March 21, 2022


With the top 10 insurers worldwide currently still relying on mainframes, legacy systems continue to be the heartbeat of insurance processing. Increasingly, insurers are looking to modernise existing infrastructure, move to cloud, or both, to support business transformation initiatives. But security often poses potential roadblocks on the way to technology modernisation in insurance.

To be sure, the latest mainframes from IBM — the sole remaining mainframe provider — incorporate modern security features such as data encryption and user authentication. But many insurers continue to use older mainframe hardware and even older application code. Many of these legacy systems were designed for batch processing, not today’s 24×7 real-time demands for data from customers, brokers and employees.

Not surprisingly, nearly half of insurers (43 percent) plan to increase spending on legacy systems, and an overwhelming 80 percent of insurers are investing more in information security — and privacy will increase, according to a 2021 survey by Computer Economics.

However, before making huge investments in modernisation, insurance companies need to fully understand their security posture and invest in security skills, threat intelligence and a solid security architecture — one that addresses the realities of operating in a hybrid cloud environment, with unprecedented access for remote workers and partners.

Today’s cybercriminals are focused on monetising data through ransomware attacks and the sale of confidential policyholder data. Attacks are growing in sophistication, with a focus on stealing user credentials and exploiting vulnerabilities.

However, the insurance industry’s legacy systems were designed with very different kinds of security risks in mind. One of the biggest changes relates to identity and access management. In traditional mainframe environments, users worked in the office, even in the data centre itself, and gained access to systems using authorised terminals.

In contrast, today’s mainframe systems and data must be available to users anywhere in the world, connecting to the network using a wide variety of PCs, tablets and smartphones. The organisation’s ability to ensure the identity of each and every remote user, and to limit their access to only those systems they’re authorised to use, is absolutely vital. It’s also complicated.

The upshot? Insurers now need to reassess and monitor this risk constantly and iteratively. The types of risks can change over time, meaning security isn’t a once-and-done process. Instead, security needs to be continual and on a 24×7 basis.

That means insurers need to understand the risks involved in the various types of services they offer. How many downstream systems can access billing information? How well are those systems patched and monitored? How will the organisation respond to a ransomware attack?

As organisations answer these questions, insurers also need to embrace the tooling and expertise needed to deploy robust security.

At this point you might be wondering, “What else is new?” After all, insurers already know security protections for their legacy systems need to be continuously and iteratively strengthened. But — and this is a big but — many insurers aren’t actually doing enough. As organisations look to technology modernisation in insurance, key areas of focus should include:

  • Security operations. Enterprise organisations need to be organised for 24×7 security operations, with continuous monitoring, vulnerability testing, threat intelligence and a strong focus on basic cybersecurity hygiene.
  • Security expertise. As IT environments become more complex with workloads straddling traditional and cloud infrastructure, security organisations need to build up security skills to address emerging threats. Embed security throughout operations, from software development (DevSecOps) to workplace services to analytics.
  • Assess cyber maturity. Transformation programs should start with a candid assessment of risk and the organisation’s cyber maturity. Moving forward swiftly requires well-documented security risk management and monitoring capabilities, end-to-end cybersecurity capabilities and full situational awareness.

DXC Technology, which has provided applications and infrastructure services to the global insurance industry for 40-plus years, advises customers to start with simplifying security environments and creating consistent practices across legacy and cloud-native systems as they pursue technology modernisation in insurance.

If you’re serving today’s real-time insurance customers with yesterday’s legacy systems, don’t let your security protection fall behind.

About the author

About the author

Mark Hughes is president of security for DXC Technology. He’s responsible for DXC’s cyberdefense, digital identity, secured infrastructure and security risk management.

About the author

Callum Gibson is the BPaaS/BPO global offering lead at DXC. He focuses on helping organizations modernize and transform themselves to achieve business outcomes.