By Jayant Manglik, Partner, Fortuna Asset Managers LLP
For decades, investors evaluated risk through familiar lenses like market cycles, competitive intensity, leverage, governance, and regulatory change. From the vantage point of someone who has spent years leading large teams which were onboarding clients, managing expectations through market cycles, and overseeing portfolios across their full investment journey, cybersecurity, until recently, sat outside this framework, treated as a technical or operational issue delegated to IT teams and rarely debated in investment committees. That separation is no longer tenable. Today, cybersecurity has emerged as a core investment risk, one that can permanently impair enterprise value, disrupt cash flows, and erode investor trust within hours.
The shift is driven by three structural realities
First, cyber risk has become systemic rather than episodic. Enterprises are now deeply digital: customer acquisition, payments, supply chains, data storage, and even core IP sit on interconnected platforms. A single vulnerability can cascade across vendors, partners, and customers. High-profile breaches over the last few years have shown that cyber incidents are no longer isolated events with limited financial impact; they increasingly trigger prolonged operational shutdowns, regulatory scrutiny, class-action litigation, and reputational damage that outlasts the immediate crisis. Clearly, we are not talking only of retail apps or banks, this is true across industries. And it goes beyond just worrying about the safety of your own data with vendors.
For investors, this means cybersecurity risk is no longer diversifiable in the traditional sense. Just as liquidity or governance failures can contaminate portfolios during stress periods, cyber failures can propagate across sectors, particularly in financial services, healthcare, technology, and consumer platforms.
Second, the financial consequences of cyber incidents are now material and measurable. The immediate costs, including system recovery, ransom payments, forensic audits, are only the visible tip of the iceberg. Longer-term impacts include customer attrition, higher insurance premiums, regulatory penalties, delayed product launches, and management distraction. In many cases, cyber incidents force companies to revise growth assumptions, reallocate capital expenditure, or defer strategic initiatives.
From a valuation perspective, cybersecurity failures can compress multiples as investors reassess the durability of earnings and the credibility of management. Importantly, markets are beginning to distinguish between companies that experience a breach and those that demonstrate weak preparedness, poor disclosure, or inadequate governance around cyber risk.
Third, cyber governance has become a boardroom and fiduciary issue. Regulators globally are tightening disclosure norms around data protection and cyber resilience. Boards are increasingly expected to demonstrate oversight through cyber risk frameworks, incident response plans, and periodic stress testing. For investors, this elevates cybersecurity from an operational checklist to a governance signal.
Serious investors are therefore asking different questions today. Does the company treat cybersecurity as a strategic investment or a cost centre? Is cyber risk embedded into enterprise risk management and capital allocation decisions? Are there clear accountability structures at the board and senior management level? How quickly and transparently has the company responded to past incidents?
What does this mean for portfolio construction, high-trust structures like PMS, and due diligence? Cybersecurity analysis must now sit alongside financial, legal, and ESG due diligence. This does not require investors to become technologists, but it does require a structured assessment of cyber maturity. Here we’re talking about policies, leadership ownership, third-party risk management, employee awareness, and incident response readiness. In discretionary structures such as PMS, where trust, transparency, and data integrity are foundational to client relationships, these considerations become even more critical.
Over time, we believe cyber resilience will increasingly influence cost of capital. Companies that demonstrate strong cyber hygiene, transparent disclosure, and rapid recovery capabilities are likely to command greater investor confidence, particularly in sectors where data is the primary asset.
In an environment where intangible assets drive a growing share of market value, cybersecurity is no longer just about preventing loss; it is about protecting future cash flows. This is particularly relevant in India, where rapid digitisation, UPI-led payments, platform-based businesses, and data-intensive financial services have become central to economic growth. As Indian companies scale faster than their control frameworks mature, cyber resilience will increasingly differentiate sustainable compounders from fragile growth stories.
For serious investors, cyber risk must therefore be priced, questioned, and monitored with the same discipline as leverage or governance. Companies that embed cybersecurity into strategy and capital allocation will earn trust, command premium valuations, and lower their long-term cost of capital. Those that treat it as an afterthought risk permanent value impairment. This shift is already reflected in the evolving expectations of Indian regulators, where resilience, disclosure, and board-level accountability around technology risk are no longer optional. In a market where trust is currency, cyber resilience can become an investor’s edge.