The insurance industry has long been defined by its stability, its risk-aversion and — perhaps most significantly — its early adoption of computing power in the 1960s and 70s. But this early lead has led to many of the world’s largest insurers finding themselves trapped in a legacy “black hole.” What began as a foundation of strength has evolved into technical debt, talent scarcity and operational inertia that threatens the competitive edge of even the most established organizations.
Here, Nilesh Agrawal, insurance business lead at Thoughtworks, explores how the insurance industry should focus on visibility and reconstruction to escape this black hole and drive successful modernization.
How we got here
In the 1960s, the IBM System/360 revolutionized how businesses processed data. Insurers jumped at the chance to move from paper ledgers to digital contract cycle management. Over the next three decades, systems from IBM, Fujitsu, Hitachi and Unisys became the "walled forts" of the industry.
The problem wasn't the initial build; it was the decades of incrementalism that followed. As the PC revolution took hold and business requirements evolved, the industry didn't rebuild — it patched.
- The band-aid effect: Stitching software on top of legacy cores means that today, many systems have so many layers of "bandages" that the original documentation is lost.
- The "it just works" paradox: Many organizations have reached a point where everyone knows the system works, but nobody can explain why it works. This uncertainty feeds a common fear that changing one line of code might collapse the entire system.
- The retirement cliff: The experts familiar with the original COBOL and PL/I code are approaching retirement. This transition increases the risk of knowledge hoarding, while the rising cost of retaining these specialists is significantly inflating budgets.
The stability trap: Why just working isn't enough
So are legacy systems seen as a stable foundation or a competitive disadvantage? In most cases, they are stable — but only for a specific point in time.
Think of a legacy system as a bridge that took three years to build. By the time the bridge is finished, the traffic it was designed to carry has already doubled. For organizations that rely on commercial-off-the-shelf (COTS) applications to replace legacy systems, this bridge analogy is even starker. A large-scale change program in insurance, such as replacing a policy core, can take three to five years. By the time of delivery, technology has moved through several cycles and consumer expectations have shifted entirely.
While these systems are reliable for batch processing and high-volume transactions, they lack the visibility and agility required for the modern market. Most insurers sit on the "right side of the chasm," waiting for technologies to become hyper-stable before adopting them. But while they wait, competitors who have bridged the gap are changing the rules of the game with real-time APIs and omni-channel experiences.
The true cost of failure
Failing to modernize isn't just a technical oversight; it’s a massive financial and social drain. The costs manifest in three distinct areas:
The consumer cost
Modernization failures deprive customers of new, flexible products. If it takes 18 months to change a rating algorithm in a legacy COBOL system, the consumer is stuck paying premiums that don't reflect current risks or their specific needs.
The operational cost
Carriers are trapped in vendor lock-in. Whether it’s MIPS (millions of instructions per second) capacity on a mainframe or a proprietary SaaS roadmap, the insurer is no longer the captain of its own ship. If a vendor decides to sunset a specific platform, as we’ve seen with recent roadmaps from providers like Fujitsu, the insurer faces a frantic, high-risk migration.
The risk of the walled fort
While mainframes are historically secure, they are no longer isolated islands. To make them work in a digital world, we’ve built countless integration layers — effectively adding "doors" to the fort. Each door is a potential cyber-risk or a point of failure for regulatory compliance.
"Compliance is the one area where the board doesn't hold the purse strings. They loosen it fast because no one wants a rap on the knuckles from the regulator. This is often the catalyst for modernization."
AI as the escape pod
If legacy tech is the black hole, generative AI is the engine that can help insurers escape its pull. We see AI bringing tangible value in three core areas:
Changing software economics: The traditional "code-to-spec" and "spec-to-code" cycle is being disrupted. What used to take a decade of manual refactoring can now be accelerated through AI-driven code analysis, which gives visibility into the opaque black box and gives CIOs the confidence to commit to two-year journeys instead of 10-year gambles.
The data quality engine: Insurance is data-centric, but much of that data is "junk" trapped in legacy silos. AI can scan oceans of data, identify quality issues (e.g., social security numbers in the wrong fields) and unify records to create a "single source of truth."
Micro-moments of growth: Once data is trusted and unified, AI feeds intelligence into the front office. At the exact moment an agent is talking to a customer, the system can flag a "bad risk" or identify a high-value opportunity based on historical patterns that were previously buried in a batch-processed mainframe.
Ensuring today’s modernization isn’t tomorrow’s black hole
Modernization shouldn’t be a destination, but a constant state of evolution. For insurers, the goal isn't to reach a "finished" system, but to build high-quality systems that update in real time. Without this approach, companies often fall into a new legacy trap by overlooking two critical pillars:
Evolving compliance: Modern compliance requires adaptable systems that accommodate new regulations without total overhauls. The Digital Operational Resilience Act (DORA) exemplifies this shift, moving beyond financial soundness to proactive EU-wide ICT risk management. It mandates strict incident reporting, third-party oversight and rigorous testing, requiring firms to integrate flexible security protocols and robust governance.
Built-in cyber-hygiene: As new threats emerge, security can no longer be a final "layer" added before launch. It must be woven into the code from the start as a fundamental component of the software’s ongoing life cycle.
Bridging the gap with AI/works™
Thoughtworks’ AI/works™ agentic development platform directly addresses these challenges. By providing continuous, automated updates, it ensures systems evolve alongside shifting regulations and emerging security threats, preventing today’s "modern" solution from becoming tomorrow’s legacy burden.
Start plotting your roadmap today
Upgrading legacy systems without access to the source code can be a nightmare. Explore the Thoughtworks approach that uses AI/works™ to create functional blueprints from observable evidence, turning modernization from a risk into a confident, evidence-driven strategy.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.