TL;DR: Insurance transformation is being pushed by pandemic-era digitisation, cost pressure, and regulatory demands, while legacy systems, fragmented data, and ad hoc overlays keep increasing complexity and slowing change, according to Comarch. The real issue is not whether to transform, but whether insurers can replace brittle operating models with a flexible environment that supports future change.
NHIMG editorial — based on content published by Comarch: insurance transformation and legacy system replacement
By the numbers:
- highly digital insurance agencies develop on average 70% faster than other agencies.
Questions worth separating out
Q: How should insurers govern access when replacing legacy systems with digital platforms?
A: They should tie every system replacement to an access review of the old and new estates.
Q: Why do overlay fixes create more security risk in transformation programmes?
A: Overlay fixes preserve old control assumptions while adding new interfaces, which makes it harder to know where access begins and ends.
Q: How can teams tell whether transformation is actually improving governance?
A: They should look for fewer unmanaged integrations, clearer system ownership, shorter access approval chains, and the ability to remove obsolete privileges as systems are retired.
Practitioner guidance
- Map legacy overlays to identity ownership Inventory every overlay, plugin, and integration layer, then assign a business owner, technical owner, and access lifecycle path for each one.
- Treat API design as governance design Require each exposed API to have documented authentication, authorisation, and data-scope rules before it is put into production.
- Align cloud migration with privilege cleanup Do not move workloads into cloud platforms without removing obsolete accounts, shared admin paths, and environment-specific exceptions in the source estate.
What's in the full article
Comarch's full article covers the operational detail this post intentionally leaves for the source:
- Examples of how insurers sequence transformation from legacy process analysis to implementation planning
- The business cases behind modular insurance products and policy component activation
- Details on cloud adaptation choices across public platforms and ecosystem expansion
- A concrete transformation example showing policy amendment time reduced from nearly two weeks to 15 minutes
👉 Read Comarch's analysis of insurance transformation and legacy system replacement →
Legacy insurance systems: what transformation actually requires?
Explore further
Insurance transformation is an identity governance problem as much as an IT problem. The article describes digital change through customer service, APIs, cloud, and operational efficiency, but each of those shifts changes who or what is allowed to act inside the environment. Once that happens, access scope, approval flow, and accountability become programme-level risks rather than back-office details. Practitioners should treat transformation governance as identity governance with business consequences.
A few things that frame the scale:
- highly digital insurance agencies develop on average 70% faster than other agencies, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who should own identity and access controls in a business transformation programme?
A: Ownership should sit with the programme, not only with security. Business leaders define the operating model, application teams implement the integrations, and IAM or PAM teams define control standards and review them. Without shared ownership, identity decisions become fragmented and controls lag behind the transformation schedule.
👉 Read our full editorial: Insurance transformation is forcing legacy system replacement