Legacy systems emerge as insurers’ biggest resilience risk

FMA review finds ageing technology underpins the sector’s weakest resilience capabilities

Legacy systems emerge as insurers’ biggest resilience risk

Transformation

By Roxanne Libatique

The most consequential finding in the Financial Markets Authority’s (FMA) thematic review of insurer operational resilience is not a governance gap or a policy shortfall. It is the technology running underneath both.

Published July 8, 2026, the FMA – Te Mana Tātai Hokohoko review drew responses from 67% of insurers licensed under the Conduct of Financial Institutions (CoFI) regime, which came into force on March 31, 2025. The survey assessed maturity across governance, outsourcing, incident management, business continuity planning (BCP), technology and information security, and incident notification. Responses were self-reported and not independently verified.

Nearly three-quarters of respondents (74%) use legacy systems – defined as technology more than 10 years old – for core operations. Of those, 43% said more than 30% of their business functions depend on that infrastructure. More than 70% rated replacing their critical technology systems as difficult, citing investment costs, limited vendor availability, and incompatibility between modern platforms and legacy insurance policies. Technology and information security recorded the lowest maturity scores of any area assessed: 2.8 to 4.5 out of 5.

The board training deficit meets the AI risk

The survey found that 77% of insurer boards receive no regular operational resilience training, with development occurring on an ad hoc basis. Fewer than half of respondents had a long-term operational resilience strategy, while 13% indicated no strategy exists at all.

The FMA states in the report that advancements in frontier AI are likely to amplify existing technology risks – increasing both the speed at which vulnerabilities can be exploited and the scale of potential disruption. That warning has a documented cross-Tasman counterpart. On April 30, 2026, the Australian Prudential Regulation Authority (APRA) published a letter to industry warning that current governance, risk management, assurance, and operational resilience practices are not sufficiently keeping pace with the scale, speed, and complexity of AI adoption. The letter, which followed targeted engagement with large banks, insurers, and superannuation trustees, set explicit expectations for boards to maintain AI literacy and oversee AI strategy aligned to risk appetite – including for third-party dependencies.

That regulatory pressure is not abstract for New Zealand. The Reserve Bank of New Zealand (RBNZ) reports that foreign-owned insurers account for approximately 85% of private insurance sector assets in New Zealand. The majority of those foreign parents are Australian groups subject to APRA’s requirements, including its April 2026 AI expectations. A board in Auckland overseeing legacy policy administration systems through offshore providers is sitting at the intersection of two regulators now explicitly focused on the same problem.

The FMA has itself been building its AI oversight position. Its 2024 research into AI use across New Zealand financial services – which included insurers – found that all respondents had either integrated AI or planned to do so, while taking a cautious approach focused on risk identification before deployment. The FMA has since signalled it will build on that work through dedicated roundtables and direct firm engagement, examining how AI tools are being used and how risks are being managed. “For many insurers, progress in operational resilience has been stronger at a policy level than in operational execution. There remains a need to further embed resilience practices in a consistent manner, supported by effective governance and clear accountability,” said Michael Hewes, FMA director of deposit taking, insurance and advice.

Offshore dependency, limited contractual protection

More than 90% of respondents outsource key functions to external providers, with 75% rating their reliance at 4 or 5 out of 5. Seventy-one percent rely on overseas-based providers for key functions – a material concentration given that service disruptions offshore may sit beyond an insurer's direct ability to remediate quickly.

Despite that dependency, many formal outsourcing agreements lacked provisions for performance monitoring, remedial actions for non-performance, or termination procedures. Thirteen percent of respondents review outsourcing arrangements only at contract renewal, not meeting the risk-appropriate review frequency required under FI standard conditions 4 – Outsourcing. Due diligence procedures were described as basic by 17% of participants. EY’s 2026 operational resilience analysis found that across financial services globally, cyber threats increasingly exploit shared infrastructure – allowing a single event to cascade across multiple institutions – while legacy technology further amplifies that fragility.

Outsourcing maturity scores ranged from 3.1 to 5.0 out of 5. Governance scores ranged from 3.2 to 4.9 out of 5.

BCP gaps and what the data shows

All respondents reported having documented BCPs, and 97% conducted scenario walkthrough testing. However, only 42% extend BCP training to board members against 90% who provide it to senior management. Thirteen percent indicated no remediation actions were taken following communication of test results to boards or senior management. Nine percent did not include outsourcing arrangements in their BCPs, as required under FI standard conditions 5 – Business continuity and technology systems. Incident management and BCP scores ranged from 3.0 to 4.8 out of 5. Incident notification was the strongest-performing area at 4.2 to 5.0 out of 5.

What comes next

The insurance survey is one of five sector reviews the FMA is conducting in 2025-26. Financial advice providers and managed investment schemes follow in 2026-27. The first CoFI regulatory returns – covering July 1, 2025, to June 30, 2026 – are due September 30, 2026, after which the FMA has indicated it will release thematic findings and progressively expand supervisory activity to include desk-based, thematic, and on-site monitoring. The FMA’s Financial Conduct Report 2026, released this month, confirms resilient markets and providers remain a priority for the year ahead. For professionals at firms still running core operations on decade-old infrastructure, the signals from Wellington and Sydney are now pointing in the same direction.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!