I’ve spoken before about the many drivers that are encouraging lenders to implement significant technology change. The need for robust agility and affordable scalable solutions has grown and grown over the last couple of years as SaaS solutions have shown that organisations of any size can now respond to market volatility and challenges in a timely manner.

But another dynamic is also becoming apparent. As the insurance industry continues to wrestle with underwriting significant cyber risks, it is becoming clear that our ever increasing interconnectivity is meaning that legacy systems may find themselves among the exclusions in cover.

Financial Services firms (and mortgage lenders are no exception here) often operate legacy systems that are less readily able to provide an acceptable level of protection against assaults, viruses, and other threats.

It’s far easier to monitor the security of newly deployed systems, but many larger, more established financial services companies have outdated legacy systems with just a few users on back books depending on them. These can end up being neglected and, in the worst circumstances, updates cease as their usability declines.  When these upgrades stop, older systems no longer get vital security updates for the most recent threats, leaving them incredibly exposed whenever they are made knowingly or unknowingly available to the general public.

The issue is that these systems are more expensive to maintain and yet they are often a critical part of daily business productivity. The demands being made of old systems in a digital age when customers expect a digital experience are increasingly at odds with the core reasons for which they were originally built.

Of course, there are times when public access is not the issue. Too frequently, legacy systems do not adapt and become incompatible with access security features like multi-factor authentication, single-sign on, and role-based access, or they do not have enough audit trails or encryption techniques. And occasionally, it’s not just that a legacy application lacks security protections, but also that accessing that legacy application depends on a number of other legacy processes, each of which introduces new security flaws.

Many security products weren’t made to work with old mainframe operating systems and environments. Additionally, legacy applications frequently do not have the real-time security monitoring required to identify and address security intrusions. For instance, legacy systems may monitor performance, but they lack the specifics and contextual data necessary to create the genuine visibility required.

Robust agility is of course important in meeting the challenges that markets throw at firms but it is also key in meeting the challenges of threats. As insurers come to terms with the threats they will and will not insure, legacy systems may prove in due course to be a step too far in getting the cover most businesses and their regulators would expect.

Jerry Mulle, UK Managing Director, Ohpen