Ensure Your Cyber Insurance Pays: The Importance of Immutable Backups
IT Services Manufacturing Construction Accounting Jul 9, 2026 9:00:03 AM Attitude IT 4 min read
If you've renewed a cyber insurance policy recently, you've likely run into a question that stops a lot of Ontario business owners cold:
"Do you maintain immutable, air-gapped, or offline backups of your critical business data?"
It sounds technical, but the answer determines whether your policy pays out or whether a claim gets denied after a ransomware attack. Here's what the question actually means, why insurers started asking it, and how to find out where your business really stands before you sign the form.
Why Insurers Started Asking
If your backup can be wiped using the same administrator credentials an attacker just stole, you're left with one option: pay the ransom. That's the exact scenario insurers are trying to screen out with this question, and it's a major reason cyber premiums and application scrutiny have both climbed across the Ontario market over the past two renewal cycles.
What "Immutable" Actually Means
An immutable backup can't be changed or deleted for a set period, not by you, not by your IT provider, and not by someone using stolen admin credentials. The protection is enforced by the storage system itself, so no login, however privileged, can override it during the lock period.
You'll see this called object lock, WORM (write-once-read-many), or immutability, depending on the vendor. The label differs; the underlying guarantee doesn't.
Three Setups Ontario Businesses Often Mistake for "Immutable"
A NAS or external drive at your office. If it's reachable from your network, ransomware that spreads through your systems can reach it too. A device someone plugs in weekly and leaves connected is just as exposed. Useful as part of a layered strategy not sufficient on its own.
Microsoft 365 retention settings. Retention and recovery features built into Microsoft 365 are not a backup in the sense insurers mean. Someone with global admin access to your tenant can delete data and clear retention holds. Under Microsoft's shared responsibility model, protecting your own data is on you, not on Microsoft. If Microsoft 365's native tools are your only safety net, the honest answer on the application is no.
A cloud backup with immutability turned off. This is the most common gap by far. Many well-known backup platforms support immutability, but it's frequently not switched on by default. Someone has to enable it. Your business could be paying for a reputable-looking backup service that offers zero real protection because the setting was never turned on — and you can't tell from the outside without checking.
Three Questions to Send Your IT Provider Before You Sign
- "Are our backups immutable, and if so, for how long?" Guidance has tightened. A 14-day floor is common, with 30 days increasingly the preferred minimum insurers want to see. Attackers often sit inside a network for weeks before triggering an attack, so a backup from yesterday may already be compromised. You need clean restore points from before the intrusion started.
- "If our domain admin or Microsoft 365 global admin account were stolen tomorrow, could that account delete our backups?" The answer needs to be no. If it's yes — or your provider isn't sure — the backups aren't immutable in the way the insurance form means.
- "Can you show me documentation or a screenshot confirming immutability is actually enabled?" A provider who did the work can show you proof. Verbal reassurance with nothing to back it up should be treated as a no until proven otherwise.
What a Qualifying Setup Looks Like
A few things need to be true at once:
- Immutability is switched on, not just technically available. Veeam, Datto, Rubrik, Acronis, and most S3-compatible cloud object storage all support it — but the vendor name on your invoice doesn't answer the question by itself.
- Backup credentials are isolated from your everyday admin accounts. If the login managing your Microsoft 365 environment also controls your backup platform, one compromised account puts both at risk.
- The retention window is long enough to outlast dwell time. CISA's #StopRansomware Guide lists tested, immutable backups as a baseline control, and Canadian insurers are increasingly aligning with that standard.
- Restores are actually tested. A backup no one has restored from in the last year isn't something you can count on when it counts. Most carriers now ask for your last successful restore test date — and expect a real one.
- Ask your IT provider to close the gap and give you documentation proving it — screenshots, vendor configuration reports, or a signed attestation showing immutability is enabled, scoped correctly, and tied to isolated credentials.
- For many businesses this is a configuration change on an existing platform, not a full switch to a new vendor.
- Hand that documentation to your broker. Your IT provider's job is to make the controls real and prove it in writing; your broker's job is to translate that into what the carrier needs to see. Neither one should be guessing at what the other does.
If Your Honest Answer Is "No"
Don't leave the question blank or guess. Misrepresenting your security controls on an insurance application is one of the fastest ways to get a claim denied after the fact — insurers routinely audit backup configurations following a ransomware payout request.
Instead:
The right IT partner can make sure the paperwork in your hand is accurate — so when your broker or the carrier asks a follow-up question, you're not caught flat-footed with a "we'll check and get back to you."
Need Proof, Not Promises?
We'll audit your current backup setup, confirm whether immutability is actually enabled, and give you the documentation — screenshots, vendor reports, restore-test dates — to hand straight to your broker. Book a backup assessment and walk into your next renewal with answers instead of guesses.
Attitude IT
Since 2003, Attitude IT has been helping businesses in Ontario keep their technology on course.