Cherwell EOL and Data Retention: What Regulated Industries Need to Know Before December 2026

31 Mar 2026 · By Brian Parks, CEO — Synapse Software
Former Senior Software Engineer at Cherwell Software (2017–2020)

The Problem Nobody Puts in the Migration SOW

I’ve had a lot of conversations with Cherwell customers over the past year. Most of them are mid-migration or actively evaluating a new ITSM platform. ServiceNow, Jira Service Management, HaloITSM, Ivanti Neurons. The platform decision is well underway.

But there’s a question that almost never shows up in the migration project plan: what happens to the historical data that stays behind?

Your migration partner will move your active data. Open incidents, recent changes, current configurations, maybe the last 12 to 24 months of tickets. Everything older stays in the Cherwell database. And after December 31, 2026, that database is sitting on an unsupported platform with no patches, no vendor support, and no clear path to access.

For most companies, that’s an inconvenience. For regulated industries, it’s a compliance exposure.

What Lives in Your Cherwell Database That Regulators Care About

Cherwell isn’t just a ticketing system. At most regulated organizations I’ve worked with, it contains:

  • IT change management records tied to financial reporting systems (SOX scope)
  • Incident records with references to protected health information (HIPAA scope)
  • Access control and provisioning documentation
  • HR case management data with personally identifiable information
  • Facilities and physical security request records
  • Audit trail logs for IT General Controls (ITGC)
  • Custom business objects unique to your organization’s compliance workflows

If your Cherwell instance touches any of these, you have regulated data that must remain accessible for years after the platform goes dark.

The Regulation-by-Regulation Reality

I’ll go deep on the two that affect the most Cherwell customers, then summarize the rest.

HIPAA (Healthcare)

The HIPAA Security Rule requires covered entities and business associates to retain compliance documentation for six years from the date of creation or the date a policy was last in effect, whichever is later. That’s the federal floor. State medical record retention laws often extend to seven or ten years, and CMS requires ten years for Medicare cost-report providers.

What this means for Cherwell: if your service desk handles tickets involving patient information, if your change management process governs systems that store or transmit PHI, or if your incident records document security events involving healthcare data, those records are in scope.

Enforcement is not slowing down. OCR collected over $9.9 million in penalties across 22 enforcement actions in 2024. The most frequently cited violation was failure to conduct an adequate risk analysis. Running unsupported software connected to a database containing PHI is exactly the kind of gap that triggers an investigation. State attorneys general imposed an additional $19.5 million in HIPAA-related fines in 2024 across nine enforcement actions.

The question an auditor will ask: “Can you produce the original incident record from three years ago showing how your team responded to this PHI-related security event?” If the answer involves firing up an unsupported Cherwell instance or searching through CSV files, you have a problem.

SOX (Public Companies and Financial Services)

SOX Section 802 requires audit-related records to be retained for seven years. That includes IT change management documentation supporting financial reporting, ITGC evidence captured through ITSM workflows, and any records used in the preparation or review of financial statements.

Section 802 makes it a federal crime to knowingly destroy, alter, or conceal records with the intent to impede a federal investigation. The penalty: up to 20 years imprisonment and fines up to $5 million. Section 906 adds personal criminal liability for executives who certify financial reports they know aren’t compliant: up to $1 million and 10 years for knowing violations, up to $5 million and 20 years for willful violations.

No public company wants to explain to the SEC why IT change records supporting financial reporting are trapped on an unpatched platform with no vendor behind it. And “we exported everything to CSV” is not an answer that satisfies an auditor looking for original-format records with intact relationships and audit trails.

The Full Regulatory Landscape

Here’s what every regulation requires at a minimum: that records remain accessible, searchable, and intact for the mandated retention period. Not just stored. Accessible.

| Regulation | Retention Period | Who It Applies To | What’s in Your Cherwell DB |
|---|---|---|---|
| HIPAA | 6 years (federal); states often 7–10 years | Healthcare providers, health plans, business associates | PHI-related incidents, change records for PHI systems, access logs, breach documentation |
| SOX (§802) | 7 years for audit records | All US publicly traded companies | IT change management, ITGC evidence, records supporting financial reporting |
| GLBA | 6 years; disposal required within 2 years after last use | Banks, insurance companies, financial institutions | Customer financial data in service requests, access provisioning, change management |
| NERC CIP | 3–6 year audit period | Electric utilities, grid operators, energy companies | Cyber security incident records, change management for BES systems, access control evidence |
| FERPA | 3 years (federal); states often 5–7+ years | Educational institutions receiving federal funding | Student-related service requests, IT access records, HR cases |
| State Govt Records | Varies by state; often 7+ years | State and local government agencies | FOIA-responsive records, citizen-facing service requests, internal operations data |
| SEC Rule 17a-4 | 3–6 years depending on record type | Broker-dealers, securities firms | Communications, transaction support records, compliance documentation |

The Timeline That Nobody’s Talking About

Here’s the math that should concern every regulated Cherwell customer:

  • Cherwell EOL: December 31, 2026.
  • SOX retention window: 7 years from audit conclusion. A 2026 audit means records must be accessible until 2033.
  • HIPAA retention window: 6 years from creation or last effective date. Records created in 2024 must be accessible until 2030 at minimum.
  • GLBA retention window: 6 years. Customer financial data from 2023 must be accessible until 2029.

That means the data in your Cherwell database needs to be accessible for three to seven years after the platform loses support. You’re not archiving for convenience. You’re archiving for compliance.

What “Accessible” Actually Means to an Auditor

This is where most organizations get it wrong. “Accessible” doesn’t mean “we have the raw data in a SQL backup somewhere.” It means:

  • Records can be retrieved without reactivating the retired platform.
  • Records are in their original format with relationships intact. An incident linked to a change request linked to a configuration item. Not three separate CSV files.
  • Records are searchable. An auditor says “show me every change request that touched your ERP system in Q3 2024” and you can produce the answer in minutes, not days.
  • Attachments, journal entries, and audit trails are preserved. The full record, not a summary.

If your archive strategy can’t meet these four criteria, it’s not an archive. It’s a backup. And a backup is not a compliance strategy.

What You Should Do Before December 2026

Every regulated Cherwell customer should be doing three things right now:

  1. Inventory your regulated data. Which Cherwell business objects contain records subject to HIPAA, SOX, GLBA, NERC CIP, or state mandates? How many years of history do you have? Which custom objects are unique to your compliance workflows?
  2. Check your migration SOW. Ask your migration partner explicitly: is historical data in scope? If it’s not, and it usually isn’t, you need a separate strategy for retaining access to that data.
  3. Evaluate your archive options before the deadline. Your retention obligations extend years beyond December 2026. The solution you choose needs to make regulated records accessible, searchable, and intact for the full retention window without depending on unsupported software.

The organizations that handle this well will have their archive strategy in place before the migration is complete. The ones that don’t will find out the hard way, the first time an auditor asks for a record they can’t produce.

Frequently Asked Questions

When is Cherwell Service Management end of life?

December 31, 2026. After that date, historical data that remains only in Cherwell sits on an unsupported platform—no patches, no vendor support, and for cloud customers, no running instance. Regulated retention clocks keep running regardless.

How long must Cherwell records remain accessible after EOL?

It depends on the framework. SOX audit-related IT and change evidence is commonly held to a seven-year standard; HIPAA documentation has a six-year federal floor with longer periods in many states; GLBA-adjacent and other rules add their own windows. The binding constraint is often that data must stay accessible for years after Cherwell itself is unsupported—so your archive strategy must outlive the product, not the project schedule.

Why isn’t a SQL backup or CSV export enough for auditors?

Auditors ask for complete records in context—relationships between incidents, changes, configuration items, journals, and attachments—not disconnected tables. A backup you cannot query without reviving Cherwell, or CSVs that strip structure, usually fails the practical meaning of accessible, searchable, and intact.

Will our ITSM migration SOW cover historical Cherwell data?

Often no. Migration partners typically scope going live on the new platform and a limited history window, not full archival of regulated objects across the retention period. You should confirm in writing what is in scope and plan a separate archival approach if historical data is excluded.

For historical Cherwell data that stays behind after migration, Cortex Archive reads your database backup and preserves the familiar record experience without keeping Cherwell in production. For more context, see what happens to your data after December 2026 and our audit-readiness guide for public companies.