Have Questions? Call ParJenn Technologies (409) 684-2517   |   Customer Portal
immutable backup
Cybersecurity IT Best Practices IT Strategy

What Immutable Backup Means on Your Cyber Insurance Form

Cyber insurance applications include a question that catches a lot of Southeast Texas small business owners off guard: “Do you maintain immutable, air-gapped, or offline backups of your critical business data?”

Most owners check yes — they have what they think qualifies as an immutable backup. They have backups, the backups run every night, and someone is paid to manage them. That feels like a yes.

The question is asking something more specific. If an attacker had your admin credentials right now, could they delete your backups before you noticed? A backup sitting on your network under the same admin account doesn’t pass that immutable backup test — and neither does Microsoft 365’s native retention, or most cloud backup setups where the immutability toggle was never switched on.

Checking yes when the honest answer is no isn’t just a rounding error on the form. Carriers treat cyber insurance applications as warranty documents. If a forensic investigation after a claim finds your backups didn’t match what you declared, the carrier can rescind the policy — treating it as if it never existed. Coverage gone, prior payouts clawed back, and the full cost of the incident lands on you.

This post covers what immutable backup means, three common setups that don’t qualify, and the questions to send your IT provider before you sign the form.

Immutable Backup, Defined

An immutable backup is one that cannot be modified or deleted for a fixed period of time — including by you, by your IT provider, and by anyone using stolen admin credentials.

That last part is what carriers care about. Most backup systems can be wiped by anyone with admin access. Immutability means the backup platform itself enforces the lock at the storage layer, and no credentials — however privileged — can override it during the retention window. Some platforms call this object lock, write-once-read-many, or WORM storage. The terminology varies by vendor, but the underlying control is the same.

Carriers added the immutable backup question to renewal forms because ransomware operators have documented a consistent pattern: destroy the backups first, then encrypt production systems. CISA, the FBI, and the Internet Crime Complaint Center have all flagged this as one of the most common moves in current ransomware playbooks. A business whose backups can be deleted using the same credentials an attacker just stole has no recovery path except paying the ransom.

Three Common Backup Setups That Don’t Qualify

Three setups come up regularly that don’t satisfy the immutability question, even though business owners often assume they do.

A NAS or External Drive in Your Office

A network-attached storage device sitting in your server room is reachable from your network by design. If ransomware spreads across your environment, it can reach the NAS. An attacker with domain admin credentials can wipe what’s on it. An external drive that someone plugs in once a week and leaves connected has the same exposure.

These devices have a role in a broader backup strategy, but they do not meet the immutable backup standard. On their own, they do not satisfy the immutability question on a cyber insurance form.

Microsoft 365 Retention Treated as a Backup

Microsoft 365 includes data retention features, and some Southeast Texas businesses use them as their backup solution. They are not a backup in the sense the form is asking about. An attacker with global admin access to your tenant can delete data and purge retention holds.

Under Microsoft’s shared responsibility model, customers retain responsibility for backup and protection of their own data, separate from what Microsoft provides at the platform level. If your only protection for Microsoft 365 data is what Microsoft provides natively, the honest answer to the immutability question is no.

A Cloud Backup with Immutability Switched Off

This is the most common immutable backup gap ParJenn Technologies finds when reviewing backup configurations for Southeast Texas businesses. Many reputable backup platforms include immutability as a feature, but the setting is not always enabled by default. Your business may be paying for a backup solution that looks credible on paper while the immutability toggle sits in the off position. You cannot tell from the outside without checking.

Three Questions to Send Your IT Provider Before You Sign the Form

Copy these into an email and send them before you check the box.

  • “Are our backups immutable, and if so, how long is the immutability window?” Most insurers want a minimum of 14 days, with 30 days increasingly cited as the preferred floor. Attackers sometimes sit in a network for weeks before triggering ransomware, which means a backup from yesterday may already be compromised.
  • “If our domain admin or Microsoft 365 global admin account were stolen tomorrow, could that account be used to delete our backups?” The correct answer is no. If the answer is yes — or if your provider isn’t sure — your backups are not immutable in the way the form means.
  • “Can you send me a screenshot or vendor documentation showing that immutability is enabled on our account?” A provider who can send something concrete has done the work. Verbal reassurance with nothing to show should be treated as a no until they can demonstrate otherwise.

What a Qualifying Setup Looks Like

For your backup to honestly satisfy the question on the form, a few things need to be true simultaneously.

The immutable backup platform needs immutability turned on — not just available as a feature. Several major vendors including Veeam, Datto, Rubrik, and Acronis offer the capability, along with most cloud storage providers that support S3-compatible object lock. A vendor name on the invoice does not answer the question. The setting has to be enabled, scoped properly, and tied to credentials that aren’t shared with the rest of your environment.

The backup credentials need to sit outside your regular administrative accounts. If the same login that manages your Microsoft 365 environment also controls your backup platform, a compromised admin account can reach both. A qualifying setup uses isolated credentials outside your day-to-day identity environment.

The immutable backup retention window needs to be long enough. A 24-hour backup that overwrites itself daily doesn’t help if an attacker has been in your environment for a week. And restores need to be tested — most carriers now ask for the date of your last successful restore test.

What to Do If Your Honest Answer Is No

Declare what you have on the form honestly — if you don’t have a qualifying immutable backup setup, say so — and use the renewal process as the reason to fix it.

The first step is to ask your IT provider whether an immutable backup configuration can be enabled on your existing platform. In many cases the platform already supports it, and turning it on is a configuration change rather than a new product purchase. If your provider can’t give a clear answer to the three questions above, that response is itself important information.

One thing to avoid: don’t check yes on the form to dodge a premium hike. Checking no will likely cost something at renewal — either in premium or coverage terms. That’s a known, manageable cost. Misrepresentation discovered after a claim is not.

If you’d like help reviewing your current immutable backup configuration and answering this question accurately before your next renewal, our managed IT services include backup audits and immutability configuration for Southeast Texas businesses — schedule a free IT checkup to get started.

Frequently Asked Questions: Immutable Backup

What does immutable backup mean in plain English? A backup that nobody can change or delete for a set period of time, even with administrator credentials. The storage platform enforces the lock at the system level, so user permissions cannot override it during the retention window.

Is Microsoft 365’s built-in retention considered an immutable backup? No. Native Microsoft 365 retention can be bypassed by a global admin or by anyone who steals those credentials. Microsoft’s shared responsibility model places backup of your own data on the customer, separate from what Microsoft provides at the platform level.

How long should the immutability window be? Most insurers and security frameworks point to a minimum of 14 days, with 30 days increasingly the preferred floor. A longer window gives you confident recovery points from before an attacker arrived, since ransomware operators often sit in a network for weeks before triggering the encryption.

Can my IT provider just turn immutability on? Often yes. If your backup platform supports the feature and it hasn’t been enabled, this is typically a configuration change rather than a new purchase. Ask for written confirmation — a screenshot or vendor documentation — once it’s done.

What happens if I check yes on the cyber insurance form when I shouldn’t? The carrier can rescind the policy after a claim, which voids coverage retroactively. Any prior payouts under the same policy term can also be clawed back. Misrepresentation is one of the most common reasons cyber claims are denied and one of the most expensive mistakes a Southeast Texas business can make on an insurance form.

Article used with permission from The Technology Press.


Discover more from ParJenn Technologies

Subscribe to get the latest posts sent to your email.

Leave a Reply

Subscribe