Scroll Up Top
Download icon
Download

Authors: Isabelle Mast and Greg Heywood

A cyber attack can erase a year of operating profit in a matter of weeks, making cybersecurity a defensive necessity.

As digitalisation continues, artificial intelligence (AI) accelerates, and geopolitical tensions persist, the frequency, sophistication and financial consequences of cyber attacks continue to rise. Companies across sectors – not only those traditionally viewed as high-risk – are now exposed. For long-term investors, the relevant question is not whether cyber risk exists, but whether companies are prepared to manage it.

In 2025, we applied our proprietary cybersecurity assessment framework to certain portfolio companies that we consider relatively exposed to cyber risk, with the objective of assessing this potentially financially material risk at a corporate level.

The threat landscape
Cybercrime is projected to cost $10.5 trillion in 2025, outpacing cybersecurity investment by nearly 50x.1 Credit bureau Equifax provides an effective illustration of the increasing frequency of attacks: in 2024 it responded to more than 15 million cyber threats - that’s nearly 175 hostile attempts every second and a 25% increase from 2023.2 High-profile incidents continue to illustrate the scale of potential damage. In the UK, ransomware attacks in 2025 disrupted operations at major corporates, contributing to hundreds of millions in lost profit and remediation costs.

At the same time, many executives acknowledge that preparedness gaps remain. A survey of Chief Information Security Officers3 indicate that a majority expect a material attack within the next 12 months, yet a significant proportion feel underprepared to respond.

Widespread digitalisation means that every company is now a data company. As a result, the size of companies’ attack surfaces – the number of possible points where an unauthorised user can access a system and extract data – has increased. Additional factors that may also expand a company’s attack surfaces include:

  • Extensive automation and the Internet of Things (IoT)4
  • Greater reliance on cloud and hybrid infrastructure
  • Increased dependence on third-party vendors
  • More complex global supply chains
  • Larger and more distributed workforces
  • Ongoing M&A5 activity

Human error remains a leading cause of successful breaches, but supply chain vulnerabilities are becoming equally significant. For acquisitive companies in particular, inadequate integration of cybersecurity due diligence can introduce hidden risks.

Game-changing new technologies
AI is reshaping cybersecurity. On one hand, generative AI (GenAI) lowers the barrier to entry for attackers. Phishing campaigns are more convincing, vulnerability scanning can be automated at scale, and malicious activity can be deployed with greater speed and sophistication. On the other hand, AI-enabled defences can significantly reduce the time required to detect and respond to threats. Research suggests that organisations using AI within their cybersecurity defences experience lower average breach costs and faster containment.6 However in our view, companies must also consider the additional security requirements of AI tools, as research identified AI-related vulnerabilities as the fastest-growing cyber risk in 2025.7

Quantum computing presents a longer dated but potentially transformative threat. The prospect of “harvest now, decrypt later” attacks – in which encrypted data is stolen today to be decrypted in future – introduces risk to sensitive data with long shelf lives, including financial records, intellectual property and health information. However, defences are already in development. In 2024 the U.S. National Institute of Standards and Technology (NIST) released its first Post-Quantum Cryptography (PQC) standards and U.S. cyber agencies are already urging organisations to start quantum readiness work. Given that cryptographic transitions historically take many years, we believe early preparation for post-quantum cryptography is prudent, particularly for companies holding long-duration sensitive data.

Proprietary cybersecurity assessment framework
To evaluate cybersecurity in a structured and comparable way, we developed a proprietary assessment framework. The framework assesses positive and negative indicators across six pillars:

1. Governance: In our view, best practice includes cybersecurity oversight at board level, directors with relevant expertise, and clearly defined accountability. We believe cybersecurity must be embedded within enterprise risk management, not treated as a siloed IT function.

2. Resources, Training and Culture: Technology alone is insufficient. In line with our framework, a mature approach includes specialist teams, phishing simulations – with retraining for employees that fail, and a corporate culture built on cyber awareness.

3. Third-Party and M&A Risk: Within our framework, we focus on evidence of a resilient ecosystem, including supply chain due diligence, contractual safeguards, and the integration of cybersecurity analysis into acquisition decisions.

4. Processes and Controls: Positive indicators include alignment with recognised frameworks, as well as signs of controls such as identity and access management, endpoint detection and response, and threat and vulnerability management. AI-enabled defences and awareness and early planning for post-quantum cryptographic standards are also positives.

5. Response Preparedness: The speed of containment often determines financial impact. Our framework considers whether companies conduct regular incident response testing, executive-level simulations and scenario planning.

6. External Assurance: We look for independent audits, certifications (such as ISO 270018), cyber insurance and transparent quantitative disclosure, which provide additional validation of internal controls.

In 2025 we engaged with 10 companies in our portfolios that we deem to be more in the frontline of cybersecurity risk. While a material cyber attack can never be ruled out, our view is that these companies are generally managing the risk appropriately. Examples of best practice include:

  • Deployment of AI-enabled defences, significantly reducing the mean time to detect and respond to incidents.
  • Termination of vendor relationships and even rejection of acquisitions when cybersecurity standards fell short.
  • Adoption of a dual-sourcing strategy to build supply chain resilience.
  • Implementation of controls to limit the “blast radius” of an attack, for example through network segmentation and multi-factor authentication.
  • Learnings from previous incidents, demonstrating a culture of continuous improvement.
  • Obtainment of independent assurance of controls (e.g. with ISO 27001)
  • Disclosure of quantitative metrics to improve investor transparency.
  • Early-stage performance testing of Post-Quantum Cryptography standards.

Investment implication: risks and opportunities
The accelerating threat environment is driving structural growth in cybersecurity spending. Industry forecasts project global cybersecurity expenditure to exceed $200 billion in 2025 and continue expanding at double-digit rates.9 A survey of corporate CIOs indicated that cybersecurity budgets are increasing faster than overall software spend.10

This environment creates both risk and opportunity. From a risk perspective, companies that underinvest in cybersecurity defences face greater risk of a financially material attack. From an opportunity perspective, scaled cybersecurity providers and platforms embedded within enterprise ecosystems may benefit from sustained demand growth.

Within our portfolios, we hold companies with significant cybersecurity exposure, including:

  • Microsoft, which operates the largest cybersecurity business in the world, worth an estimated $30 billion, having more than doubled in the last three years.11
  • Visa, which is leveraging its expertise in payments security and fraud prevention to provide cybersecurity advisory services to clients.
  • Alphabet, which is poised to deepen its exposure to cybersecurity through its pending $32 billion acquisition of Wiz, a leading cloud security platform.
  • Experian, whose identity verification and fraud prevention solutions helped businesses worldwide avoid an estimated $19 billion in fraud losses.12

Cold comfort reality
No cybersecurity system can guarantee complete protection. However, in our view, the distinction between companies that are prepared, and those that are not, is becoming increasingly consequential. Cyber resilience is both a defensive necessity and a potential competitive advantage. Companies that embed strong governance, invest in advanced defensive capabilities and proactively adapt to technological change are, in our view, better positioned to protect their operations and shareholder value.

1 JP Morgan Research, “Digital Future Under Threat: AI, Quantum and Geopolitical Cybersecurity Risks”, November 2025.

2 Equifax Annual Security Report 2024

3 Source: Voice of the Chief Information Security Officer Survey 2025, Proofpoint

4 Internet of Things: physical objects that are embedded with sensors, processing ability, software, and other technologies that connect and exchange data with other devices and systems over the Internet or other communication networks.

5 Mergers and acquisitions

6 IBM Cost of a data breach report 2025, https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91

7 WEF – Global cybersecurity outlook 2026, https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf

8 International Organisation for Standardisation, 27001 is specific standard for information security.

9 Source: https://www.gartner.com/en/newsroom/press-releases/2025-07-29-gartner-forecasts-worldwide-end-user-spending-on-information-security-to-total-213-billion-us-dollars-in-2025

10 Morgan Stanley Research, “Cybersecurity: Forecast as Large Clouds Move In”, January 2026.

11 Morgan Stanley Research, “Cybersecurity: Forecast as Large Clouds Move In”, January 2026.

12 Experian annual report 2025

International Equity Team

The International Equity team follows a disciplined investment process based on fundamental analysis and bottom-up stock selection. They believe that the best route to attractive long-term returns is through compounding and providing reduced downside participation.

Featured Products

Related Insights

The Author

Featured Insights

Global Equity Observer
The high stakes of cybersecurity

Cyber attacks are becoming more frequent, sophisticated and costly as digitalisation accelerates and AI reshapes the threat landscape. For companies across sectors, cyber resilience is now a core risk management priority. How can investors assess whether companies are prepared? The International Equity Team explores the evolving cybersecurity landscape and the framework it uses to evaluate corporate preparedness.

27-Mar-2026
Global Equity Observer
Video: Agentic commerce - new frontiers

Agentic commerce is transforming online shopping from search-based browsing to AI driven decision-making. In this overview, the International Equity team explains how AI agents are reshaping product discovery, purchasing, and the economics of the digital commerce ecosystem. Watch to find out more.

27-Mar-2026
Press Release
1GT Portfolio Investment Huel to be Acquired by Danone

Morgan Stanley Investment Management announced today that Huel, one of the first investments made by the 1GT climate private equity strategy, has entered into a definitive agreement to be acquired by Danone, a world-leading food and beverage company.

24-Mar-2026
Media Appearance
Head of Morgan Stanley Investment Management: Ben Huneke on CNBC

Speaking on market uncertainty, Head of Morgan Stanley Investment Management’s Ben Huneke, said clients are being encouraged to stay anchored to long-term asset allocations, maintain liquidity, and lean slightly more conservative until geopolitical and energy-related risks become clearer. He noted that while recent market fears, such as the impact of AI on software, have driven dislocations, those concerns appear overstated, creating selective opportunities for long-term investors rather than signaling a broader structural breakdown.

24-Mar-2026

 

Risk Considerations
There is no assurance that a portfolio will achieve its investment objective. Portfolios are subject to market risk, which is the possibility that the market value of securities owned by the portfolio will decline. Market values can change daily due to economic and other events (e.g. natural disasters, health crises, terrorism, conflicts and social unrest) that affect markets, countries, companies or governments. It is difficult to predict the timing, duration, and potential adverse effects (e.g. portfolio liquidity) of events. Accordingly, you can lose money investing in this strategy. Please be aware that this strategy may be subject to certain additional risks. Changes in the worldwide economy, consumer spending, competition, demographics and consumer preferences, government regulation and economic conditions may adversely affect global franchise companies and may negatively impact the strategy to a greater extent than if the strategy’s assets were invested in a wider variety of companies. In general, equity securities’ values also fluctuate in response to activities specific to a company. Investments in foreign markets entail special risks such as currency, political, economic, and market risks. Stocks of small- and mid-capitalisation companies carry special risks, such as limited product lines, markets and financial resources, and greater market volatility than securities of larger, more established companies. The risks of investing in emerging market countries are greater than risks associated with investments in foreign developed markets. Derivative instruments may disproportionately increase losses and have a significant impact on performance. They also may be subject to counterparty, liquidity, valuation, correlation and market risks. Illiquid securities may be more difficult to sell and value than publicly traded securities (liquidity risk). Non-diversified portfolios often invest in a more limited number of issuers. As such, changes in the financial condition or market value of a single issuer may cause greater volatility. ESG strategies that incorporate impact investing and/or Environmental, Social and Governance (ESG) factors could result in relative investment performance deviating from other strategies or broad market benchmarks, depending on whether such sectors or investments are in or out of favor in the market. As a result, there is no assurance ESG strategies could result in more favorable investment performance.

IMPORTANT INFORMATION
There is no guarantee that any investment strategy will work under all market conditions, and each investor should evaluate their ability to invest for the long-term, especially during periods of downturn in the market.

A separately managed account may not be appropriate for all investors. Separate accounts managed according to the particular Strategy may include securities that may not necessarily track the performance of a particular index. A minimum asset level is required.

For important information about the investment managers, please refer to Form ADV Part 2.

The views and opinions and/or analysis expressed are those of the author or the investment team as of the date of preparation of this material and are subject to change at any time without notice due to market or economic conditions and may not necessarily come to pass. Furthermore, the views will not be updated or otherwise revised to reflect information that subsequently becomes available or circumstances existing, or changes occurring, after the date of publication. The views expressed do not reflect the opinions of all investment personnel at Morgan Stanley Investment Management (MSIM) and its subsidiaries and affiliates (collectively “the Firm”), and may not be reflected in all the strategies and products that the Firm offers.

Forecasts and/or estimates provided herein are subject to change and may not actually come to pass. Information regarding expected market returns and market outlooks is based on the research, analysis and opinions of the authors or the investment team. These conclusions are speculative in nature, may not come to pass and are not intended to predict the future performance of any specific strategy or product the Firm offers. Future results may differ significantly depending on factors such as changes in securities or financial markets or general economic conditions.

This material has been prepared on the basis of publicly available information, internally developed data and other third-party sources believed to be reliable. However, no assurances are provided regarding the reliability of such information and the Firm has not sought to independently verify information taken from public and third-party sources.

This material is a general communication, which is not impartial and all information provided has been prepared solely for informational and educational purposes and does not constitute an offer or a recommendation to buy or sell any particular security or to adopt any specific investment strategy. The information herein has not been based on a consideration of any individual investor circumstances and is not investment advice, nor should it be construed in any way as tax, accounting, legal or regulatory advice. To that end, investors should seek independent legal and financial advice, including advice as to tax consequences, before making any investment decision.

Charts and graphs provided herein are for illustrative purposes only. Past performance is no guarantee of future results.

The indexes are unmanaged and do not include any expenses, fees or sales charges. It is not possible to invest directly in an index. Any index referred to herein is the intellectual property (including registered trademarks) of the applicable licensor. Any product based on an index is in no way sponsored, endorsed, sold or promoted by the applicable licensor and it shall not have any liability with respect thereto.

This material is not a product of Morgan Stanley’s Research Department and should not be regarded as a research material or a recommendation. The Firm has not authorised financial intermediaries to use and to distribute this material, unless such use and distribution is made in accordance with applicable law and regulation. Additionally, financial intermediaries are required to satisfy themselves that the information in this material is appropriate for any person to whom they provide this material in view of that person’s circumstances and purpose. The Firm shall not be liable for, and accepts no liability for, the use or misuse of this material by any such financial intermediary.

This material may be translated into other languages. Where such a translation is made this English version remains definitive. If there are any discrepancies between the English version and any version of this material in another language, the English version shall prevail.

The whole or any part of this material may not be directly or indirectly reproduced, copied, modified, used to create a derivative work, performed, displayed, published, posted, licensed, framed, distributed or transmitted or any of its contents disclosed to third parties without the Firm’s express written consent. This material may not be linked to unless such hyperlink is for personal and non-commercial use. All information contained herein is proprietary and is protected under copyright and other applicable law.

Morgan Stanley Investment Management is the asset management division of Morgan Stanley.

DISTRIBUTION
This material is only intended for and will only be distributed to persons resident in jurisdictions where such distribution or availability would not be contrary to local laws or regulations.

MSIM, the asset management division of Morgan Stanley (NYSE: MS), and its affiliates have arrangements in place to market each other’s products and services. Each MSIM affiliate is regulated as appropriate in the jurisdiction it operates. MSIM’s affiliates are: Eaton Vance Management (International) Limited, Eaton Vance Advisers

International Ltd, Calvert Research and Management, Eaton Vance Management, Parametric Portfolio Associates LLC, and Atlanta Capital Management LLC.

This material has been issued by any one or more of the following entities:

EMEA
This material is for Professional Clients/Accredited Investors only.

In the EU, MSIM and Eaton Vance materials are issued by MSIM Fund Management (Ireland) Limited (“FMIL”). FMIL is regulated by the Central Bank of Ireland and is incorporated in Ireland as a private company limited by shares with company registration number 616661 and has its registered address at 24-26 City Quay, Dublin 2, DO2 NY19, Ireland.

Outside the EU, MSIM materials are issued by Morgan Stanley Investment Management Limited (MSIM Ltd) is authorised and regulated by the Financial Conduct Authority. Registered in England. Registered No. 1981121. Registered Office: 25 Cabot Square, Canary Wharf, London E14 4QA.

In Switzerland, MSIM materials are issued by Morgan Stanley & Co. International plc, London (Zurich Branch) Authorised and regulated by the Eidgenössische Finanzmarktaufsicht (“FINMA”). Registered Office: Beethovenstrasse 33, 8002 Zurich, Switzerland.

Outside the US and EU, Eaton Vance materials are issued by Eaton Vance Management (International) Limited (“EVMI”) 125 Old Broad Street, London, EC2N 1AR, UK, which is authorised and regulated in the United Kingdom by the Financial Conduct Authority.

Italy: MSIM FMIL (Milan Branch), (Sede Secondaria di Milano) Palazzo Serbelloni Corso Venezia, 16 20121 Milano, Italy. The Netherlands: MSIM FMIL (Amsterdam Branch), Rembrandt Tower, 11th Floor Amstelplein 1 1096HA, Netherlands. France: MSIM FMIL (Paris Branch), 61 rue de Monceau 75008 Paris, France. Spain: MSIM FMIL (Madrid Branch), Calle Serrano 55, 28006, Madrid, Spain. Germany: MSIM FMIL Frankfurt Branch, Große Gallusstraße 18, 60312 Frankfurt am Main, Germany (Gattung: Zweigniederlassung (FDI) gem. § 53b KWG). Denmark: MSIM FMIL (Copenhagen Branch), Gorrissen Federspiel, Axel Towers, Axeltorv2, 1609 Copenhagen V, Denmark.

MIDDLE EAST
Dubai: MSIM Ltd (Representative Office, Unit Precinct 3-7th Floor-Unit  701 and 702, Level 7, Gate Precinct Building 3, Dubai International Financial Centre, Dubai, 506501, United Arab Emirates. Telephone: +97 (0)14 709 7158). This document is distributed in the Dubai International Financial Centre by Morgan Stanley Investment Management Limited (Representative Office), an entity regulated by the Dubai Financial Services Authority (“DFSA”). It is intended for use by professional clients and market counterparties only. This document is not intended for distribution to retail clients, and retail clients should not act upon the information contained in this document. This document relates to a financial product which is not subject to any form of regulation or approval by the DFSA. The DFSA has no responsibility for reviewing or verifying any documents in connection with this financial product. Accordingly, the DFSA has not approved this document or any other associated documents nor taken any steps to verify the information set out in this document, and has no responsibility for it. The financial product to which this document relates may be illiquid and/ or subject to restrictions on its resale or transfer. Prospective purchasers should conduct their own due diligence on the financial product. If you do not understand the contents of this document, you should consult an authorised financial adviser.

U.S.
NOT FDIC INSURED. OFFER NO BANK GUARANTEE. MAY LOSE VALUE. NOT INSURED BY ANY FEDERAL GOVERNMENT AGENCY. NOT A DEPOSIT.

LATIN AMERICA (BRAZIL, CHILE COLOMBIA, MEXICO, PERU, AND URUGUAY)
This material is for use with an institutional investor or a qualified investor only. All information contained herein is confidential and is for the exclusive use and review of the intended addressee, and may not be passed on to any third party. This material is provided for informational purposes only and does not constitute a public offering, solicitation or recommendation to buy or sell for any product, service, security and/or strategy. A decision to invest should only be made after reading the strategy documentation and conducting in-depth and independent due diligence.

ASIA PACIFIC
Hong Kong: This material is disseminated by Morgan Stanley Asia Limited for use in Hong Kong and shall only be made available to “professional investors” as defined under the Securities and Futures Ordinance of Hong Kong (Cap 571). The contents of this material have not been reviewed nor approved by any regulatory authority including the Securities and Futures Commission in Hong Kong. Accordingly, save where an exemption is available under the relevant law, this material shall not be issued, circulated, distributed, directed at, or made available to, the public in Hong Kong. Singapore: This material is disseminated by Morgan Stanley Investment Management Company and should not be considered to be the subject of an invitation for subscription or purchase, whether directly or indirectly, to the public or any member of the public in Singapore other than (i) to an institutional investor under section 304 of the Securities and Futures Act, Chapter 289 of Singapore (“SFA”); (ii) to a “relevant person” (which includes an accredited investor) pursuant to section 305 of the SFA, and such distribution is in accordance with the conditions specified in section 305 of the SFA; or (iii) otherwise pursuant to, and in accordance with the conditions of, any other applicable provision of the SFA. This publication has not been reviewed by the Monetary Authority of Singapore. Australia: This material is provided by Morgan Stanley Investment Management (Australia) Pty Ltd ABN 22122040037, AFSL No. 314182 and its affiliates and does not constitute an offer of interests. Morgan Stanley Investment Management (Australia) Pty Limited arranges for MSIM affiliates to provide financial services to Australian wholesale clients. Interests will only be offered in circumstances under which no disclosure is required under the Corporations Act 2001 (Cth) (the “Corporations Act”). Any offer of interests will not purport to be an offer of interests in circumstances under which disclosure is required under the Corporations Act and will only be made to persons who qualify as a “wholesale client” (as defined in the Corporations Act). This material will not be lodged with the Australian Securities and Investments Commission.

JAPAN
For professional investors, this material is circulated or distributed for informational purposes only. For those who are not professional investors, this material is provided in relation to Morgan Stanley Investment Management (Japan) Co., Ltd. (“MSIMJ”)’s business with respect to discretionary investment management agreements (“IMA”) and investment advisory agreements (“IAA”). This is not for the purpose of a recommendation or solicitation of transactions or offers any particular financial instruments. Under an IMA, with respect to management of assets of a client, the client prescribes basic management policies in advance and commissions MSIMJ to make all investment decisions based on an analysis of the value, etc. of the securities, and MSIMJ accepts such commission. The client shall delegate to MSIMJ the authorities necessary for making investment. MSIMJ exercises the delegated authorities based on investment decisions of MSIMJ, and the client shall not make individual instructions. All investment profits and losses belong to the clients; principal is not guaranteed. Please consider the investment objectives and nature of risks before investing. As an investment advisory fee for an IAA or an IMA, the amount of assets subject to the contract multiplied by a certain rate (the upper limit is 2.20% per annum (including tax)) shall be incurred in proportion to the contract period. For some strategies, a contingency fee may be incurred in addition to the fee mentioned above. Indirect charges also may be incurred, such as brokerage commissions for incorporated securities. Since these charges and expenses are different depending on a contract and other factors, MSIMJ cannot present the rates, upper limits, etc. in advance. All clients should read the Documents Provided Prior to the Conclusion of a Contract carefully before executing an agreement. This material is disseminated in Japan by MSIMJ, Registered No. 410 (Director of Kanto Local Finance Bureau (Financial Instruments Firms)), Membership: the Japan Securities Dealers Association, TheInvestment Trusts Association, Japan, the Japan Investment Advisers Association and the Type II Financial Instruments Firms Association.

 

Morgan Stanley

Morgan Stanley Careers

    

This is a Marketing Communication.

It is important that users read the Terms of Use before proceeding as it explains certain legal and regulatory restrictions applicable to the dissemination of information pertaining to Morgan Stanley Investment Management's investment products.

The services described on this website may not be available in all jurisdictions or to all persons. For further details, please see our Terms of Use.

 

© 2026 Morgan Stanley. All rights reserved.

Subscriptions

Privacy & Cookies

Your Privacy Choices Your Privacy Choices Icon   

Terms of Use