If you've renewed a cyber insurance policy recently, you've likely run into a question that stops a lot of Ontario business owners cold:
"Do you maintain immutable, air-gapped, or offline backups of your critical business data?"
It sounds technical, but the answer determines whether your policy pays out or whether a claim gets denied after a ransomware attack. Here's what the question actually means, why insurers started asking it, and how to find out where your business really stands before you sign the form.
If your backup can be wiped using the same administrator credentials an attacker just stole, you're left with one option: pay the ransom. That's the exact scenario insurers are trying to screen out with this question, and it's a major reason cyber premiums and application scrutiny have both climbed across the Ontario market over the past two renewal cycles.
An immutable backup can't be changed or deleted for a set period, not by you, not by your IT provider, and not by someone using stolen admin credentials. The protection is enforced by the storage system itself, so no login, however privileged, can override it during the lock period.
You'll see this called object lock, WORM (write-once-read-many), or immutability, depending on the vendor. The label differs; the underlying guarantee doesn't.
A NAS or external drive at your office. If it's reachable from your network, ransomware that spreads through your systems can reach it too. A device someone plugs in weekly and leaves connected is just as exposed. Useful as part of a layered strategy not sufficient on its own.
Microsoft 365 retention settings. Retention and recovery features built into Microsoft 365 are not a backup in the sense insurers mean. Someone with global admin access to your tenant can delete data and clear retention holds. Under Microsoft's shared responsibility model, protecting your own data is on you, not on Microsoft. If Microsoft 365's native tools are your only safety net, the honest answer on the application is no.
A cloud backup with immutability turned off. This is the most common gap by far. Many well-known backup platforms support immutability, but it's frequently not switched on by default. Someone has to enable it. Your business could be paying for a reputable-looking backup service that offers zero real protection because the setting was never turned on — and you can't tell from the outside without checking.
A few things need to be true at once:
Don't leave the question blank or guess. Misrepresenting your security controls on an insurance application is one of the fastest ways to get a claim denied after the fact — insurers routinely audit backup configurations following a ransomware payout request.
Instead:
The right IT partner can make sure the paperwork in your hand is accurate — so when your broker or the carrier asks a follow-up question, you're not caught flat-footed with a "we'll check and get back to you."
We'll audit your current backup setup, confirm whether immutability is actually enabled, and give you the documentation — screenshots, vendor reports, restore-test dates — to hand straight to your broker. Book a backup assessment and walk into your next renewal with answers instead of guesses.