When your cyber-insurance renewal asks about end-of-life software
Carriers want documented evidence about unsupported .NET, SQL Server, and Windows Server -- not a checkbox. Modernization Shield produces that evidence in 7 to 10 business days.
If your renewal questionnaire is asking whether you still run SQL Server 2016, .NET Framework, or an out-of-support Windows Server -- and what you intend to do about it -- a vague answer is a liability. This page is for the security or technology leader who needs a defensible, evidence-backed answer before the renewal date, not after.
Cyber-insurance questionnaires have tightened. Renewal forms that once accepted a self-attested checkbox increasingly ask for specifics: which operating systems, databases, and frameworks are past end of support, how they are patched, what compensating controls are in place, and what the remediation plan and timeline look like. For organizations running legacy Microsoft platforms, those questions land directly on the .NET and SQL Server estate.
The timing is not abstract. SQL Server 2016's extended-support deadline is July 14, 2026 (walked through in the SQL Server 2016 end-of-support guide); for .NET 8 (the long-term-support release partially modernized estates standardized on; .NET 10 is the current LTS) the deadline is November 10, 2026. Older Windows Server and .NET Framework (the older Windows-only generation of Microsoft's developer platform) versions are already there or close behind. After those dates, the vendor stops shipping security fixes -- which is exactly the line a carrier is asking you to draw. The full calendar lives on the Microsoft end-of-support reference.
An unconvincing answer rarely shows up as an outright decline. It shows up as a higher premium, a tighter sublimit, a new exclusion, or -- worst of all -- a coverage dispute at claim time, when the carrier argues you misrepresented the state of your systems. The strongest position on all four is the same: answer with documented evidence.
What the questionnaire is really asking
Most renewal questions about legacy software map cleanly onto what a Modernization Shield engagement already documents in the Legacy Modernization Risk Report (LMRR):
"Do you run unsupported or end-of-life software?" The LMRR is the inventory: the .csproj target frameworks (the project files that record which version of .NET each application is built for) across the estate -- the .NET Framework 4.x apps, and the 3.5 service still running in a corner -- plus the SQL Server and Windows Server versions confirmed from the scoping inventory. Each entry carries its end-of-support date, and each application is listed with the project file it was found in.
"What is your remediation plan and timeline?" A phased sequence, not a wish list: which system moves first (usually the internet-facing one on an unsupported framework), what can wait, and the expected risk trajectory across phases. An underwriter can read it. So can your board.
"How do you manage known vulnerabilities and dependencies?" The diagnostic names them: out-of-date NuGet packages (third-party code libraries the application depends on), BinaryFormatter and other deprecated APIs (built-in features the vendor has flagged as unsafe and stopped maintaining), aging WCF bindings (the older Microsoft technology for connecting applications to each other), and the database access the code itself contains -- inline SQL, stored-procedure calls, and hardcoded connection strings reaching into systems nobody documented -- each tied back to the source file it lives in.
"What compensating controls protect the legacy estate?" Where change is low-risk, where it is high-risk, and where there is no safety net at all -- no test coverage, no rollback path. That is what a security team needs to describe its controls honestly instead of guessing.
None of this is visible from a renewal questionnaire or a status update. Each item is a place where "we're basically fine" turns into a specific, dated exposure -- the kind an underwriter prices, an auditor flags, or a carrier points to at claim time. The result is a single written document, plus an evidence appendix, that you can hand to your broker or your underwriter -- and that your own leadership and engineering teams can act on.
A self-attested checkbox is what gets disputed at claim time
A self-attestation is an opinion. The underwriter has read a thousand of them, and so has your auditor. Independent, evidence-backed documentation is a different thing -- and Evincia has no reason to shade it. We sell no implementation work, so the read is not a migration pitch dressed up as an assessment.
Findings in the LMRR carry supporting artifacts -- source files, stored procedures, schemas, dependencies, or configuration -- and the Modernization Readiness Score (0 to 100, where a low score means high exposure) is traceable to the published methodology: the twelve categories are public, and judgment is labeled as judgment. That is the difference between "we think we're fine" and "here is what's unsupported, here is what's exposed, and here is what we fix first."
This is the kind of document you hand an underwriter. Pages from the SocialGoal sample report: a real public codebase (SocialGoal, an open-source ASP.NET MVC application), scored 44/100 Red. The supporting evidence is checkable against the source.
Modernization Shield is a fixed-scope technical diagnostic of your legacy .NET and SQL Server systems, delivered in 7 to 10 business days as the LMRR, at a fixed fee of $15,000 to $20,000. Its job here is to give you documented, independent evidence that answers the questions underwriters and auditors ask.
It is not insurance advice, it does not replace your broker or your carrier's process, and it does not guarantee any renewal, premium, or coverage outcome. What it removes is the part you actually control: walking into the renewal without a defensible, evidence-based picture of your own systems.
Who this is for (and who it's not)
This work is for teams who need clarity, not reassurance.
Good fit
A renewal or audit date on the calendar and legacy .NET / SQL Server you cannot fully account for.
A questionnaire that now asks for a remediation plan and a timeline, not a checkbox.
A claim-time misrepresentation exposure you want documented before you attest.
Not a fit
You need the renewal underwritten -- that is your broker, not us.
A fully supported, current-platform estate with nothing past end of support.
You want someone to do the migration, not document the risk.
Can you show the carrier evidence, not an attestation?
Modernization Shield documents unsupported .NET, SQL Server, and Windows Server exposure; the dependencies around those platforms; and the remediation order leadership can use in a renewal or audit conversation. It is an independent technical assessment, not insurance advice or a coverage guarantee.
The SocialGoal sample Modernization Risk Report shows the format that evidence takes: a platform inventory, a risk register, and a remediation sequence a security lead can put in front of a carrier.