Organisations today face a heightened cyber risk environment. For the financial sector, the implementation of CPS 230 adds further urgency to address technology vulnerabilities.
Against this backdrop, our experts have examined one of the most pressing technology challenges facing organisations today: legacy IT systems.
The key message is clear: legacy systems don't have to remain a liability. While these systems may have served organisations well in the past, they can be strategically replaced with modern platforms designed for today's regulatory and operational environment, and, with the right transformation strategy, those platforms can unlock innovation and long-term value.
Key points from our experts
- Cyber security vulnerabilities: Legacy IT systems can be vulnerable in heightened cyber risk environments, as they may lack standard vendor support. Extended support is costly and typically limited to 'best efforts' only, which can lead to prolonged outages and delayed incident response.
- Functional limitations and integration challenges: Ageing systems can also suffer from limitations in functionality and difficulty integrating with modern infrastructure. In particular, it may be difficult to fully leverage data stored in a legacy platform, or to optimise use of the system with the latest AI tools. Organisations that delay modernisation risk ceding competitive ground to rivals who can fully exploit AI capabilities unhindered by legacy constraints.
- Skills shortage and knowledge gaps: Legacy platforms rely on personnel with relevant skillsets who may have retired or moved on. Lost in-house expertise forces dependence on external support specialists, which can slow issue resolution, increase downtime risk and add to costs of maintaining the system.
- Outdated contracts: Legacy vendor contracts and systems weren't built for today's regulatory standards. These contracts often lack modern business continuity provisions, incident reporting obligations, and oversight rights, making it challenging for organisations to demonstrate operational resilience and third-party risk management under CPS 230. They may also lack the clauses that CPS 230 requires to be included in material arrangements.
- Data breach risks: Outdated infrastructure contributes to serious data breaches across sectors. Legacy systems often harbour more data than necessary and carry unpatched vulnerabilities, making them prime targets and exposing organisations to regulatory scrutiny, financial losses and reputational damage.
- Interim security measures: Short of full replacement, organisations can still bolster defences by regularly reviewing and restricting user access privileges, applying security patches, implementing network segmentation, and updating incident response plans to cover legacy components.
- Phased modernisation approach: When upgrading, a phased approach helps maintain resilience. Running new systems in parallel with old ones until thoroughly tested, migrating data in stages, and investing in user training and communication are key. Gradual transitions with strong fallback plans ensure service continuity during modernisation.
- Future-proofing strategies: Approach new system implementation with 'security and compliance by design', maintain up-to-date documentation and team knowledge, and treat operational resilience as an ongoing whole-of-business effort, not a one-off compliance exercise.
Board and executive oversight requirements under CPS 230
For boards and senior executives of regulated institutions, CPS 230 fundamentally shifts legacy system management from an IT concern to a strategic business imperative. Leadership teams must demonstrate active oversight of technology risks, with clear accountability for operational resilience. This includes understanding legacy system dependencies and their potential impact on critical business services.
This requires clear visibility of legacy issues, adequate resource allocation for remediation, and a culture of proactive risk management across the organisation.