Immutable Backups: What Your Cyber Insurance Form Is Really Asking

There's one question on cyber insurance renewal forms that catches out more small and mid-sized businesses than any other: "Do you maintain immutable, air-gapped, or offline backups of your critical business data?" Most business owners tick yes without thinking twice. Backups run every night, someone's keeping an eye on them, that feels close enough. But the question is more specific than it looks, and getting it wrong doesn't just mean a higher premium next year. It can mean losing your payout entirely at the exact moment you need it most.
This article breaks down what immutable backups actually are, three setups that quietly fail the test, the questions worth putting to your IT provider before you sign anything, and what to do if your honest answer right now is no.
If you haven't looked closely at your own setup before, our earlier post on data backup and disaster recovery is a good place to start, and our walkthrough of what happens if you suffer a cyberattack or data breach covers why backups are only half the recovery story.
What "immutable backups" actually means
An immutable backup is a backup copy that can't be changed or deleted for a set period, by anyone — including you, your IT provider, and an attacker holding stolen admin credentials.
That last part is the whole point. Most backup systems can be wiped by anyone with the right login. Immutability means the storage platform itself locks the data down, and no credentials — however senior — can override that lock until the retention period ends. Depending on the vendor, you'll see this called object lock, WORM (write-once-read-many), or similar. The label changes; the underlying control doesn't.
Three setups that quietly fail the immutability test
These three come up constantly with businesses who assumed they already had this covered.
A NAS or external drive sitting on the network
A network-attached storage box in the server room is reachable from the rest of your network by design. If ransomware spreads through your environment, it can spread to the NAS. Anyone with domain admin access can wipe it, and an external drive that's plugged in and left connected has exactly the same weakness. Both have a place in a wider backup strategy — neither is an answer to the question on the form by itself.
Treating Microsoft 365 retention as your backup
Microsoft 365's retention features are useful, but they're not a backup in the sense the insurer means. Anyone with global admin access to your tenant can delete data and clear retention holds. Under Microsoft's own shared responsibility model, protecting your data sits with you, not with the platform.
Microsoft sets this out clearly in its own documentation on the shared responsibility model — worth a read if you want the detail straight from the source.
A cloud backup with immutability switched off
This is the one we see most often. Plenty of reputable backup platforms support immutability, but it isn't always turned on by default. Someone has to flip that setting. Businesses are frequently paying for a backup product that's fully capable of qualifying, while the one toggle that would make it count sits switched off.
Three questions worth sending your IT provider before you sign
Copy these into an email and get answers in writing before you tick the box.
- "Are our backups immutable, and if so, for how long?" Most insurers now want a floor of at least 14 days, with 30 days becoming the preferred minimum — long enough to cover an attacker who's been sitting quietly in your network before triggering the encryption.
- "If our domain admin or Microsoft 365 global admin account were compromised tomorrow, could that account delete our backups?" The answer needs to be no. "We don't think so" is not the same thing.
- "Can you show me evidence — a screenshot or vendor documentation — that immutability is switched on for our account?" A provider who can show you something has done the work. Verbal reassurance with nothing to back it up is worth treating as a no until proven otherwise.
What a genuinely compliant setup looks like
A few things need to be true at once for your backup to honestly answer yes to the form.
- Immutability is switched on, not just available. Vendors like Veeam, Datto, Rubrik, and Acronis all support it, as do most S3-compatible cloud storage providers — but a vendor name on the invoice doesn't answer the question on its own.
- Backup credentials sit outside your everyday admin accounts. If the login that manages Microsoft 365 also controls the backup platform, one stolen password reaches both.
- The retention window is long enough to matter. A 24-hour rolling backup is no help if an attacker has already been inside for a week.
- Restores are actually tested. A backup nobody has restored in the past year isn't something you can rely on when it counts, and most insurers will now ask for the date of your last successful restore test.
This lines up with the Australian Cyber Security Centre's Essential Eight framework, which lists regular, tested, offline or immutable backups as one of the baseline controls every Australian business should have in place.
If your honest answer right now is no
Answer the form honestly, and use the renewal as the reason to close the gap rather than paper over it.
Start by asking your provider whether immutability can simply be switched on within your existing platform. In a lot of cases the feature is already there and turning it on is a configuration job, not a new purchase. If your provider can't give you a straight answer to the three questions above, that's useful information in itself — it means this needs attention before your next renewal, even if the rest of your IT is well looked after.
One thing not to do: tick yes to avoid a premium bump. Cyber insurance applications work like warranty statements. If a forensic review after a claim shows your backups didn't match what you declared, the insurer can rescind the policy outright — treating it as if it never existed, and clawing back any payouts already made under that policy term. A no on the form will likely cost you something at renewal. That's a known, manageable cost. Discovering the mismatch after a claim is not.
If you'd rather have someone check your backup setup against the actual wording on your renewal form, our team can take a look before you sign.
Immutable backup FAQs
What does immutable backup mean in plain English?
A backup copy that nobody can alter or delete for a fixed period, even with administrator access. The storage platform enforces the lock, so login permissions can't override it.
Is Microsoft 365's built-in retention the same as a backup?
No. A global admin — or an attacker who's stolen those credentials — can bypass native retention. Protecting your Microsoft 365 data is the customer's responsibility under Microsoft's shared responsibility model, separate from what the platform retains by default.
How long should the immutability window be?
Most insurers and security frameworks now point to a 14-day minimum, with 30 days increasingly the preferred floor. A longer window matters if an attacker has been in your network for a while before triggering an attack.
Can our IT provider just turn immutability on?
Often, yes. Where the platform already supports it, enabling immutability is usually a configuration change rather than a new purchase. Ask for written confirmation once it's done.
What actually happens if we tick yes when we shouldn't?
The insurer can rescind the policy after a claim, voiding coverage retroactively and clawing back prior payouts under the same term. Misrepresentation on the application is one of the most common reasons cyber claims get denied.



