Dear Member of Congress:

On behalf of the National Association of Corporate Directors^® (NACD^®) and the Internet Security Alliance (ISA), we respectfully submit the attachedBoard Discussion Guide on Quantum Computing to help corporate boards and management teams prepare for "Q-Day," the point at which quantum computing can undermine most currently deployed encryption and cybersecurity protections.

The possible implications of Q-Day are widespread, including creating exposure of sensitive data such as intellectual property, personal health data, and financial information. Leading experts anticipate this risk could become material potentially by the end of this decade.

According to new research from Bain & Company, the Information Systems Audit and Control Association and others, 90 percent of companies are unprepared for quantum security threats and lack a roadmap to prepare for such threats. The Board Discussion Guide is a playbook for corporate boards, with practical guidance and questions they can ask executives and of themselves to begin a disciplined transition plan. It includes questions such as:

• What is our risk exposure if all our data can be decrypted by quantum computers and how much will it cost in time and resources to implement post-quantum cryptography?
• What decisions do we need to make to remain competitive in a quantum-enabled marketplace?
• Do we have the right people in place on our executive team to lead the incorporation of quantum technology to support our strategy?
• Are we able to effectively interpret and assess internal and third-party presentations on quantum technologies, as well as their answers to our questions?

The Board Discussion Guide was jointly developed by General (Ret.) Greg Touhill, Director of the CERT Division at the Software Engineering Institute, Carnegie Mellon University, and former Chief Information Security Officer for the U.S. federal government, and Larry Clinton, President and CEO of the Internet Security Alliance. It is a key component of the publicly available Director's Handbook for Cyber-Risk Oversight that helps directors respond to incidents, oversee third-party risks, and work with law enforcement to elevate cybersecurity protections.

We encourage you to share this resource, which you may also download here, with public and private organizations in your state and district so they can begin planning now for the post-quantum transition and help strengthen our nation's preparedness.

Sincerely,
Peter Gleason
President and CEO
National Association of Corporate Directors

Larry Clinton
President and CEO
Internet Security Alliance

About NACD

The National Association of Corporate Directors^® (NACD^®) is the leading member organization for corporate directors who want to expand their knowledge, grow their network, and maximize their potential. For almost 50 years, NACD has helped boards and the business community elevate performance and create long-term value. NACD continues to raise standards of excellence and advance board effectiveness at thousands of member companies. NACD's insights, professional development events, and resources, including the NACD Directors Summit^™ and the NACD Directorship Certification^® program, support boards in navigating complex challenges. With a growing network of more than 24,000 members across more than 20 Chapters, boards are better equipped to make well-informed decisions on critical strategic issues.

Learn more at nacdonline.org.

About the Internet Security Alliance (ISA)

ISA's mission is to integrate advanced technology with economics and public policy to promote a sustainably secure cyber system. The ISA board is composed of cyber leaders, typically chief information security officers, from virtually every critical industry sector. Over the past 25 years, ISA has developed a comprehensive framework for cybersecurity in both enterprise risk management and public policy. ISA's consensus principles and practices, developed in collaboration with NACD and the World Economic Forum, form the foundation of this program and are reflected in ISA's Cyber-Risk Handbooks, now available on four continents and in five languages. The Journal of Cybersecurity has described this body of work as the "de facto international standard for cyber-risk oversight." ISA's companion book, Cybersecurity for Business, translates board-level principles into roles and practices for management teams.

ISA has also called for a broad rethinking of cybersecurity public policy in response to escalating threats from sophisticated actors using AI and other advanced technologies. This approach, articulated in ISA's book Fixing American Cybersecurity: Creating a Strategic Public Private Partnership, advances a market-oriented model that addresses both the economics and technology of cybersecurity. Elements of ISA's proposals are reflected in updated National Cybersecurity Strategies.

More information is available at isalliance.org.

About the Director's Handbook for Cyber-Risk Oversight

The fifth edition of the Director's Handbook on Cyber-Risk Oversight, due to be published on April 16, 2026, continues a decade-long legacy as a leading guide for corporate boards engaged in cyber-risk oversight. The Handbook presents six independently validated oversight principles shown to improve security budgeting and cybersecurity outcomes.

The forthcoming fifth edition includes specialized boardroom tools to help directors respond to incidents, oversee third-party risk, and coordinate with law enforcement, including the FBI, to strengthen cybersecurity across the broader ecosystem. While adaptable to organizational size and industry, these principles apply across public, private, and nonprofit boards.