions that delay migration may face higher costs and greater systemic exposure as governments and regulators increasingly push financial firms toward quantum-safe security standards.