ITstuffed

What Immutable Backup Means on Your Cyber Insurance Form

Your cyber insurance renewal form probably includes a question along these lines: do you maintain immutable or offline backups of your critical business data? A lot of business owners tick yes without being entirely sure what they're confirming. Some tick no and absorb the premium hit without knowing whether the gap is easy to close. Both responses have consequences, and the honest answer requires knowing what the question actually means.

Carriers added this question because ransomware operators worked out a reliable pattern: steal the admin credentials, wipe the backups, then encrypt everything else. A business with no recovery path other than paying the ransom is exactly the outcome attackers are engineering. The insurer is asking whether your backups could survive that sequence.

An immutable backup is one that cannot be modified or deleted for a fixed period of time - including by your own IT team, and including by anyone using stolen admin credentials. That last part is what the question is really testing. Most backup systems can be wiped by anyone with admin access. Immutability means the backup platform enforces a lock at the storage layer that no credentials can override or shorten during the retention window. Vendors describe this in different ways - object lock, write-once-read-many, WORM storage - but the underlying control is the same thing. One caveat worth knowing: some platforms offer two strengths of lock, a "governance" style that a sufficiently privileged account can still bypass, and a "compliance" style that no account can lift until the window expires. Only the second kind answers the question the insurer is asking.

Three setups come up regularly that do not satisfy the question, even when business owners assume they do. A network-attached storage device in your server room is reachable from your network by design - ransomware can reach it, and an attacker with admin credentials can wipe it. Microsoft 365's built-in retention features are not a backup in the sense the form is asking about; a global admin account - or anyone who steals one - can delete data and purge retention holds. Microsoft's own shared responsibility model places the responsibility for backing up your data on the customer, not on Microsoft. The third gap is the most common: many reputable backup platforms include immutability as a feature, but it is not always switched on by default. You may be paying for a solution that looks credible on paper while the immutability setting sits in the off position.

Before you sign the form, send your IT provider these three questions. First: are our backups immutable, and what is the immutability window? Most insurers want at least 14 days; 30 days is increasingly the preferred minimum, because attackers sometimes sit inside a network for weeks before triggering ransomware, and a window shorter than that dwell time leaves no clean restore point. Second: if our domain admin or Microsoft 365 global admin account were stolen tomorrow, could that account be used to delete or shorten the retention on our backups? The correct answer is no. Third: can you send me a screenshot or vendor documentation showing immutability is enabled on our account, with the lock mode and retention period visible? A provider who can send something concrete has done the work. Verbal reassurance without anything to show should be treated as a no until they can demonstrate otherwise.

A qualifying setup has a few things true at the same time. Immutability is turned on, not just available as a feature. The backup credentials are isolated from your regular administrative accounts - if the same login that manages your Microsoft 365 environment also controls your backup platform, a compromised account reaches both. The retention window is long enough to provide clean restore points from before an attacker arrived. And restores are tested from the immutable copy, with the result and date recorded - most carriers now ask for the date of your last successful restore test, and they want to see one in the past 12 months.
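To make the three questions and the qualifying setup concrete, here is an added example that is not ITstuffed's tooling or any vendor's code. It takes Amazon S3 Object Lock as one representative immutable platform, because the configuration it returns is easy to read: the JSON below is the shape produced by `aws s3api get-object-lock-configuration --bucket <name>`. The sample configurations, the 30-day threshold, and the backup dates are constructed for illustration. The first function grades a configuration against the checklist (lock enabled, compliance mode, window long enough); the second shows why the window matters by counting restore points that are both older than the attacker's arrival and still locked on the day ransomware fires.

```python
"""Grade an S3 Object Lock configuration against an insurer-style checklist.

Added example for this article, not ITstuffed's or AWS's own tooling. The
JSON shape is what `aws s3api get-object-lock-configuration` returns; the
30-day threshold and all sample data are assumptions constructed here.
"""
import json
from datetime import date, timedelta

MIN_LOCK_DAYS = 30  # assumed threshold, matching the article's "preferred minimum"


def lock_details(cfg):
    """Return (enabled, mode, days) from an Object Lock configuration dict."""
    olc = cfg.get("ObjectLockConfiguration", {})
    enabled = olc.get("ObjectLockEnabled") == "Enabled"
    retention = olc.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")  # "COMPLIANCE" or "GOVERNANCE" when set
    days = retention.get("Days", retention.get("Years", 0) * 365)
    return enabled, mode, days


def assess(cfg, min_days=MIN_LOCK_DAYS):
    """Return a list of findings; an empty list means the bucket qualifies."""
    enabled, mode, days = lock_details(cfg)
    findings = []
    if not enabled:
        findings.append("Object Lock not enabled: any credential with delete "
                        "rights can wipe the backups")
        return findings
    if mode != "COMPLIANCE":
        # GOVERNANCE mode can be bypassed by a principal holding
        # s3:BypassGovernanceRetention, so a stolen admin identity still wins.
        findings.append(f"lock mode is {mode}: a privileged principal can "
                        "bypass or shorten the retention")
    if days < min_days:
        findings.append(f"default retention is {days} days, below the "
                        f"{min_days}-day minimum")
    return findings


def clean_restore_points(backup_dates, compromise_date, today, lock_days):
    """Backups taken before the attacker arrived that are still locked today."""
    return [d for d in backup_dates
            if d < compromise_date and d + timedelta(days=lock_days) > today]


def dwell_time_demo(lock_days):
    """Daily backups; attacker present 20 days before encrypting on `today`.

    Returns how many protected, pre-compromise restore points survive.
    Constructed scenario: dates are arbitrary.
    """
    today = date(2025, 6, 30)
    compromise = today - timedelta(days=20)
    backups = [today - timedelta(days=i) for i in range(60)]
    return len(clean_restore_points(backups, compromise, today, lock_days))


# Constructed sample: a bucket that answers the form honestly with "yes".
GOOD = json.loads("""{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
  "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}""")

# Constructed sample: immutability "on", but bypassable and with a short window.
WEAK = json.loads("""{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
  "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 14}}}}""")

# Constructed sample: the feature is simply off (the real CLI raises
# ObjectLockConfigurationNotFoundError here; represented as an empty config).
OFF = {"ObjectLockConfiguration": {}}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK), ("OFF", OFF)):
        print(name, assess(cfg) or ["qualifies"])
    for window in (14, 30):
        print(f"{window}-day lock, 20-day dwell: "
              f"{dwell_time_demo(window)} clean restore points still protected")
```

The GOVERNANCE finding is the one that catches people who believe they already have immutability: the screenshot shows a lock, but the lock mode is the detail the insurer's question turns on. The dwell-time demo makes the 14-versus-30-day argument visible: with a 14-day lock and an attacker who arrived 20 days ago, every still-protected backup was taken after the compromise, so the only clean copies are the ones an admin credential can delete.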


If your honest answer to the question is no, declare it on the form and use the renewal process as the reason to fix it. Ask your IT provider whether immutability can be enabled on your existing platform. In many cases the platform already supports it, and turning it on is a configuration change rather than a new product. If your provider cannot give a clear answer to the three questions above, that response is itself worth noting - this area needs attention before your next renewal regardless of how everything else is running. For professional services firms that want this reviewed properly, IT support tailored to professional services is where to start.

One thing to avoid: do not tick yes to dodge a premium increase. Cyber insurance applications function as warranty documents. If a forensic investigation after a claim finds your backups did not match what you declared, the carrier can rescind the policy - voiding coverage retroactively. Ticking no will likely cost something at renewal, either in premium or in coverage terms. That cost is known and manageable. Misrepresentation discovered after a claim is not.

ITstuffed works with professional services businesses across Canterbury on exactly this kind of gap - reviewing what backup configurations actually look like against what insurance forms are asking. If you want a clear picture of where you stand, a 15-minute IT Fit Check is a good place to start.