March 21, 2022


With the world's top 10 insurers still relying on mainframes, legacy systems continue to be the heartbeat of insurance processing. Increasingly, insurers are looking to modernize existing infrastructure, move to cloud, or both, to support business transformation initiatives. But security often poses potential roadblocks on the way to technology modernization in insurance.

To be sure, the latest mainframes from IBM — the sole remaining mainframe provider — incorporate modern security features such as data encryption and user authentication. But many insurers continue to use older mainframe hardware and even older application code. Many of these legacy systems were designed for batch processing, not today’s 24×7 real-time demands for data from customers, brokers and employees.

Not surprisingly, nearly half of insurers (43 percent) plan to increase spending on legacy systems, and an overwhelming 80 percent are increasing their investment in information security and privacy, according to a 2021 survey by Computer Economics.

However, before making huge investments in modernization, insurance companies need to fully understand their security posture and invest in security skills, threat intelligence and a solid security architecture — one that addresses the realities of operating in a hybrid cloud environment, with unprecedented access for remote workers and partners.

Today’s cybercriminals are focused on monetizing data through ransomware attacks and the sale of confidential policyholder data. Attacks are growing in sophistication, with a focus on stealing user credentials and exploiting vulnerabilities.

However, the insurance industry’s legacy systems were designed with very different kinds of security risks in mind. One of the biggest changes relates to identity and access management. In traditional mainframe environments, users worked in the office, even in the data center itself, and gained access to systems using authorized terminals.

In contrast, today’s mainframe systems and data must be available to users anywhere in the world, connecting to the network using a wide variety of PCs, tablets and smartphones. The organization’s ability to ensure the identity of each and every remote user, and to limit their access to only those systems they’re authorized to use, is absolutely vital. It’s also complicated.

The upshot? Insurers now need to reassess and monitor this risk constantly and iteratively. The types of risks can change over time, meaning security isn’t a once-and-done process. Instead, security needs to be continual and on a 24×7 basis.

That means insurers need to understand the risks involved in the various types of services they offer. How many downstream systems can access billing information? How well are those systems patched and monitored? How will the organization respond to a ransomware attack?

As they answer these questions, insurers also need to adopt the tooling and expertise needed to deploy robust security.

At this point you might be wondering, “What else is new?” After all, insurers already know security protections for their legacy systems need to be continuously and iteratively strengthened. But — and this is a big but — many insurers aren’t actually doing enough. As organizations look to technology modernization in insurance, key areas of focus should include:

  • Security operations. Enterprise organizations need to be organized for 24×7 security operations, with continuous monitoring, vulnerability testing, threat intelligence and a strong focus on basic cybersecurity hygiene.
  • Security expertise. As IT environments become more complex with workloads straddling traditional and cloud infrastructure, security organizations need to build up security skills to address emerging threats. Embed security throughout operations, from software development (DevSecOps) to workplace services to analytics.
  • Cyber maturity assessment. Transformation programs should start with a candid assessment of risk and the organization’s cyber maturity. Moving forward swiftly requires well-documented security risk management and monitoring capabilities, end-to-end cybersecurity capabilities and full situational awareness.

DXC Technology, which has provided applications and infrastructure services to the global insurance industry for 40-plus years, advises customers to start with simplifying security environments and creating consistent practices across legacy and cloud-native systems as they pursue technology modernization in insurance.

If you’re serving today’s real-time insurance customers with yesterday’s legacy systems, don’t let your security protection fall behind.


Learn more about DXC Security and DXC Insurance.

About the author

Mark Hughes is president of security for DXC Technology. He’s responsible for DXC’s cyberdefense, digital identity, secured infrastructure and security risk management.

About the author

Callum Gibson is the BPaaS/BPO global offering lead at DXC. He focuses on helping organizations modernize and transform themselves to achieve business outcomes.