Everyone loves a good sunset... when it's out in nature. 🌄

When IT assets hit their sunset phase, most people would rather be anywhere else. But if you work for a financial institution, managing IT asset end-of-life (EOL) isn't just a good idea; it's a requirement.

How can you handle EOL without the stress? Let's take a look.

What is IT asset end-of-life management?

According to the FFIEC IT Examination Handbook Glossary, EOL is:

"A time frame usually defined by a technology vendor to describe when an asset has reached the end of its useful life cycle or when the vendor will no longer support the asset or continue to sell or license it."

There is a lot of industry jargon for EOL systems, including end-of-support, sunset, retirement, depreciation, obsolescence, legacy status, decommissioning, etc.

Whatever terminology you use, when a vendor says they're done supporting a technology asset (e.g., hardware, software, system, etc.), that's your cue to start the EOL process.

What does guidance say about end-of-life management?

GLBA and the Interagency Guidelines Establishing Information Security Standards require financial institutions to ensure the security of information and systems. An EOL system no longer receives security patches from its vendor, so its security can no longer be assured, and a significant amount of guidance has been released on this topic.

The FFIEC IT Examination Handbook discusses EOL management in multiple booklets.

The federal banking regulators continue to focus on EOL management during exams, as well.

Examples of what examiners look for, by source:

  • FDIC Information Technology Risk Examination (InTREx) Program
    "Assess the level and quality of oversight and support of acquisition activities by senior management and the Board of Directors. Consider the following: […] Identification and replacement of systems nearing or at end-of-life."

  • NCUA Information Security Examination (ISE) Program
    "The inventory of information assets (software/hardware) includes the following: […] Process to track and report on end-of-life and end-of-support information assets."

  • OCC Cybersecurity Supervision Work Program (CSW)
    "Software Inventory: Evaluate the effectiveness of software inventory management processes to include end of support and end of life situations."

  • OCC 2025 Bank Supervision Operating Plan
    "Examinations also focus on assessing the effectiveness of information technology asset life cycle management, including end-of-life, end-of-support, and patch management processes. These activities are foundational to a bank's ability to reduce cyber risk from software vulnerabilities."

CISA also identified EOL management as a key control in various guidance, including Cybersecurity Advisory AA24-038A. CISA's guidance has been cited by other agencies, including the Texas Department of Banking in Industry Notice 2025-01 on "Cybersecurity Threats: Actions to Take Today."

(Learn more about this threat on our blog: Volt Typhoon: Cybersecurity Risks and Strategies for Financial Institutions.)

In short, guidance is clear. Effective EOL management is required for security.

Why is IT asset end-of-life becoming a big deal right now?

We are reaching a fork in the road with several widely adopted technologies.

  • Operating Systems: Windows 10 remains a commonly used operating system. It is set to reach end-of-support on October 14, 2025.

  • Software Applications: Several popular Microsoft products also reach a support milestone this year, including Skype, Office 2016, Office 2019, Exchange Server 2016, Exchange Server 2019, and SQL Server 2019 (for SQL Server 2019 it is the end of mainstream support; extended support continues). Learn more on the Microsoft Blog: Ending Support in 2025. Check the Microsoft Lifecycle page for each product, since the exact date and whether extended security updates are offered differ from product to product.

  • Cybersecurity Frameworks: The FFIEC Cybersecurity Assessment Tool (CAT), used by more than 90% of financial institutions over the last five years, has a sunset date of August 31, 2025. (Learn more about this topic on our blog: What Framework Do I Replace the FFIEC CAT With?)

  • Encryption Algorithms: No vendor has declared an EOL date for today's public-key algorithms (RSA, ECDSA, ECDH), but the clock is ticking. NIST finalized its first post-quantum cryptography (PQC) standards (FIPS 203, 204, and 205) in August 2024, and its draft transition guidance (NIST IR 8547) proposes deprecating the quantum-vulnerable algorithms by 2030 and disallowing them by 2035. The practical first step is the same as for any other EOL: inventory where those algorithms are used (TLS certificates, VPNs, code signing, vendor products) so you know what has to move.

What are the risks associated with end-of-life assets?

When IT asset EOL is not managed effectively, your institution is exposed to a wide variety of risks, including:

  • Security risks (e.g., vulnerability to cyber-attacks due to a lack of security patches)
  • Operational risks (e.g., increased downtime and performance issues)
  • Financial risks (e.g., maintenance, replacement, insurance, and/or incident costs)
  • Reputation risks (e.g., lost customer trust due to breaches or failures)
  • Legal risks (e.g., noncompliance with laws, regulations, and guidance about EOL)
  • Strategic risks (e.g., reduced competitiveness due to inability to adopt new technology)

The lesson here is that failure to manage EOL can have a holistic net-negative impact on your business.

How should I manage IT asset end-of-life?

Here are seven steps to manage IT asset EOL effectively.

  1. Create an IT asset inventory.
    Your inventory should include all hardware, software, systems, and devices in use at your institution. Be sure to include technology assets that are owned or managed by a third-party vendor on your list. See the FFIEC Architecture, Infrastructure, and Operations Booklet, III.B IT Asset Management for details.

  2. Add EOL dates to your inventory.
    When a vendor announces an EOL date, record it on your IT asset inventory, so you know what timeframe you are working with. Record the end of mainstream support and the end of extended support separately (they are often years apart, and the gap between them is where paid extended support lives), and note where each date came from (e.g., the vendor's lifecycle page or a vendor notice) so it can be re-verified at review time.

  3. Perform a risk assessment.
    Identify risks associated with the EOL. For example, risks associated with continuing to use the EOL asset, as well as risks associated with upgrading, replacing, or retiring the asset. Be sure to consider any upstream or downstream dependencies which may be impacted by the sunset.

  4. Create a project plan.
    Develop a project timeline with tasks, milestones, deliverables, and estimated resources (e.g., stakeholders, budgets, etc.). See the FFIEC Development, Acquisition, and Maintenance Booklet, IV.N IT Project Management for details.

  5. Test your project plan.
    Select a pilot group of users and/or systems for testing. Back up critical data and perform the transition. Collect feedback from the pilot group. Identify and resolve any potential compatibility issues.

  6. Carry out the project plan.
    Create a detailed deployment plan. Perform backups, develop and distribute training materials, and communicate the rollout plans to everyone involved. Begin phased rollouts, monitoring progress and addressing hiccups when they (inevitably) happen.

  7. Perform a "lessons learned" review.
    This is not a one-time event. For as long as technology has existed and for as long as it will exist, IT assets will reach EOL at some point. This makes it very important to gather feedback and improve your processes to ensure things go smoother next time.

While your project plans will change depending on the size, risk, and complexity of the EOL project, these seven steps can be a general guide for the process, helping you anticipate and prepare for any issues which may arise.
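Steps 1 through 3 are the part of this process examiners ask to see evidence of; the NCUA language quoted earlier is literally a "process to track and report on end-of-life and end-of-support information assets." As an added example (not Tandem's code or a product feature), here is a small Python script that reads an inventory kept as CSV, carries both the mainstream end-of-life and the extended end-of-support date along with their source, and produces the report. The asset names, owners, dates, and the 90/365-day thresholds are constructed for illustration. An asset with no date on file is flagged rather than silently treated as fine, since a blank date is an inventory gap, not a clean bill of health.

```python
"""Track and report end-of-life (EOL) and end-of-support (EOS) status from an
IT asset inventory kept as CSV. Added example; not Tandem's code."""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed sample inventory (fictitious assets, owners and dates). "eol" is
# the vendor's end of mainstream support, "eos" the end of extended support
# (blank when the vendor offers none), "source" where the date was obtained.
SAMPLE_INVENTORY = """\
asset,type,owner,criticality,eol,eos,source
WKS-Teller-042,workstation,Retail Ops,high,2025-10-14,2028-10-13,Microsoft Lifecycle
SRV-Exchange-01,server,IT,high,2025-10-14,,Microsoft Lifecycle
SRV-CoreBanking-02,server,IT,high,2023-01-10,2023-01-10,vendor notice 2022-05
APP-WireTransfer,software,Treasury,high,,,
FW-Branch-07,network,IT,medium,2027-03-31,2029-03-31,vendor datasheet
"""

# Assumed reporting thresholds in days (a policy choice, not from the page).
URGENT_DAYS = 90
WARN_DAYS = 365
# Sort order for the report. UNKNOWN ranks above WARN/OK on purpose: an asset
# with no date on file is an inventory gap, not a clean bill of health.
RANK = {"UNSUPPORTED": 0, "EXTENDED_ONLY": 1, "URGENT": 2, "UNKNOWN": 3, "WARN": 4, "OK": 5}
CRIT = {"high": 0, "medium": 1, "low": 2}


@dataclass
class AssetStatus:
    asset: str
    criticality: str
    status: str
    days: Optional[int]    # days to the milestone that set the status (negative = already past)


def _parse(text: str) -> Optional[date]:
    text = text.strip()
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def classify(row: dict, today: date) -> AssetStatus:
    eol, eos = _parse(row["eol"]), _parse(row["eos"])
    end_of_support = eos or eol          # extended support, if offered, is the hard stop
    if end_of_support is None:
        status, days = "UNKNOWN", None
    elif end_of_support < today:
        status, days = "UNSUPPORTED", (end_of_support - today).days
    elif eol is not None and eol < today:
        # Mainstream support is over; the asset now lives on extended/paid support only.
        status, days = "EXTENDED_ONLY", (end_of_support - today).days
    else:
        days = ((eol or eos) - today).days   # next milestone is still ahead
        status = "URGENT" if days <= URGENT_DAYS else "WARN" if days <= WARN_DAYS else "OK"
    return AssetStatus(row["asset"], row["criticality"].strip().lower(), status, days)


def report(inventory_csv: str, as_of: str) -> list[AssetStatus]:
    """Classify every inventory row as of the ISO date `as_of`, worst findings first."""
    today = _parse(as_of)
    findings = [classify(r, today) for r in csv.DictReader(io.StringIO(inventory_csv))]
    findings.sort(key=lambda f: (RANK[f.status], CRIT.get(f.criticality, 9), f.days or 0))
    return findings


def summary(inventory_csv: str, as_of: str) -> dict:
    """Count of assets per status, for the board/IT committee one-liner."""
    return dict(Counter(f.status for f in report(inventory_csv, as_of)))


if __name__ == "__main__":
    AS_OF = "2025-09-01"                  # fixed date so the sample output is reproducible
    for f in report(SAMPLE_INVENTORY, AS_OF):
        print(f"{f.status:<14} {f.asset:<20} crit={f.criticality:<7} days={f.days}")
    print(summary(SAMPLE_INVENTORY, AS_OF))
```

Run as of 2025-09-01 the sample puts the long-unsupported core banking server at the top, both assets whose mainstream support ends on October 14, 2025 in the URGENT band, and the wire-transfer application in UNKNOWN because nobody has recorded a date for it. Re-run as of 2025-11-01, the Windows 10 workstation drops to EXTENDED_ONLY (it has an ESU date on file) while the Exchange server, which has none, becomes UNSUPPORTED. That distinction is exactly what step 2 asks you to capture.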

Want to see an example? Download our sample plan for upgrading from Windows 10 to Windows 11 at Tandem.App/Sample-Project-Management-Plan.

Upgrading EOL systems is expensive. What should I do?

It is expensive. The problem is that in the world of technology, "not paying" is not an option. You can pay for it now or you can pay for it later, if you catch my drift.

If you purchase software or a system, you can only pay for extended support for so long before you have to come up with another option anyway. For example, Microsoft has only promised the Extended Security Update (ESU) program for Windows 10 for up to three years, and the per-device price doubles each year: $61 for the first year, $122 for the second year, and $244 for the third year… per device. That adds up. 🤑

Every budget decision you make comes with tradeoffs. Putting off a decision can be just as painful, and sometimes, even more painful than it would be to make the hard decision today.

I have software that only runs on the EOL system. What should I do?

This is a surprisingly common issue, since technology doesn't always age out at the same rate. When it comes to IT asset EOL, standing still is not an option. Even if nothing changes on the system, the world around it does. Each day that passes, the system becomes less secure, less compliant, and more vulnerable.

That said, when you are faced with this scenario, you have four options.

  • Update: Determine if there's a newer version of the software that works on a non-EOL system and upgrade to that newer version.
  • Migrate: Determine if there are alternative solutions from other vendors which may meet your needs. Migration comes with its own challenges (data conversion, retraining, due diligence on the new vendor), but it is a viable option.
  • Emulate: Determine if there is a way to run the current software on a newer system (e.g., via emulation, virtualization, compatibility mode, etc.). Be clear about what this does and does not buy you: the supported host is patched, but the EOL guest or application inside it is still unpatched, so it still needs the compensating controls below.
  • Compensate: Determine if there are compensating controls which could be implemented to secure the system (e.g., air gapping, network isolation, firewall rules, access restrictions, heightened monitoring, etc.). Document the controls, have the residual risk formally accepted, and put an end date on the arrangement. Compensating controls are a bridge, not a destination.

In short, if you have an EOL system that you can't upgrade due to upstream or downstream impacts, there are still steps you can consider for securing your current environment.
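The "compensate" option is the one most likely to be challenged at exam time, because it only works if the isolation actually holds. As an added example (not Tandem's code), the following Python checker implements the "network isolation plus heightened monitoring" pair: an allowlist of the few connections the EOL host legitimately needs, and a scan of firewall log lines that alerts on anything else. The addresses, the log format, and the sample lines are all constructed; adapt the regular expression to whatever your firewall or flow collector emits. A non-allowlisted connection that the firewall allowed is rated high because it means the isolation rule is missing or bypassed; one the firewall blocked is still reported, since an EOL host probing other hosts is itself worth investigating.

```python
"""Heightened monitoring for an EOL host that has been network-isolated:
alert on any connection outside its documented allowlist. Added example;
not Tandem's code."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed isolation policy for one EOL host (all addresses are fictitious).
EOL_HOSTS = {"10.20.5.17"}                 # e.g. a Windows 10 workstation that runs the legacy app
ALLOWED_OUTBOUND = {                       # (destination, port) pairs the EOL host may reach
    ("10.20.1.4", 443),                    # the legacy application server
    ("10.20.1.53", 53),                    # internal DNS
}
JUMP_HOSTS = {"10.20.1.9"}                 # the only sources permitted to connect *to* the EOL host

# Constructed firewall log (key=value, one connection per line; not real traffic).
SAMPLE_LOG = """\
2025-09-02T10:01:05Z src=10.20.5.17 dst=10.20.1.4 dport=443 proto=tcp action=allow
2025-09-02T10:01:09Z src=10.20.5.17 dst=10.20.1.53 dport=53 proto=udp action=allow
2025-09-02T10:03:41Z src=10.20.5.17 dst=203.0.113.8 dport=443 proto=tcp action=allow
2025-09-02T10:04:02Z src=10.20.1.9 dst=10.20.5.17 dport=3389 proto=tcp action=allow
2025-09-02T10:05:30Z src=10.20.5.22 dst=10.20.5.17 dport=445 proto=tcp action=allow
2025-09-02T10:06:11Z src=10.20.5.17 dst=10.20.1.20 dport=445 proto=tcp action=deny
2025-09-02T10:07:00Z src=10.20.3.3 dst=10.20.1.4 dport=443 proto=tcp action=allow
"""

# Assumed log layout; map the named groups onto your own firewall's fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>allow|deny)$"
)


@dataclass
class Alert:
    ts: str
    host: str        # the EOL host involved
    severity: str    # "high": the firewall let it through, so isolation is not holding
    reason: str
    peer: str        # the other end, as address:port/protocol


def check_line(line: str) -> Optional[Alert]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                        # blank line or not a connection record
    f = m.groupdict()
    dport = int(f["dport"])
    sev = "high" if f["action"] == "allow" else "medium"
    if f["src"] in EOL_HOSTS and (f["dst"], dport) not in ALLOWED_OUTBOUND:
        return Alert(f["ts"], f["src"], sev, "outbound not in allowlist",
                     f"{f['dst']}:{dport}/{f['proto']}")
    if f["dst"] in EOL_HOSTS and f["src"] not in JUMP_HOSTS:
        return Alert(f["ts"], f["dst"], sev, "inbound from non-jump host",
                     f"{f['src']}:{dport}/{f['proto']}")
    return None


def scan(log_text: str) -> list[Alert]:
    """Return every alert raised by the log, in log order."""
    alerts = (check_line(line) for line in log_text.splitlines())
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.severity.upper():<6} {a.host} {a.reason}: {a.peer}")
```

On the sample log this raises three alerts: the EOL workstation reaching an Internet address over 443 (high: the egress rule is not doing its job), a peer workstation connecting to it on 445 (high: lateral access that should have been blocked), and the EOL host's own blocked attempt to reach another internal host on 445 (medium: the control worked, but ask why the host tried). The allowed traffic to the application server, DNS, and the jump host produces nothing, which is the point of keeping the allowlist short.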

I can't do any of those things. What should I do?

This happens sometimes, too. There are times when you get into a long-term relationship with a vendor, it would be prohibitively expensive to get out, and it can feel like you have no options. If this is where you find yourself, don't lose hope! There are still things you can do, and it all centers around vendor management.

  • Step 1: Contact the vendor.
    Reach out to the vendor and ask if they're aware of the EOL. While it's unlikely, there's a small chance they may not know or be aware of how the EOL could impact how their system works at your business. Approach the conversation with grace, presuming they might not know and proceed from there.

  • Step 2: Review your agreements.
    Look at your contracts and agreements (like service level agreements (SLAs)) with the vendor to see what they've committed to in terms of ongoing support, updates, and security patches. This will help you understand what you're entitled to and if their support terms align with the situation.

  • Step 3: Negotiate with the vendor.
    If your agreements don't provide sufficient support or solutions, try negotiating with the vendor. Ask if they're open to helping out, whether it's through custom development, transition support, or extended maintenance. Emphasize that you're looking for a solution to keep the relationship strong.

  • Step 4: Update your risk assessment.
    Regardless of how the vendor responds, make sure to update your vendor risk assessment. Document how the vendor's actions (or lack thereof) could impact your business and adjust your risk ratings accordingly.

  • Step 5: Document everything.
    Keep detailed records of all interactions with the vendor regarding the EOL issue, any negotiations, and potential contract breaches. Having these records can be valuable if you need to show your work to auditors or examiners or seek legal advice down the line.

  • Step 6: Explore legal options.
    As a last resort, if negotiations don't go anywhere and the vendor is not meeting their commitments, consider legal options. Review the contract with legal counsel to determine if the vendor is in breach of any terms. If necessary, this could give you grounds to escalate the situation, seek compensation, or even terminate the contract without incurring penalties.

  • Step 7: Update your vendor management program.
    Take some time to review your third-party risk management processes and look at your agreements with similar vendors. Consider renegotiating, if the contracts wouldn't be suitable in future EOL circumstances. This will help you stay ahead of potential issues, so you're not left scrambling later.

Dealing with EOL assets can be frustrating, but by approaching the situation methodically, you can often find a solution that works for you and your vendor. It just needs a little persistence and patience.

Looking for other contract management tips and tricks? Download our Vendor Management Workbook at Tandem.App/Vendor-Workbook.

Don't let the sunset dim your shine!

Every day an EOL system stays in use, the risks increase. The good news is that you have time to get ahead of the problem before the problem gets ahead of you.

At Tandem, we care about security, and we are here to help you with all your IT asset management projects, EOL or otherwise. Our suite of products is designed to help you navigate these challenges with style.

  • Risk Assessment: Create and conduct risk assessments on your IT asset inventory.
  • Policies: Our template IT Asset Management policy is ready and waiting for you to tailor.
  • Vendor Management: Track contracts, due diligence, and reviews for your IT asset service providers.

Watch a demo to see how these Tandem products can help you with your IT asset management processes. If you need help creating and implementing a plan to upgrade your systems, check out our list of Tandem Partners. Learn more at Tandem.App.