Why This Assessment Exists
The executive decision on SharePoint Server 2019 migration cannot be made on feelings. It needs quantified risk numbers that CFOs, CISOs, audit committees, and insurance brokers can act on. This assessment gives you that model.
It sits underneath the July 14, 2026 end-of-support pillar decision guide and complements the migration checklist and migration gotchas reference.
The Four Risk Categories
Post-end-of-support risk for SharePoint Server 2019 breaks into four distinct categories, each with different measurement frameworks and different stakeholders:
- Technical vulnerability risk — CVEs, exploits, and attack-surface exposure. Owned by CISO.
- Compliance and audit risk — HIPAA, SOC 2, PCI, FedRAMP, NIST, CMMC findings. Owned by Chief Compliance Officer or GRC.
- Financial and insurance risk — Cyber insurance erosion, breach loss expectancy. Owned by CFO and Risk Management.
- Operational risk — Unsupported ticketing, ISV compatibility drift, talent shortage. Owned by CIO and Infrastructure.
The mistake most organizations make is focusing on one category and missing the cumulative effect.
Category 1 — Technical Vulnerability Risk
CVE Frequency Baseline
Over the last five years (2021 to 2025), SharePoint Server published CVEs averaged:
- 14 to 22 CVEs per year affecting SharePoint Server 2016/2019
- 3 to 7 of those rated Critical (CVSS 9.0+)
- 5 to 9 rated High (CVSS 7.0 to 8.9)
- At least 2 per year with working exploit code published within 30 days of disclosure
Projecting forward: the first year post-EOS (July 15, 2026 to July 14, 2027) should be expected to produce 14 to 22 unpatched vulnerabilities in your environment. These accumulate — there is no future patch.
The ToolShell Precedent
The ToolShell SharePoint vulnerability chain (disclosed July 2025) is the clearest recent precedent. It affected SharePoint 2016, 2019, and Subscription Edition. The characteristics that matter for your risk model:
- Disclosed publicly with working exploit code.
- Exploited in the wild within 72 hours of disclosure.
- Targeted by multiple nation-state and criminal groups simultaneously.
- Enabled authenticated remote code execution on SharePoint farm servers.
Microsoft patched all supported versions within days. After July 14, 2026, the equivalent future disclosure in SharePoint 2019 will not be patched — ever.
Attack Surface Characterization
SharePoint 2019 farms are attractive targets because they tend to:
- Host high-value content (contracts, HR records, financial reports, PHI, IP).
- Be reachable from the intranet and often from the internet via reverse proxy.
- Integrate with Active Directory, exposing AD credentials and Kerberos delegation paths.
- Run with high-privilege service accounts that give post-exploitation access to SQL Server content databases.
The combination — high-value content, large privilege footprint, and known-unpatched — is the template for a ransomware or data-extortion attacker's ideal target.
Category 2 — Compliance and Audit Risk
HIPAA
45 CFR 164.308(a)(1)(ii)(A) — Risk Analysis. Covered entities must conduct accurate and thorough assessment of risks to ePHI. An unpatched production system is a known risk that cannot be treated.
45 CFR 164.308(a)(5)(ii)(B) — Protection from Malicious Software. Requires procedures to guard against and detect malicious software, which is not satisfiable when no patches exist.
OCR enforcement precedent: in settlement cases where unsupported software contributed to a breach, OCR has imposed six and seven-figure resolution agreements plus multi-year corrective action plans.
SOC 2
Common Criteria CC7.1 — The entity uses detection and monitoring procedures to identify changes to configurations and vulnerabilities. Unpatchable CVEs are undetectable changes to exploitable state from the defender's perspective.
Common Criteria CC7.2 — The entity monitors system components for anomalies indicative of malicious acts or known vulnerabilities. Vendors do not monitor unsupported versions.
A SOC 2 Type II auditor has no clean path to issuing an unqualified opinion when a production system in scope is unsupported. The report becomes qualified, which is a material disclosure to existing enterprise customers.
PCI DSS 4.0
Requirement 6.3.3 — Address all applicable vulnerabilities within 30 days (critical) or 90 days (high). Impossible when no vendor patch exists. Requirement 6.2.4 — Bespoke and custom software reviewed per vendor support lifecycle. An unsupported platform fails the requirement directly.
FedRAMP Moderate and High
Control SI-2 (Flaw Remediation) requires identifying, reporting, and correcting information system flaws. No vendor patch pipeline equals no SI-2 compliance. FedRAMP customers typically require migration or decommissioning within 60 days of vendor EOS.
NIST 800-171 and CMMC Level 2
3.14.1 — Identify, report, and correct system flaws in a timely manner.
3.14.2 — Provide protection from malicious code at designated locations.
3.11.2 — Scan for vulnerabilities in systems and applications periodically.
All three fail when the platform is unsupported. CMMC assessments will cite these directly.
Category 3 — Financial and Insurance Risk
Annual Loss Expectancy Model
Single-loss expectancy (SLE) for a SharePoint-originated breach, by organization size:
- 500 seats: likely data classes — HR records, contracts, financials. SLE range 500,000 to 3,500,000 USD.
- 2,000 seats: the above plus client/customer data. SLE range 1,500,000 to 8,000,000 USD.
- 10,000 seats: the above plus regulated data (PHI, PCI, ITAR). SLE range 4,000,000 to 35,000,000 USD.
Annualized rate of occurrence (ARO) for an unsupported system with high-value content: 0.10 to 0.25 per year in the first year post-EOS.
ALE (Annual Loss Expectancy) equals SLE multiplied by ARO.
For a 2,000-seat enterprise: 150,000 to 2,000,000 USD per year in expected loss — compared to a one-time migration cost in the 310,000 to 625,000 range for the same organization.
Cyber Insurance Erosion
Major carriers updated underwriting between 2023 and 2025:
- Questionnaires now specifically ask about unsupported operating systems and applications.
- Several carriers carry exclusions that deny claims where the initial access vector was unsupported.
- Some policies apply a separate higher deductible (typically 2x to 3x the standard deductible) for unsupported-system incidents.
- Renewal premiums increase 15 to 40 percent for organizations disclosing unsupported production systems.
For a 2,000-seat enterprise carrying a 5M USD cyber policy, renewal in 2027 (post-EOS) could mean: 50,000 to 150,000 USD premium increase annually, plus a 500,000 to 1,000,000 USD higher deductible tier, plus risk that a major claim is denied.
Emergency Migration Premium
Organizations forced into post-deadline emergency migration (by an audit finding, customer contract clause, or near-miss incident) pay a 25 to 40 percent premium over a planned migration, plus:
- Partner capacity cost (senior consultants at rush rates)
- Compressed user impact (less change management, more disruption)
- Reduced negotiating leverage on tooling licenses
- Higher error rate and longer hypercare
Category 4 — Operational Risk
Microsoft Support Cliff
After July 14, 2026, Microsoft Premier and Unified support cannot open break-fix tickets against SharePoint 2019. Historical Premier escalations for SharePoint 2019 have resolved an average of 32 percent of critical incidents within 8 hours — that path disappears.
ISV Compatibility Drift
ShareGate, AvePoint, Quest, Nintex, K2, DocuSign, Colligo, and other ISVs maintain compatibility with supported platforms. Expect public end-of-support announcements for SP2019 connectors from major ISVs within 6 to 12 months of July 14, 2026. This cascades into lost functionality in downstream workflows.
Talent Scarcity
The population of consultants and internal admins with deep SharePoint 2019 expertise is actively shrinking. New SharePoint engineers train on SharePoint Online and SE, not 2019. Replacement cost for a SharePoint 2019 administrator rises steadily from 2026 onward.
The Decision Framework
Present the risk to executive leadership as a three-scenario comparison.
Scenario A — Timely Migration
Migrate before July 14, 2026. One-time cost. No ongoing risk exposure. Insurance and compliance posture preserved.
Scenario B — Run Unsupported for One Year
Continue on SP2019 past July 14, 2026. Annual cost equals ALE (150k to 2M for 2,000 seats) plus insurance premium increase plus audit-finding remediation cost plus eventual forced migration.
Scenario C — Emergency Migration Post-Incident
Do nothing until an audit finding or near-miss incident forces the issue. Cost equals 125 to 140 percent of planned migration plus disruption cost plus reputation cost plus potential breach cost if the forcing event was a real incident.
Scenario A is the economic decision in virtually every case.
Quantifying the Risk for Board-Level Audiences
Board audit committees and risk committees respond best to quantified risk in dollar terms, not technical framing. Translate the model above into three board-ready metrics:
Metric 1 — Annual Loss Expectancy (ALE) in millions of USD. A single number. For a 2,000-seat enterprise running unsupported SharePoint: approximately 0.4 to 2.0 million USD ALE annually in the first year post-EOS. Present alongside the fixed migration cost (0.31 to 0.63 million USD) to show payback period of well under twelve months.
Metric 2 — Cyber Insurance Renewal Exposure. Present as two numbers: incremental premium increase (50 to 150k per year on a 5M policy), and incremental deductible exposure (500k to 1M higher self-insured retention on an unsupported-software claim). Boards understand insurance math intuitively.
Metric 3 — Audit Finding Count. Translate every failing compliance control into a projected audit finding count on the next SOC 2 Type II, HIPAA, or regulatory audit. A board member who has sat through a qualified audit opinion understands what this means without further explanation.
Presenting these three metrics on a single slide, alongside the migration investment and timeline, produces the cleanest board approval path we have seen.
Related Reading
- SharePoint Server 2016 and 2019 End of Support — July 14, 2026 Decision Guide (pillar)
- SharePoint Server 2016 to Online Migration Checklist
- SharePoint Server Migration Gotchas — The Common Mistakes That Kill Projects
- SharePoint Hybrid to Cloud — The Final Phase of the Hybrid Era
Frequently Asked Questions
What is the first-year CVE exposure for an unsupported SharePoint 2019 farm?
Based on five-year averages, SharePoint receives 14 to 22 published CVEs per year, 3 to 7 rated Critical. First-year post-EOS exposure is the full distribution with no vendor patches.
How do I calculate the dollar-value risk of running unsupported SharePoint?
ALE equals probability of breach multiplied by expected loss. Defaults for unsupported SharePoint: 10 to 25 percent annual probability, 1 to 12 million USD expected loss.
Will my cyber insurance pay out after a breach of an unsupported server?
Increasingly no. Major carriers updated underwriting 2023 to 2025 to ask about unsupported software.
Does running SharePoint 2019 behind a WAF mitigate the risk?
It helps but does not eliminate risk. Auditors and insurers generally do not accept WAF as a substitute for vendor patching.
What does HIPAA enforcement look like for unsupported SharePoint?
OCR cites unsupported software as a Risk Analysis control failure under 45 CFR 164.308(a)(1).
How should I present the risk to the CFO and CISO?
Three-column comparison: timely migration cost, one-year unsupported cost, emergency-migration cost. Timely migration is the economic choice.
Is there any defensible reason to stay on SP2019 past July 14, 2026?
One: air-gapped, non-internet-connected environments. Even here, SharePoint Server Subscription Edition is the recommended path.
Written by the SharePoint Support Team
Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience
Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.
Expert SharePoint Services
Frequently Asked Questions
What is the first-year CVE exposure for an unsupported SharePoint 2019 farm?▼
How do I calculate the dollar-value risk of running unsupported SharePoint?▼
Will my cyber insurance pay out after a breach of an unsupported server?▼
Does running SharePoint 2019 behind a WAF or reverse proxy mitigate the risk?▼
What does HIPAA enforcement actually look like for unsupported SharePoint?▼
How should I present the risk to the CFO and CISO?▼
Is there any defensible reason to stay on SP2019 past July 14, 2026?▼
Need Expert Help?
Our SharePoint consultants are ready to help you implement these strategies in your organization.
Continue Reading in Security
SharePoint Security Hardening: Protect Your Enterprise...
Comprehensive security guide covering permissions, external sharing, sensitivity labels, and advanced threat protection.
SecuritySharePoint Backup and Recovery: Enterprise Protection Guide
Protect your SharePoint data with comprehensive backup and recovery strategies. Learn about native tools, third-party solutions, and disaster recovery planning.
SecuritySharePoint External Sharing: Secure Collaboration Guide
Enable secure external collaboration in SharePoint while maintaining governance and compliance. Learn sharing policies, guest access, and security best practices.
SecuritySharePoint Extranet Setup Guide: Secure External...
Complete guide to setting up a SharePoint extranet for clients, vendors, and partners. Covers architecture options, security controls, permissions, and governance for B2B collaboration.
SecuritySharePoint Permissions Management
Master SharePoint permissions with this enterprise guide. Covers permission levels, inheritance, groups, unique permissions, broken inheritance risks, auditing, and modern best practices.
SecuritySharePoint External Sharing & Guest Access
Securely configure SharePoint external sharing and guest access for enterprise collaboration. Learn sharing policies, guest user management, conditional access, auditing external activity, and compliance controls.
