Legacy software for financial services: Unpacking the risks


Legacy software is a hidden threat to financial services organisations, quietly posing a risk to security, regulatory compliance, and growth. Yet it’s almost universal. A survey by the Financial Conduct Authority (FCA) revealed that over 90% of surveyed firms rely on legacy technology to deliver services.

IT and software have enabled rapid innovation in financial services firms, but what was once best-in-class soon becomes outdated. That’s why even relatively new organisations must consider the risks that legacy software brings and develop strategies to manage it.

What does this mean in practice? We’ll take a look, using a real-world example from a multi-location financial services organisation where legacy software not only jeopardised data security but put business continuity at risk.

 

Table of contents
  1. The hidden costs of legacy software: A real-world example
  2. 4 risks of using legacy systems for financial services
  3. A step-by-step plan to mitigate risk
  4. A smooth transition to new software

 

The hidden costs of legacy software: A real-world example

Legacy software may need awkward manual workarounds, but if it’s still getting the job done, it’s tempting to take an ‘if it ain't broke, don’t fix it’ approach. When budgets are tight and finding replacements takes time and resources, delaying seems an easy way to cut costs.

No business wants to undermine customer experience, even temporarily. Organisations worry that replacing software that’s tightly woven into daily workflows will disrupt core operations. For financial services businesses, there’s the added concern that financial data may be corrupted or exposed during migration.

However, the fallout from a data breach in these systems is especially dangerous. Software that’s integral to day-to-day processes holds both sensitive and business-critical information. Persisting with outdated software can pose a severe risk to the entire organisation.

We uncovered this exact issue during a Discovery Phase with a client.

 

A high-level risk at the heart of operations

A multi-site financial services firm was concerned about the older software systems it relied on for day-to-day tasks. It asked us, as its IT support provider for financial services, to help identify any risks this presented to the business.

We began with a Discovery Phase, mapping all the company's software and any potential risks it presented. Our team could then develop a strategy to mitigate threats, prioritising software upgrades in areas with the highest risks.

We soon identified a critical weakness at the heart of the organisation’s operations. The finance and project management software was outdated and had been unsupported by its vendor for years.

 

Why was this software a danger to the organisation and its customers?

Job costing software holds customer, payroll, and financial information, so any vulnerability in it is a dangerous weak point.

The threats to the firm came from three main areas:

  1. Unsupported software: The vendor had stopped supporting the software in 2021, and no security patches had been issued since then. Any flaw discovered after that date will never be fixed, leaving it open to cyber criminals indefinitely.
  2. A single point of failure: The software had been installed on one senior employee’s laptop only, with no server or cloud copy. If the device failed or was lost, there was no alternative way of accessing the information.
  3. No backups, undermining disaster recovery planning: With no copies of this vital data, the company faced a severe resilience gap. If the laptop failed, was stolen, or was encrypted during a ransomware attack, the data would be permanently lost.
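The same three checks, generalised into a small triage script that ranks a whole software inventory so the riskiest asset is upgraded first. This is an added example with constructed data, not the Discovery Phase tooling used on the engagement; the asset names, the scoring weights and the seven-day backup threshold are assumptions.

```python
"""Rank a software inventory on the three weaknesses found above:
vendor support ended, a single copy of the data, and no verified backup.
All inventory data below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class SoftwareAsset:
    name: str
    vendor_support_end: date | None    # None: vendor still issues security patches
    install_locations: int             # independent hosts/instances holding the data
    last_verified_backup: date | None  # None: a restore has never been tested
    holds_sensitive_data: bool         # customer, payroll or financial records


def assess(asset: SoftwareAsset, today: date,
           max_backup_age_days: int = 7) -> tuple[str, list[str]]:
    """Return (severity, findings) for one asset.

    Each weakness is one finding; holding sensitive data doubles the weight,
    because a breach there also carries GDPR and FCA consequences.
    The weights and thresholds are assumptions, not a published standard.
    """
    findings: list[str] = []
    if asset.vendor_support_end is not None and asset.vendor_support_end < today:
        findings.append(f"unsupported since {asset.vendor_support_end.isoformat()}: "
                        "no further security patches")
    if asset.install_locations <= 1:
        findings.append("single point of failure: data exists on one device only")
    if asset.last_verified_backup is None:
        findings.append("no verified backup: loss or ransomware means permanent data loss")
    else:
        age_days = (today - asset.last_verified_backup).days
        if age_days > max_backup_age_days:
            findings.append(f"stale backup: last verified restore {age_days} days ago")

    score = len(findings) * (2 if asset.holds_sensitive_data else 1)
    if score >= 4:
        severity = "critical"
    elif score >= 2:
        severity = "high"
    elif score >= 1:
        severity = "medium"
    else:
        severity = "low"
    return severity, findings


def prioritise(inventory: list[SoftwareAsset], today: date) -> list[tuple[str, str, list[str]]]:
    """Return (severity, name, findings) per asset, most urgent first."""
    assessed = []
    for asset in inventory:
        severity, findings = assess(asset, today)
        assessed.append((severity, asset.name, findings))
    return sorted(assessed, key=lambda row: (SEVERITY_ORDER[row[0]], row[1]))


# Constructed inventory mirroring the engagement: one legacy job costing suite,
# one cloud accounting platform, one minor desktop utility.
JOB_COSTING = SoftwareAsset("Job costing / finance suite", date(2021, 6, 30), 1, None, True)
CLOUD_ACCOUNTING = SoftwareAsset("Cloud accounting platform", None, 3, date(2025, 1, 14), True)
SCREENSHOT_TOOL = SoftwareAsset("Screenshot utility", date(2023, 1, 1), 12, date(2025, 1, 12), False)
INVENTORY = [SCREENSHOT_TOOL, CLOUD_ACCOUNTING, JOB_COSTING]

if __name__ == "__main__":
    for severity, name, findings in prioritise(INVENTORY, date(2025, 1, 15)):
        print(f"[{severity.upper():8}] {name}")
        for finding in findings:
            print(f"            - {finding}")
```

The ranking puts the job costing suite at the top with all three findings, which is the order in which upgrades were prioritised in the plan below; assets with a current backup and vendor support drop to the bottom regardless of how much data they hold.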

With no way to reassure clients their information was protected, or to restore services in these instances, the firm was exposed to greater risk of operational collapse, regulatory non-compliance and reputational damage.

The company’s entire operational resilience rested on keeping one laptop safe and functioning, putting the company in breach of its own Business Continuity Plan. Without robust data protection or backup processes, the company could have fallen short of UK GDPR and of the FCA expectation that authorised firms put adequate risk management systems in place.

We’ll look at these compliance risks and other implications in more detail next.

 

4 risks of using legacy systems for financial services

1. Legacy software increases security vulnerabilities

Flaws are constantly found in even the most widely used software. While vendors issue software updates to fix the issues, it’s a race to apply the patch before cyber criminals can exploit them. Once a vendor stops issuing patches, that race is lost by default: every flaw found from then on stays open.

Older software also often lacks the built-in protections of modern versions, such as multi-factor authentication (MFA).

What continued use of legacy software could mean

Without security updates and the latest protections, high-impact security incidents such as ransomware are easier to carry out and hence more likely.

Before we discovered this critical vulnerability, our client was at severe risk of a cyber security incident. Even a relatively unskilled attacker could hold the company to ransom, simply by accessing a single laptop.

 

2. Regulatory compliance may be compromised

Firms authorised or registered with the FCA must operate within its Principles for Businesses (PRIN). They’re also subject to UK GDPR and the Data Protection Act 2018 and can be fined by both the FCA and the Information Commissioner’s Office (ICO), with individuals also liable to enforcement action by the FCA. The cost of modernisation is almost always less than the cost of a data breach or regulatory fine.

The FCA recommends the UK government-backed Cyber Essentials certification. Once organisations have complied with the scheme’s five core technical control areas (firewalls, secure configuration, security update management, user access control, and malware protection), they are better protected against the most common cyber threats. Cyber Essentials is also a good starting point for UK GDPR compliance.

What continued use could mean

Risks to FCA compliance
  • With insufficient cyber security measures, our client risked breaching the FCA PRIN: for example, the requirements to conduct business with ‘due skill, care and diligence’ (Principle 2) and to have ‘adequate risk management systems’ (Principle 3).
  • Most of the FCA’s 27 fines over the last ten years relate to failings in these two Principles.
Risks to GDPR compliance
  • UK GDPR Article 32 requires security measures appropriate to the risk, including the ability to restore access to personal data promptly after an incident. Payroll and customer records held on a single laptop with no backup do not meet that bar.
Risks to Cyber Essentials accreditation
  • The scheme’s security update management control requires that software in scope is still supported by its vendor and that critical and high-severity security updates are applied within 14 days of release. Unsupported software must be removed or the device taken out of scope, so the legacy suite would have blocked certification.

 

3. Operational risks

While organisations may put off updating outdated systems to avoid disruption, operational risk accumulates with the delay. Not only does software failure become more likely, but the longer an older system is kept, the more workarounds and dependencies build up around it, so replacing it causes greater disruption when it’s finally changed.

The disruption and cost of a cyber attack is far greater than sourcing and replacing obsolete software.

What continued use could mean

  • There’s a fundamental link between effective cyber security and operational resilience. Cyber Essentials accreditation cuts the risk of vulnerabilities and disruption while boosting FCA and GDPR compliance.

In our client’s case, with no backups or disaster recovery measures, they were in breach of their own Business Continuity Plan. Should the worst happen, restoring systems would be a complex process, leading to prolonged downtime. Customers could be left without service for an extended period, potentially leading to considerable business losses.

 

4. Competitive disadvantage

Legacy software is a drag on any organisation’s competitiveness. It weakens agility, making it harder to adapt to changing customer needs.

This is a particular problem in a rapidly transforming sector like financial services. As the industry becomes increasingly digitalised, data visibility and accessibility are vital for innovation and growth. With legacy software, data becomes siloed, making it hard for organisations to use productivity-boosting automation and technologies like AI.

What continued use could mean

  • Less automation and more time-consuming workarounds lead to slower services and more dissatisfied customers.
  • In our client’s case, the legacy software was not cloud-based, so accessing information from across the business was time-consuming and difficult. Without real-time information, decision-making and reporting are slower and less efficient.
  • In a competitive environment, financial services firms must make full use of data as it becomes available. Without cloud-based software, adding new data streams and scaling become difficult.

 

A step-by-step plan to mitigate risk

Once we’d identified the legacy software, we developed a plan for our client to mitigate risk while minimising business disruption.

The first step was to outline what we’d found and explain why immediate action was necessary:

  1. The risk briefing: We outlined the weaknesses we had found and the implications of retaining the software, describing the specific risks in each of the four areas: the business’s security, regulatory compliance, operational resilience, and competitiveness.
  2. A tailored recommendation: Our in-depth Discovery Phase gave Texaport’s IT Consultancy team a thorough understanding of how the client’s business operated. As a result, we recommended Xero, a cloud-based, FCA-compliant platform with automatic updates and built-in security features.
  3. A seamless transition: Detailed migration planning was essential. Having worked extensively with financial services organisations, we understand it’s critical to keep historical data intact and downtime to a minimum.

 

A smooth transition to new software

The client quickly agreed to the transition, trusting us to handle both the technical and compliance aspects. Our team guided the client through a secure, future-proof migration process that was also GDPR and FCA compliant.

Throughout the upgrades, we ensured the client could continue serving customers securely, complying with FCA regulations and ensuring business continuity.

The workarounds and lengthy processes that go hand-in-hand with legacy software soon become normalised. It’s tempting to keep kicking the costs and upheaval of a new system further down the road. However, the expense of regulatory fines and data breaches is far more costly – both financially and reputationally.

Upgrading to modern, cloud-based software offers resilience and scalability, while delaying would quietly erode regulatory compliance, the security of your business, and client trust. It’s a strategy that gambles with future business survival.

At Texaport, we specialise in IT support for financial services, helping businesses modernise their systems with secure, compliant, and future-ready technology that strengthens both operations and client confidence.

Power your progress

Join forces with us to build a stronger IT infrastructure, protect your data, and focus on your future.