When the Backbone Breaks: Real-World Risks of Mainframe Bugs on the Insurance Industry

By: Jennifer Nelson | August 17, 2025

Jennifer Nelson has spent the bulk of her career in mainframe space, including 15 years at Rocket Software and five years at BMC. In 2019 she left Rocket to work in senior engineering roles at global technology companies outside of the Z world. In early 2024 Jen began working on what would become Izzi Software, which is currently acquiring software companies on the Z Systems and IBM Power platforms.

Topics: Cyber

Mainframes have powered the critical infrastructure behind insurance companies for decades. And they’re still the backbone of modern insurance operations today, reliably handling millions of transactions per second–including policy claims, premium transactions, customer records, and more–to keep the global insurance ecosystem running smoothly.

While the hardware remains rock-solid, there are real vulnerabilities creeping in from other angles. And when one of these mainframes does go down, the impact on both insurers and their policy holders can be immediate and severe.

Mainframes don’t go down often–these systems are purpose-built for dependability and are generally immune to the instability of modern software environments. This means that they don’t need constant rebooting, and they rarely crash. But what they can’t do is protect themselves from flawed code, sloppy integrations, or simple human mistakes.

Fortunately, there’s a way to mitigate these threats, and it all comes down to properly training the people overseeing these sturdy super machines. Because most of the time, problems with mainframes don’t come from the systems themselves–they come from errors made by the people managing them.

Fundamental Security Principles

Let’s start with mainframe software used in insurance systems. A critical vulnerability in modern mainframe systems isn’t the hardware, but the level of discipline software engineers have for adhering to best practices. For example, insurance IT developers often need to elevate program permissions at run-time, but leaving those elevated permissions running for longer than is necessary is risky.

Known as “auth code zero,” this elevated access leaves the door open for malicious code to sneak in and take advantage of higher-level privileges.

That’s not a theoretical risk: it’s one of the most common ways that malicious software attacks succeed. One of the first things required in any mainframe environment is for developers to revise any code that operates in an authorized state so that it rigorously documents all actions performed–what was happening, for how long, and why–then drops back down to normal privilege levels as soon as possible.

Basically, whenever that door of auth code zero is open, the virtual security cameras are on to record everything that happens before the door automatically shuts and locks itself again. This kind of proactive practice prevents bugs from becoming breaches.

Integration: Where Clean Systems Get Messy

Mainframes in insurance companies don’t operate in a vacuum; instead, they are core components of
complex hybrid environments where third-party applications and microservices constantly share data
across the network’s servers. And this is where security can often get murky.

Imagine a scenario where a cloud-based CRM app queries a mainframe database. The system recognizes
the request and returns data based on permissions. But who’s actually seeing that data? The application? The developer who built it? An intern on a VPN? Or someone who just happens to be looking over the shoulder of an authorized user working remotely from a public space?

This ambiguity is where risk thrives.

Insurance security experts recommend treating these integrations with the same rigor used for direct mainframe access. That means enforcing multi-factor or two-factor authentication, even if it feels redundant. It also means closely monitoring what happens after the data leaves the mainframe. Is it stored securely? Is it handled in compliance with regulatory standards such as HIPAA or GDPR? Is it deleted properly?

Essentially, ensuring the security of your mainframe systems means ensuring the security of your mainframe data, no matter where it is or where it gets consumed.

Human Error: The Most Persistent Threat

To understand how quickly things can unravel, consider the CrowdStrike incident. A flawed software update took down servers across the world. It didn’t start as a massive, malicious breach. Just a small bug that made it into production. But the ripple effect was enormous–critical systems failed and many businesses halted operations. All because some developers were lax about the final round of testing.

Was this a technology problem? Not really. It was more of a process problem. Someone failed to follow the proper procedures, and there were consequences. The uncomfortable truth is that most vulnerabilities don’t come from external hackers or rogue malware. They come from within. From employees who click on phishing links.

From teams that forget to revoke access after someone changes jobs. From departments that hang onto sensitive reports without securing or deleting them properly. It’s rarely about bad intent–it’s about bad processes, outdated habits, and a lack of proper oversight.

One of the biggest offenders? Failure to clean up user credentials in RACF (Resource Access Control Facility) groups when someone leaves or changes departments. When that user’s elevated access lingers behind, it creates a ticking time bomb for compliance violations or internal breaches.

What Actually Works?

Solving insurance mainframe vulnerabilities, by and large, isn’t about solving technical issues. It’s about training staff and instilling discipline around security protocols. As we like to say: trust technology, train people.

Here are some practices that really make a difference when it comes to protecting your systems:

Employee Training: Top of the list is ensuring your team knows not just how to protect data on the mainframe, but what to do with data after they access it. That means secure storage, proper deletion, and zero sharing outside approved channels. Plan regular refresher sessions to stay on top of trends and prevent complacency.
Access Hygiene: Follow IBM-recommended practices for managing user permissions. Audit access regularly and revoke access aggressively.
Cross-Team Awareness: Your mainframe team can’t live in a silo. Everyone in IT, from Unix admins to Windows server pros, needs to understand and respect mainframe protocols. This is all a matter of training.
Network Segmentation: Isolate critical systems so that if one part gets compromised, the others stay safe.
Rigorous Patching: Patches must be tested thoroughly before rollout, especially in hybrid environments where one bug can break integrations across platforms. Remember, CloudStrike was the direct result of someone not doing this properly.

These aren’t revolutionary ideas. They may even seem like basic protocols, but too many organizations are failing at the basics. And in a mainframe world, basic failures can bring down everything.

It’s important to remember that a single lapse in security can introduce vulnerability to your system, as there are plenty of bad actors out there looking for just such a way inside the gates.

You need to practice constant vigilance, and make sure your employees do as well. Because at the end of the day, the backbone of any insurance company is only as strong as the team maintaining it. &

Wide-Ranging Risks

The miscellaneous professional liability market is comprised of hundreds of different professions. Westfield Specialty makes a point of being an insurance solution for the professions with unique and specialized risk.

Miscellaneous professional liability insurance covers hundreds of professional classes facing evolving risks from artificial intelligence, remote work arrangements, and changing trade conditions, according to industry experts. While this coverage area remains somewhat insulated from nuclear verdicts compared to other liability lines, carriers are experiencing increased claim frequency driven by heightened societal expectations.

The miscellaneous professional liability market encompasses an expansive range of professional classes, each presenting unique risk profiles. “There are literally hundreds of different classes that fall under that realm,” explains Dan Mogelnicki, Senior Vice President and Professional Liability Product Leader at Westfield Specialty. “Each one of them has a potential for loss, but some are greater than others.”

Certain professional classes demonstrate higher vulnerability to legal actions. Real estate agents and brokers consistently show elevated claim frequency, primarily due to failure-to-disclose allegations if professionals don’t reveal all potential property conditions to buyers or renters. Consultants represent another significant exposure category, with claims typically stemming from failure to advise clients properly regarding compliance requirements, business operations, or financial matters.

Recent global trade developments have spotlighted customs house freight forwarders as an emerging concern.

“This has been on our mind recently because of changes in worldwide trade patterns and tariff policies,” Mogelnicki notes. “Part of the emerging exposure relates to whether the customs house can properly calculate higher import duties.” This represents an exposure that existed previously but now carries potential for increased claim frequency.

Even traditionally lower-risk professionals can face substantial exposures. Interior decorators and space planners, considered relatively low-hazard classes, can encounter significant claims involving incorrect measurements or unforeseen utility conditions requiring costly corrections.

New Ways of Working

Dan Mogelnicki, Senior Vice President and Professional Liability Product Leader, Westfield Specialty

The shift toward remote and hybrid work arrangements is creating new professional liability exposures, particularly affecting younger workers who are missing out on crucial face-to-face training opportunities.

“Professional liability exposures come from two bases: knowledge based, and execution based,” Mogelnicki explains. The reduced collaboration inherent in remote work mirrors challenges experienced in education when the Covid pandemic pushed students into taking their classes remotely.

“The learning was not the same,” Mogelnicki said.

“There was an inability to interact, a lack of training, and a diminished ability to communicate and collaborate,” he said.

Artificial intelligence usage presents another emerging exposure area. While carriers have experienced only a handful of AI-related miscellaneous professional liability claims to date, industry experts anticipate that the number of claims in this area is going to grow.

“We know that these will increase tremendously over the next months and years,” Mogelnicki states, though no significant settlements have emerged yet from this developing risk area.

Unlike some other liability coverage areas, such as casualty, miscellaneous professional liability is relatively insulated from nuclear verdicts. Mogelnicki explains that most nuclear verdicts involve bodily injury components found in products liability, auto liability, medical malpractice, and architects and engineers professional coverage, while miscellaneous professional liability claims typically address pecuniary or economic losses.

However, exceptions exist where policies include contingent bodily injury or property damage coverage. Real estate property managers represent the primary example, where failure to perform duties can result in bodily injury claims that potentially invite larger verdicts.

Like any line of insurance, MPL faces increasing loss frequency due to evolving societal expectations that are leading to more frequent and potentially expensive legal actions.

“There’s an assumption that no one ever makes a mistake, and if something bad happens, people feel entitled to a huge amount of compensation,” Mogelnicki explains. This trend reflects broader cultural shifts that are affecting professional services exposures.

The remote work dynamic compounds these challenges by reducing organic learning opportunities.

Mogelnicki illustrates this with a personal example of an early-career underwriter who spontaneously asked a crucial question during a casual office encounter. “If we were not in the same place, he may never have asked me that question,” he notes.

Virtual meetings, on the other hand, often have a chilling effect on questions due to technical limitations and social dynamics, leading professionals to make potentially problematic assumptions.

Communication and Quick Turnaround

In response to these evolving challenges, leading carriers are emphasizing personalized service and rapid response times.

Westfield Specialty differentiates itself through direct broker communication and problem-solving approaches rather than standardized procedures. ” We have conversations with our brokers to gain an understanding of the risks they are trying to find solutions for,” Mogelnicki emphasizes. “We don’t have a cookie cutter approach.”

The company’s service model prioritizes quick turnaround times, with the majority of submissions receiving quotes within 24 hours. “We’ve built a timely review process that enables a very quick turn around on a large majority of the risks that are submitted,” Mogelnicki said.

“Challenging or complex exposures are going to take a little bit more time, but we’re happy to work with brokers to place such risks,” he said.

This approach extends beyond speed to encompass creative coverage solutions addressing unique broker and client needs. “We strive to be the solution for the challenging situations that our broker customers face,” Mogelnicki states. The strategy focuses on providing comprehensive coverage at fair prices while maintaining flexibility for non-standard risks.

A combination of responsive service, creative problem-solving, and competitive pricing puts Westfield Specialty in a good position to address the evolving miscellaneous professional liability landscape effectively. As new exposures from the use of AI and remote work arrangements continue to develop, carriers emphasizing adaptability and broker relationships appear best positioned to navigate these emerging challenges.

To learn more, please visit https://www.westfieldspecialty.com/.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Westfield Specialty. The editorial staff of Risk & Insurance had no role in its preparation.

Westfield Specialty is a prominent specialty insurance carrier, leveraging the financial strength of Westfield, a leading U.S.-based property and casualty insurance company and the well-established Lloyd’s of London Syndicate 1200. Westfield Specialty currently underwrites in the U.S., U.K., and Dubai, and has 400 employees globally. Our experienced team brings deep expertise to the specialty market and offers unique insurance solutions for specialized risks that helps protect businesses, recover losses, and assist in driving growth for clients.