Authors: Johnty Mongan, Sam Cheshire

Windows 10 EOL: Understanding the magnitude of risk
The Windows 10 end-of-life (EOL) status is leaving many businesses on increasingly unstable ground. From 14 October 2025, Windows 10 no longer receives security patches, feature updates or technical support from Microsoft (unless a device is enrolled in the paid Extended Security Updates programme, which is a time-limited bridge rather than a long-term fix). Every remaining installation becomes a static target for cybercriminals worldwide.
Despite the approaching deadline, nearly 43% of Windows users were still running Windows 10 as of July 2025 [1], so a very large installed base is set to go unpatched.
Cyber gangs actively scan for outdated systems, and an operating system in EOL status hands them an added advantage: any vulnerability disclosed after the end-of-support date will never be fixed by the vendor, so it becomes a permanent entry point that can be exploited repeatedly.
The consequences are severe — ransomware attacks where encryption malware paralyses entire business operations within hours, data breaches exposing sensitive customer information and regulatory compliance issues resulting in legal repercussions.
According to the IBM Cost of a Data Breach 2024 report, the global average cost of a data breach reached USD 4.88 million (GBP 3.6 million) in 2024 [2]. For businesses still running Windows 10 after EOL, the exposure compounds because the unpatched attack surface never shrinks: each newly disclosed flaw stays exploitable indefinitely.
Insurance policies present another consideration. Many cyber insurance providers now require policyholders to maintain current, supported operating systems. Continuing to run an unsupported operating system could therefore invalidate coverage, leaving businesses financially exposed at exactly the moment they are most likely to suffer an incident.
Beyond immediate costs, reputational damage and operational disruption can also impact the brand and the effective running of an organisation.
Lessons from the Windows 7 EOL legacy
When Windows 7 support ended in January 2020, businesses that delayed migration and postponed their upgrades experienced a surge in successful cyberattacks. The threat pattern was predictable yet largely avoidable. Within months of Windows 7's EOL, ransomware groups specifically targeted organisations running the unsupported system.
There are plenty of other examples where unpatched, legacy systems have left organisations vulnerable to attack. For instance, the WannaCry ransomware attack in May 2017 infected over 200,000 Windows computers worldwide by exploiting a vulnerability in the SMBv1 file-sharing protocol (MS17-010) [3]. Microsoft had patched that flaw two months earlier for supported versions of Windows, so the machines that fell were those that had not applied the patch or were running versions Microsoft no longer supported.
The attack disproportionately hit healthcare providers because of the sector's prevalence of unpatched, legacy systems at the time. In the UK, the National Health Service (NHS) saw ambulance service screens disabled, tertiary centres left with no access to CT and MR scans, and primary care IT providers unable to transfer automated blood results.
Furthermore, official warnings were issued about increased cyber risks following the Windows 7 EOL, with security experts highlighting that hundreds of millions of unpatched systems worldwide had become prime targets for cybercriminals. Local government bodies were identified as particularly vulnerable: budget-constrained councils often delayed critical system upgrades, leaving them exposed to emerging threats targeting legacy systems [4, 5].
“Windows 10 is now at the same crossroads as Windows 7 was five years ago. But history does not have to repeat itself. Smaller, less sophisticated digital suppliers could provide an entry point for cybercriminals. A successful compromise could generate substantial losses for the insurance market, potentially exceeding existing market caps and having profound implications on pricing frameworks. This can significantly impede market re-entry and reduce competition.”
- Sam Cheshire, Cyber & Technology Practice Group Managing Director.
Cyber risk mitigation: Strategising secure migration to Windows 11
As the Windows 10 EOL countdown clock ticks toward the zero hour, businesses face a simple choice: update operating systems and invest in comprehensive cyber defence now or face the increased likelihood of successful cyber intrusions down the road.
- Johnty Mongan, Global Head of Cyber Risk Management.
Effective cyber risk management requires a multi-layered approach that extends beyond simple system upgrades. This includes:
- Asset discovery and assessment: Maintain a complete IT asset register to identify every device running Windows 10 across the organisation, and record for each one whether it meets the Windows 11 hardware baseline (UEFI firmware with Secure Boot, a TPM 2.0, a supported 64-bit CPU, at least 4 GB of RAM and 64 GB of storage), so that hardware blockers surface early rather than mid-migration. Systematic security evaluations and penetration testing assist in uncovering exposure risks and strengthen defences for a secure migration to Windows 11.
- Layered cybersecurity controls: Integrate multiple barriers against system intrusion, such as advanced firewalls, endpoint detection and response (EDR) systems and multi-factor authentication (MFA). This reduces risk during the transition period, especially for legacy systems that cannot be upgraded immediately.
- Migration strategy development: Prioritise system migrations based on risk assessment. Network segmentation can help isolate legacy systems, internet-connected devices and customer-facing systems processing sensitive data. Comprehensive backup and disaster recovery procedures are vital during migration.
- Employee education and awareness: Regular employee training and awareness programmes are essential to reduce human error. Implement ongoing security awareness training focusing on social engineering tactics, phishing recognition and incident reporting procedures.
- Insurance policy review: Engage with insurance providers to understand specific requirements around supported operating systems. Ensure policies provide adequate coverage for potential incidents and consider whether additional protection is needed during migration periods.
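The asset discovery step above is the one that most often stalls a migration, because the register has to capture not just "is this Windows 10?" but "can this box take Windows 11 at all?". The following PowerShell function is an added example, not code from the original article or from Gallagher: it probes each host for its Windows build and the Windows 11 hardware baseline and emits one row per machine suitable for an asset register. The Microsoft end-of-support date it uses (14 October 2025) is the published lifecycle date; the host names in the usage line are assumptions. It must run elevated, since `Win32_Tpm` and `Confirm-SecureBootUEFI` need administrator rights, and it does not check Microsoft's supported-CPU list, so treat `Win11HardwareOk` as a pre-screen rather than a final verdict.

```powershell
# Added example (not the article's own code): inventory Windows 10 hosts and
# pre-screen them against the Windows 11 hardware baseline. Run elevated.
# Caveat: Windows 10 LTSC/IoT LTSC editions have their own lifecycle dates;
# this script treats every "Windows 10" caption as the mainstream channel.
function Get-Win11ReadinessReport {
    [CmdletBinding()]
    param(
        # Hosts to query. Remote hosts are reached over WinRM via Invoke-Command;
        # the default is the local machine, which needs no remoting.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $win10EndOfSupport = [datetime]'2025-10-14'   # Microsoft lifecycle date

    # Everything that must execute on the target host lives in this script block.
    $probe = {
        $os      = Get-CimInstance -ClassName Win32_OperatingSystem
        $cs      = Get-CimInstance -ClassName Win32_ComputerSystem
        $cpu     = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
        $sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

        # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; null if no TPM or no rights.
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

        # Confirm-SecureBootUEFI throws on legacy-BIOS machines (and when not elevated),
        # so landing in the catch block is recorded as "no UEFI / no Secure Boot".
        try   { $secureBoot = [bool](Confirm-SecureBootUEFI); $uefi = $true }
        catch { $secureBoot = $false; $uefi = $false }

        [pscustomobject]@{
            Host       = $env:COMPUTERNAME
            Caption    = $os.Caption
            Build      = [int]$os.BuildNumber
            Is64Bit    = ($cpu.AddressWidth -eq 64)
            RamGB      = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
            SysDiskGB  = [math]::Round($sysDisk.Size / 1GB, 1)
            Uefi       = $uefi
            SecureBoot = $secureBoot
            TpmSpec    = $tpmSpec
        }
    }

    foreach ($name in $ComputerName) {
        $raw = if ($name -ieq $env:COMPUTERNAME -or $name -ieq 'localhost') {
            & $probe
        } else {
            Invoke-Command -ComputerName $name -ScriptBlock $probe
        }

        # Windows 11 builds start at 22000; a lower build with a "Windows 10" caption is Windows 10.
        $isWin10 = ($raw.Build -lt 22000) -and ($raw.Caption -like '*Windows 10*')

        $hwOk = $raw.Is64Bit -and ($raw.RamGB -ge 4) -and ($raw.SysDiskGB -ge 64) -and
                $raw.Uefi -and $raw.SecureBoot -and ($raw.TpmSpec -eq '2.0')

        $tpmLabel = if ($raw.TpmSpec) { "TPM $($raw.TpmSpec)" } else { 'TPM absent' }

        [pscustomobject]@{
            Host             = $raw.Host
            OS               = $raw.Caption
            Build            = $raw.Build
            StillOnWindows10 = $isWin10
            # Negative before the deadline (days remaining), positive after it (days unpatched).
            DaysSinceEOL     = if ($isWin10) { [int]((Get-Date) - $win10EndOfSupport).TotalDays } else { 0 }
            Win11HardwareOk  = $hwOk
            Blockers         = @(
                if (-not $raw.Is64Bit)      { '32-bit CPU' }
                if ($raw.RamGB -lt 4)       { 'RAM < 4 GB' }
                if ($raw.SysDiskGB -lt 64)  { 'system disk < 64 GB' }
                if (-not $raw.Uefi)         { 'legacy BIOS' }
                if (-not $raw.SecureBoot)   { 'Secure Boot off' }
                if ($raw.TpmSpec -ne '2.0') { $tpmLabel }
            ) -join '; '
        }
    }
}

# Usage (host names are assumptions): feed the result straight into the asset register.
# Get-Win11ReadinessReport -ComputerName 'WS-001','WS-002' |
#     Export-Csv -NoTypeInformation -Path .\win10-inventory.csv
```

Sorting the CSV by `StillOnWindows10` and then by `Win11HardwareOk` gives the migration order the next step asks for: machines that are still on Windows 10 and cannot take Windows 11 are the ones to segment off the network first, since they will remain unpatched for longest.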
The way forward: A dual strategy for cyber resilience
The Windows 10 EOL scenario illustrates why forward planning is non-negotiable in cybersecurity. The most effective cybersecurity posture rests on a simple principle: prevention is invariably more cost-effective than remediation.
Avoid the risk with proactive cyber defence strategies
Future cyber resilience depends on viewing Windows 10 EOL as more than an IT upgrade. Companies should use tools such as Microsoft Copilot and behaviour analytics platforms, with proper safeguards in place, to cleanse, classify and protect sensitive data.
Central to Gallagher's cyber defence capabilities is the Gallagher Cyber Defence Centre, which provides ongoing monitoring services combined with regular threat intelligence and specialist insights to deliver real-time protection and defence strategies for your organisation.
Insure the risk for long-term protection
While robust cyber defence significantly reduces risk exposure, having the appropriate cyber insurance can prove critical. Our cyber specialists provide relevant guidance on cyber insurance placement and claims trends.
Our deep understanding of the evolving threat landscape ensures businesses can secure appropriate coverage that reflects their risk profile and provides adequate protection should the worst happen.
Partnering with Gallagher means businesses are not only securing appropriate insurance coverage but also transforming cyber vulnerability into a competitive advantage, ensuring they emerge stronger while others may fall behind.