Post-quantum cryptography

Quantum computing represents a new frontier that has the potential to solve highly complex problems far beyond the reach of today’s traditional systems. For GSK, this could unlock new approaches to drug discovery, molecular modelling, and optimisation  that are critical to developing potential new medicines and vaccines. 

However, as with many transformative technologies, quantum computing presents both opportunity and responsibility. The same capabilities that could drive scientific breakthroughs like the identification of novel compounds, optimising clinical trial design, and enhancing how we understand complex biological systems may also challenge the foundations of today’s digital security. That is why our approach is balanced — exploring how quantum can support future innovation, while ensuring we continue to protect sensitive research and patient data to the highest standards. 

The majority of online communications relies heavily on cryptography. At its core, cryptography ensures four key aspects:

• Confidentiality – Converting plaintext into ciphertext, ensuring information remains unreadable to anyone without the appropriate cryptographic key. 
• Integrity – Enabling systems and data to be trusted through cryptographic hashing and digital signatures, allowing organisations to detect whether information has been altered in transit or at rest.
• Authentication – Verifying the identity of users, systems, devices, or services involved in a communication or transaction.
• Non-repudiation – Preventing an individual or entity from denying their actions by using cryptographic signatures tied to their identity, such as digitally signed documents or transactions. 

Ultimately, these mathematical techniques protect sensitive data across systems, from clinical trials to global supply chains. A large portion of the cryptographic methods widely used today could become vulnerable in the future with the development of sufficiently powerful quantum computers.

While these quantum systems — often referred to as Cryptographically Relevant Quantum Computers (CRQC)— do not yet exist at scale, the underlying equation to break existing cryptography has already been established, leveraging Shor’s and Grover’s Algorithm. This means organisations must begin preparing now, rather than waiting until the technology is fully realised. 

One of the key risks is known as “harvest now, decrypt later”. This is where encrypted data is captured today by adversaries and stored, with the intention of decrypting it in the future when quantum capabilities mature. For GSK, where sensitive scientific data and patient information must remain secure for many years, this risk is a driving force in our proactive approach to addressing this threat.  

Cryptography is intentionally invisible to most of the organisation. However, when change is required, that invisibility becomes architectural opacity, introducing complexity and limiting visibility into where and how cryptography is implemented. 

Preparing early allows us to safeguard long-term data confidentiality, while ensuring we are ready to operate securely in a future where quantum technologies are more prevalent. 

GSK is approaching the transition to a post-quantum future through a phased, risk-based strategy. This includes evaluating quantum-resistant algorithms, identifying priority use cases, and developing repeatable implementation approaches to support future migration. 

We recognise that quantum computing holds real promise for advancing science and this approach allows GSK to build long-term capability, ensuring it can respond to an evolving threat landscape and transition cryptographic algorithms as needed. By acting now, we are not only protecting today’s data but also positioning GSK to responsibly explore and benefit from future quantum-enabled innovation. 

This dual focus — security and scientific opportunity — reflects our broader commitment to delivering innovation that ultimately benefits patients. 

Our focus is driven by three key long-term commitments.  

• First, long-term data protection. Patient data, clinical research, and intellectual property must remain secure for decades, not just years.  
• Second, evolving regulatory expectations, as governments and standards bodies begin to define timelines for transitioning to quantum-safe cryptography.  
• And third, the evolving within a dynamic, matrixed environment and the complexity of change — cryptography is deeply embedded across our digital environment, requiring careful planning, testing, and coordination. 

While there is no definitive timeline for the availability of CRQCs, . delaying preparation increases future risk and reduces the organisation’s ability to respond effectively.  

GSK also views this as more than a one-time migration. Cryptography has continually evolved, and algorithms do not have an indefinite lifespan, particularly as advancements such as AI may accelerate change. While post-quantum cryptography is the catalyst, the broader objective is to achieve cryptographic agility, enabling the organisation to adapt to future developments. 

Preparing for a quantum future is an opportunity to strengthen GSK’s overall cyber resilience. 

A key focus is building “crypto agility” — the ability to adapt and update cryptographic controls quickly as technologies and threats evolve. This reduces the need for reactive, large-scale changes in the future and helps ensure our systems remain secure over time. 

This work also reinforces trust across the healthcare ecosystem. GSK collaborates with a wide range of partners, including regulators, research organisations, suppliers, and technology providers. Protecting sensitive data — from patient information to scientific research — is fundamental to these relationships. 

By investing in quantum readiness today, we are demonstrating our commitment to strong data stewardship and to maintaining the highest standards of security. 

For GSK, this is about responsibility — to patients, partners, and regulators. Protecting sensitive data over the long term is critical to maintaining trust and ensuring continuity in how we deliver medicines and vaccines. 

This work is not only about managing risk. Quantum computing also represents a potential step change in scientific capability. By preparing now, we are ensuring that GSK is both secure and ready to explore how future quantum technologies could help advance research, accelerate discovery, and ultimately improve patient outcomes. 

Acting early is essential because the transition to quantum-safe cryptography will take time. If organisations delay modernising their cryptographic foundations, they may face increased risks to the confidentiality and integrity of sensitive information in the future. 

At the same time, regulatory expectations are evolving. Governments and international standards bodies are already establishing guidance for quantum-safe approaches.