In today’s market, operational resilience is a significant responsibility. For asset managers and their service providers, one of the most critical operational outputs is NAV production. When that production is disrupted, the consequences ripple far beyond a single calculation.
Trading can grind to a halt, investors are left without transparency, regulators take notice, and reputational trust can be shaken in an instant.
These risks are not theoretical. They are real and they demand that firms treat NAV resiliency as a board-level priority. This means assigning executive ownership, regularly testing contingency plans, and understanding that if the primary NAV system were unavailable, how would teams continue to compute and deliver NAVs?
For many firms, the solution to fixing an unavailable NAV system is complicated by the burden of legacy systems and technical debt. Aging infrastructure may still support critical functions, but it is notoriously vulnerable. Outdated code and slow patch cycles create a perfect storm for cyber attackers. Once compromised, these systems can leave organizations unable to restore normal operations quickly enough to meet regulatory obligations or investor expectations.
Legacy technology is also costly to maintain, difficult to scale, and resistant to innovation. The longer firms rely on these systems, the more operational resilience becomes compromised, and the greater the risk that a cyber incident or system failure will create a prolonged disruption.
Many firms who recognize these disadvantages may look to take a “lift and shift” approach but heed the warning that this could be a risky endeavor.
Unlike cloud-native systems, legacy platforms, even when shifted to the cloud, lack what is required to react quickly to emerging vulnerabilities. They miss out on the key advantages of modern architectures such as continuous updates, built-in disaster recovery, and scalable resilience.
Moreover, this chancy approach can create a false sense of modernization while retaining legacy vulnerabilities.
Without a true cloud-native foundation, firms fail to benefit from the dual-layered defense model that modern cloud infrastructure provides. Older applications can sit unpatched for months, but the best cloud-native solutions are built with security practices baked in from the start. Features like containerization, microservices, and automated patching reduce the potential “attack surface.”
They also benefit from running on hyperscale cloud platforms, which invest billions of dollars annually in DDoS protection, encryption, and continuous monitoring. This level of defense is nearly impossible to replicate in legacy on-premises environments.
Equally important, cloud-native platforms embrace modern identity and access frameworks. Capabilities like single sign-on, multi-factor authentication, and role-based access are built into the architecture as defaults and are very friendly for hybrid and remote work. This stands in stark contrast to legacy systems that rely on outdated perimeter defenses that break down in modern working environments.
Ultimately, switching to cloud-native platforms gives teams a newfound level of preparedness and confidence.
Operational resilience isn’t only about technology, it’s also a governance issue. Boards must recognize that cyberattacks demand a different level of scrutiny than standard system outages.
Even well-prepared fund boards often rely on solutions that are designed for hardware or software failures, not for a calculated cyberattack aimed at rendering systems inoperable. With antiquated technology infrastructure, fund administrators and accounting teams become attractive targets for sophisticated attackers.
So, what questions should boards ask?
They should understand the limits of BCP and challenge management to distinguish between plans designed for hardware failure and those equipped to confront cyber threats. They should also demand contingent NAV solutions rather than relying solely on traditional continuity methods. Boards should push providers to implement a separate, automated contingent NAV system that can operate with minimal human intervention during crises.
Part of a board’s responsibility is clarity. Just as importantly, they should push teams and service providers to go beyond paper assurances and implement a true contingent NAV capability. They must be prepared to hold teams accountable.
Cyber threats aren’t going away and legacy systems won’t suddenly become less fragile. NAV failures will only attract more scrutiny in an environment that demands transparency and accountability.
Resilience requires intentional changes. For the investment industry, that means moving beyond technical debt, embracing cloud-native platforms, and demanding stronger oversight of NAV continuity. When disruption comes, because it will, firms will be judged on how prepared they were to keep systems moving.
About the Author
