For insurers, MGAs and insurance agencies, legacy security systems rarely fail in obvious ways. They tend to stay in place because they still work, just about, and because replacing them feels harder than managing the risk they carry. The issue is less about age and more about the compromises required to keep those systems running.
In practice, legacy platforms end up driving security decisions long after they should have stopped doing so. I have been in situations where a security team asks for a sensible change, the change is made, and a critical integration immediately breaks. The response is not to modernize the integration but to undo the control, and over time security policy starts to bend around the system rather than reducing exposure.
Encryption is a common example. Teams know which standards they should be using, but older connections cannot support them. The change goes in, the system fails, and it has to be rolled back. From that point on, the oldest component in the environment dictates what is possible, and what began as a technical compromise ends up shaping how the organization operates.
Loss of visibility before loss of control
The risk increases once systems reach end of life. Patches stop, vulnerabilities remain open, and the bigger problem often becomes visibility rather than exposure itself. Many modern security tools simply do not run on older platforms, which means they cannot scan them, monitor them or reliably confirm whether they have already been compromised.
That creates blind spots. You do not know whether the system is vulnerable, and you do not know whether it has been breached. In many cases, the first sign of trouble is when something else connected to it starts behaving badly.
This lack of visibility makes incident response far harder. With newer platforms, there is usually enough logging to reconstruct what happened. With legacy systems, that trail is often incomplete or missing altogether, and after years of incremental changes, few people can clearly map how data flows through the environment or what depends on what.
When ransomware hits in that situation, recovery becomes slow and disruptive. In the worst cases, there is no practical way to clean up what is already there, so teams end up rebuilding from scratch because they cannot be confident about what is safe to restore. Backups offer limited reassurance, particularly when attackers may have been present for long periods without detection.
Why legacy systems magnify incidents
Most incidents still start in familiar ways, with people clicking on emails or entering credentials into fake sites. Legacy systems do not cause those mistakes, but they magnify the impact when they occur.
For agencies in particular, this often means an outdated application or server sitting behind core workflows, connected to multiple internal tools and third-party services. Once an attacker gains access, it is easier to move laterally and harder to spot what is happening, so what could have been contained escalates quickly.
There have been several recent examples of companies being unable to recover after ransomware attacks, not because they lacked backups, but because their systems were too old and too opaque to restore with confidence. Customers were affected immediately and the damage could not be undone.

Travelex provides a well-known example. After a ransomware attack in late 2019 forced its online services offline for several months, the business was pushed into manual operations while systems were rebuilt. The disruption contributed to significant financial strain during an already difficult period for the company.
In Germany, Einhaus Gruppe, a mobile phone insurance and logistics provider, entered insolvency following a ransomware attack that left it unable to restore systems reliably. Despite paying a ransom, prolonged outages and recovery costs ultimately proved unsustainable.
In many cases, those environments were held together with fixes and exceptions that made sense at the time but collectively increased fragility. There is no such thing as a temporary fix; whatever is put in place becomes the solution until it fails.
Insurance systems are particularly exposed because of how customized they tend to be. Years of integrations tie agencies and carriers to platforms that no longer make sense from a security perspective. The cost of change feels high, so the organization absorbs the risk instead. That hesitation is understandable, because replacing a core system is disruptive: processes change, people have to learn new ways of working, and integrations need to be rebuilt. What is often missing is a clear view of the exposure being carried.
A legacy system might only support a small part of the business directly but still be connected to systems supporting far more. A breach in one place can affect revenue and operations well beyond the original system, and at that point this stops being a technology decision and becomes a governance issue.
Moving away from legacy systems does not eliminate risk, but it does make it more manageable. Visibility improves, response is faster, and incidents are easier to contain. The real danger with legacy security systems is not that they eventually fail, but that they encourage organizations to accept levels of exposure they would not tolerate anywhere else in the business.
Tanner Randolph, Global CIO and CISO of Applied Systems, leads Applied's information security and data services organization. He has held various senior roles in the field of information security and technology, with experience ranging from working in the public sector to leading tech companies.