Cyber insurance applications often include a question that catches small business owners off guard:
Do you maintain immutable, air-gapped, or offline backups of your critical business data?
It sounds simple. But the answer is not always as clear as business owners expect.
Carriers added this question because ransomware operators changed their playbook. Attackers learned that the fastest way to force a payout is to destroy the backups first, then encrypt everything else. CISA, the FBI, and the Internet Crime Complaint Center have all documented this pattern as one of the most common moves in current ransomware attacks.
That matters because backups are supposed to be the recovery path. If an attacker can delete those backups using the same admin credentials they already stole, the business may have no practical option left except paying the ransom.
This is why cyber insurance carriers now ask about immutable, air-gapped, or offline backups. They want to know whether your backups can survive the same attack that compromises the rest of your environment.
For many small businesses, the honest answer is not obvious. A company may have backups. It may pay for a well-known backup platform. It may have a device in the office or retention settings in Microsoft 365. But that does not mean the backups qualify as immutable.
Before you check the box on a cyber insurance form, you need to know what immutable backup really means, which common setups do not qualify, what to ask your IT provider, and what to do if the answer is no.
Immutable Backup, Defined
An immutable backup is a backup that cannot be modified or deleted for a fixed period of time.
That restriction must apply to everyone. It applies to you. It applies to your IT provider. It also applies to anyone using stolen admin credentials.
That last part is the key.
Cyber insurance carriers are not only asking whether you have backup copies. They are asking whether those copies can be destroyed by an attacker who has already compromised your administrative accounts.
Most backup systems can be wiped by someone with enough admin access. That is exactly the problem ransomware groups try to exploit. If the same credentials that manage your network, Microsoft 365 tenant, or backup console can also delete your backup copies, the backups may not provide the protection your insurance form is asking about.
Immutability means the backup platform enforces the lock at the storage layer. During the retention window, no credentials can override that lock, no matter how privileged they are.
Some vendors call this object lock. Others call it write-once-read-many storage, or WORM storage. The words vary between platforms. The core control is the same: the backup cannot be changed or deleted until the lock period expires.
That is what makes immutable backups different from normal backups. They are designed to survive credential theft.
Three Common Backup Setups That Do Not Qualify
Many businesses have backup tools in place. But not every backup setup satisfies the immutability question on a cyber insurance application.
Three setups come up often. Business owners may assume they qualify. In many cases, they do not.
A NAS or External Drive in Your Office
A network-attached storage device, often called a NAS, may be useful. So can an external drive. Both can have a role in a broader backup strategy.
But on their own, they do not satisfy the immutability question.
A NAS sitting in your server room is reachable from your network by design. That is how it works. If ransomware spreads across your environment, it can reach the NAS too. If an attacker has domain admin credentials, they may be able to wipe what is stored there.
An external drive can have the same problem if it stays connected. If someone plugs in a drive once a week and leaves it attached, that drive is exposed to the environment. It may be convenient, but convenience is not the same as ransomware resilience.
These devices may help with local recovery in some cases. They may support part of a layered backup plan. But they do not answer the insurance question unless the data is protected from deletion during a fixed retention period.
Microsoft 365 Retention Treated as a Backup
Microsoft 365 includes retention features. Some businesses treat those features as their backup solution.
That is risky when answering a cyber insurance application.
Microsoft 365 retention is not a backup in the sense the form is asking about. An attacker with global admin access to your tenant can delete data and purge retention holds.
That means native retention may not protect you from the exact scenario carriers are concerned about: an attacker using stolen administrative access to destroy recovery options.
Microsoft’s shared responsibility model also matters here. Under that model, customers remain responsible for backing up and protecting their own data. Microsoft provides the platform, but the customer is still responsible for data protection beyond the platform’s native controls.
If your only protection for Microsoft 365 data is what Microsoft provides by default, the honest answer to the immutability question is no.
A Cloud Backup With Immutability Switched Off
This is one of the most common gaps.
Many reputable cloud backup platforms include immutability as a feature. But the setting is not always enabled by default.
That means a business can be paying for a backup solution that looks credible on paper while the most important protection is not turned on.
The platform may support immutability. The vendor may advertise immutability. The invoice may show a known backup provider. None of that proves your backups are immutable.
Someone has to enable the setting. It must be scoped properly. It must be tied to credentials that are not shared with the rest of your environment.
You cannot confirm this from the outside. You have to check.
Three Questions to Ask Before You Sign the Form
Before you check the box on your cyber insurance application, send these questions to your IT provider.
The goal is not to create friction. The goal is to get a clear answer before the form becomes a warranty statement.
Question One: Are Our Backups Immutable, and How Long Is the Immutability Window?
The first question is direct:
Are our backups immutable, and if so, how long is the immutability window?
The immutability window is the fixed period of time when the backup cannot be changed or deleted.
Carrier guidance has tightened in the past two years. Most insurers want a window of at least 14 days as a floor. A 30-day window is increasingly cited as the preferred minimum.
The length matters because attackers may sit inside a network for weeks before launching ransomware. If that happens, yesterday’s backup may already include compromised data or may not be far enough back to give you a clean restore point.
The window needs to be long enough to give the business access to backups from before the attacker arrived.
Question Two: Could a Stolen Admin Account Delete Our Backups?
The second question tests the real control:
If our domain admin account or Microsoft 365 global admin account were stolen tomorrow, could that account be used to delete our backups?
The correct answer is no.
If the answer is yes, the backups are not immutable in the way the form means. If your provider is not sure, treat that as a warning sign. This question should have a clear answer.
The point of immutability is to protect backups from stolen admin credentials. If the same admin account can manage your environment and delete your backups, the setup does not solve the ransomware problem carriers are focused on.
Question Three: Can You Show That Immutability Is Enabled?
The third question asks for proof:
Can you send me a screenshot or vendor documentation showing that immutability is enabled on our account?
A provider who can send something concrete has likely done the work. A screenshot, vendor configuration page, or written documentation gives you a record to support your answer.
If the provider only offers verbal reassurance, treat that as a no until they can demonstrate otherwise.
This is not about distrust. It is about documentation. Cyber insurance forms matter. If a claim happens later, you need your answer to match the actual setup.
What a Qualifying Backup Setup Looks Like
To honestly satisfy the question on the form, several things need to be true at the same time.
Immutability Must Be Turned On
The backup platform needs immutability enabled. It is not enough for immutability to exist as a feature.
Several major vendors, including Veeam, Datto, Rubrik, and Acronis, offer the capability. Many cloud storage providers also support S3-compatible object lock.
But the vendor name on the invoice does not answer the question. The setting must be turned on. It must be scoped correctly. It must protect the backup copies that matter to the business.
Backup Credentials Must Be Isolated
The credentials used to manage backups should sit outside your regular administrative accounts.
If the same login that manages Microsoft 365 also controls the backup platform, a compromised admin account can reach both. That is the situation immutability is meant to prevent.
A qualifying setup uses isolated credentials outside your day-to-day identity environment. This helps ensure that an attacker who steals one admin account cannot use it to delete the recovery path.
The Retention Window Must Be Long Enough
A backup that overwrites itself every 24 hours may not help if an attacker has been inside your environment for a week.
That is why the retention window matters. Most insurers point to at least 14 days as a floor. A 30-day window is increasingly preferred. Some carriers may want longer.
CISA’s Stop Ransomware Guide lists immutable, tested backups as a baseline control. Most insurers now align with that position.
The goal is not just to have a backup. The goal is to have a clean restore point from before the attacker arrived.
Restores Must Be Tested
A backup is only useful if it can be restored.
A backup nobody has tested in the past 12 months is not something you can rely on when it matters. Many carriers now ask for the date of your last successful restore test. They want to see that recovery has been proven, not just assumed.
Testing restores gives you confidence that the data is usable, the process works, and the team knows what to do during a real incident.
What to Do If Your Honest Answer Is No
If your honest answer is no, do not panic. But do not guess either.
Declare what you actually have on the form. Then use the renewal process as the reason to fix the gap.
The first step is to ask your IT provider whether immutability can be enabled on your existing platform. In many cases, the platform already supports it. Turning it on may be a configuration change rather than a new product purchase.
If the platform supports immutability and no one has enabled it, the issue may be resolved in a few days.
If your provider does not know what you are asking, or cannot clearly answer the three questions above, that response is important. It does not mean every part of your IT setup is wrong. But it does mean this area needs attention before your next renewal date.
There is one thing you should not do: do not check yes just to avoid a premium increase.
Cyber insurance applications function as warranty documents. If a forensic investigation after a claim finds that your backups did not match what you declared, the carrier can rescind the policy.
That means coverage can be treated as if it never existed. Any prior payouts under the same policy term can also be clawed back.
Misrepresentation after a claim is one of the most expensive mistakes a small business can make on an insurance form.
Checking no may cost something at renewal. It may affect the premium or coverage terms. But that is a known cost, and it is manageable. A false yes can create a much larger problem later.
Take the honest answer now. Then use the time before the next renewal to close the gap.
Frequently Asked Questions About Immutable Backups
What Does Immutable Backup Mean in Plain English?
An immutable backup is a backup that nobody can change or delete for a set period of time, even with administrator credentials.
The storage platform enforces the lock at the system level. User permissions cannot override it during the retention window.
Is Microsoft 365 Built-In Retention a Backup?
No. Native retention can be bypassed by a global admin or by anyone who steals one.
Microsoft’s shared responsibility model places backup of your data on the customer. That responsibility is separate from retention features in the platform.
How Long Should the Immutability Window Be?
Most insurers and security frameworks point to a minimum of 14 days. A 30-day window is increasingly the preferred floor, and some carriers want longer.
A longer window gives you more confidence that you can recover from a clean point if an attacker has been inside your environment for an extended period.
Can My IT Provider Just Turn Immutability On?
Often, yes.
If your backup platform supports immutability and it has not been enabled, this may be a configuration change rather than a new purchase. Ask for written confirmation once it is done.
What Happens If I Check Yes When I Should Not?
The carrier can rescind the policy after a claim. That voids coverage retroactively. Any prior payouts under the same policy term can also be clawed back.
Misrepresentation is one of the most common reasons cyber claims are denied.
Before Your Next Renewal, Get a Clear Answer
If you are not sure where your backups stand, raise the question with your IT provider before your next renewal date.
They should be able to walk you through the configuration. They should also be able to answer whether immutability is enabled, how long the retention window lasts, whether stolen admin credentials could delete the backups, and when the last successful restore test occurred.
If you do not have an IT provider, Caldera Cybersecurity can help you sort it out. We can help you review your current backup setup, identify whether it meets the insurance requirement, and build a plan to close the gap before renewal.
Sources and Further Reading
- CISA Stop Ransomware Guide for federal guidance on ransomware prevention, including backup and immutability recommendations.
- Microsoft shared responsibility model for guidance on which protections sit with the platform and which remain with the customer.
- FBI Internet Crime Complaint Center ransomware guidance for current ransomware threats and recommended controls

