Published on Tuesday, 7 July 2026 at 9:00:00 AM
If you've renewed your cyber insurance recently, you've probably noticed the forms are getting longer and more specific. One question that's catching a lot of organisations out is this: do you have immutable backups?
Most business owners tick yes and move on. Some tick yes because they have a NAS in the server room. Others tick yes because they're paying for a cloud backup product with a recognisable name on the invoice. In many of these cases, the honest answer is no, and the gap between what's declared and what's actually in place is one of the most common reasons cyber claims get denied.
Here's what the question is actually asking, and how to answer it accurately.
What immutable backup actually means
An immutable backup is one that cannot be modified or deleted for a fixed period of time, including by you, your IT provider, or anyone using stolen administrator credentials.
That last part is what insurers care about most. Most standard backup systems can be wiped by anyone with admin access. Immutability means the backup platform itself enforces a lock at the storage layer, and no credentials — however privileged — can override it during the retention window. Depending on the platform, this is called object lock, write-once-read-many, or WORM storage. The terminology varies, but the underlying control is the same.
Three common backup setups that don't qualify
A NAS or external drive in your office
A network-attached storage device in your server room is reachable from your network by design. If ransomware spreads across your environment, it can reach the NAS. An attacker with domain admin credentials can wipe it entirely. An external drive that gets plugged in weekly and left connected has the same exposure. These devices have a role in a broader backup strategy — but on their own, they don't satisfy the immutability question.
Microsoft 365 retention treated as a backup
Microsoft 365 includes data retention features, and some organisations rely on them as their backup solution. They're not. An attacker with global admin access to your tenant can delete data and purge retention holds. Under Microsoft's shared responsibility model, customers are responsible for backup and protection of their own data, separate from what Microsoft provides at the platform level. If your only protection for Microsoft 365 data is what Microsoft provides natively, the honest answer to the immutability question is no.
A cloud backup with immutability switched off
This is the most common gap. Many reputable backup platforms include immutability as a feature, but it isn't always enabled by default. Your organisation may be paying for a backup solution that looks credible on paper while the immutability setting sits in the off position. You can't tell from the outside without checking.
Three questions to ask your ICT provider before you sign the form
Send these in an email before you tick the box.
"Are our backups immutable, and if so, how long is the immutability window?" Most insurers want a minimum window of 14 days, with 30 days increasingly cited as the preferred floor. Attackers sometimes sit inside a network for weeks before triggering ransomware, so a backup from yesterday may already be compromised. The window needs to be long enough to give you clean restore points from before the attacker arrived.
"If our domain admin or Microsoft 365 global admin account were stolen tomorrow, could that account be used to delete our backups?" The correct answer is no. If the answer is yes, or if your provider isn't sure, your backups are not immutable in the way the form means.
"Can you send me a screenshot or vendor documentation showing immutability is enabled on our account?" A provider who can send something concrete has done the work. Verbal reassurance without supporting documentation should be treated as a no until they can demonstrate otherwise.
What a qualifying setup looks like
For your backup to honestly satisfy the question, a few things need to be true at the same time.
The platform needs immutability turned on, not just available as a feature. Vendors including Veeam offer the capability, as do most cloud storage providers that support S3-compatible object lock. A vendor name on the invoice doesn't answer the question. The setting has to be enabled, scoped properly, and tied to credentials that sit outside your regular administrative accounts.
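The two checks that matter on an S3-compatible object store are whether object lock is actually enabled on the backup bucket and whether its default retention is long enough and in a mode that stolen privileged credentials cannot override. The script below is an added example, not code from this article or from any backup vendor. It evaluates the dictionary shape returned by the AWS S3 GetObjectLockConfiguration API (the same shape most S3-compatible stores return) against the 14-day minimum and 30-day preferred floor quoted above; the thresholds and the sample configurations at the bottom are constructed for illustration.

```python
"""Assess an S3-style Object Lock configuration against the immutability
question on a cyber-insurance form.

Added example; not code from the original article or from any vendor.
`assess_object_lock` takes the "ObjectLockConfiguration" value returned by
the AWS S3 GetObjectLockConfiguration API (also used by most S3-compatible
object stores). The SAMPLES at the bottom are constructed, not real accounts.
"""

from dataclasses import dataclass, field

# Assumed policy thresholds, taken from the article: 14 days is the common
# minimum insurers ask for, 30 days the preferred floor.
MIN_DAYS = 14
PREFERRED_DAYS = 30


@dataclass
class Assessment:
    qualifies: bool
    retention_days: int
    findings: list[str] = field(default_factory=list)


def assess_object_lock(config: dict, min_days: int = MIN_DAYS,
                       preferred_days: int = PREFERRED_DAYS) -> Assessment:
    """Return an Assessment for one bucket's Object Lock configuration.

    `config` is the "ObjectLockConfiguration" dictionary, for example
      {"ObjectLockEnabled": "Enabled",
       "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}
    A bucket with no lock at all returns no configuration from the API, so
    pass an empty dict for that case.
    """
    findings = []

    # 1. Is the lock switched on for this bucket? Paying for a platform that
    #    supports Object Lock is not the same as having it enabled.
    if config.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on this bucket")
        return Assessment(False, 0, findings)

    rule = config.get("Rule", {}).get("DefaultRetention")
    if not rule:
        # Lock is on but there is no default retention: objects are only
        # protected if the backup client sets a retention period on every
        # write, which is not something you can confirm from the bucket.
        findings.append("no default retention rule; protection depends on "
                        "per-object settings made by the backup client")
        return Assessment(False, 0, findings)

    # 2. Mode matters. GOVERNANCE mode can be overridden by any principal
    #    holding the s3:BypassGovernanceRetention permission, so a stolen
    #    privileged account could still delete backups. COMPLIANCE mode
    #    cannot be shortened or removed by anyone until the period expires.
    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"retention mode is {mode!r}; only COMPLIANCE "
                        "resists deletion by privileged credentials")

    # 3. Window length. The API expresses the period as Days or Years.
    days = rule.get("Days", 0) + rule.get("Years", 0) * 365
    if days < min_days:
        findings.append(f"retention window {days}d is below the "
                        f"{min_days}-day minimum")
    elif days < preferred_days:
        findings.append(f"retention window {days}d meets the minimum but "
                        f"is below the preferred {preferred_days}-day floor")

    qualifies = mode == "COMPLIANCE" and days >= min_days
    return Assessment(qualifies, days, findings)


# Constructed sample configurations (not from any real account).
SAMPLES = {
    "lock-off": {},
    "governance-7d": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
    },
    "compliance-30d": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
    },
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        result = assess_object_lock(cfg)
        verdict = "qualifies" if result.qualifies else "does NOT qualify"
        print(f"{name}: {verdict} ({result.retention_days} days)")
        for finding in result.findings:
            print(f"  - {finding}")
```

The output for each sample is the kind of concrete evidence the third question below asks your provider for. Note that the check only covers the storage-layer lock; whether the lock is "scoped properly" (applied to the bucket your backup jobs actually write to) and whether the credentials that manage it sit outside your day-to-day admin accounts still has to be confirmed with the provider.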
The retention window needs to be long enough. A 24-hour backup that overwrites itself daily won't help if an attacker has been in your environment for a week. CISA's StopRansomware Guide lists immutable, tested backups as a baseline control, and most insurers now align with that position.
Restores also need to be tested. A backup nobody has tried to restore in the past 12 months is not something you can rely on when it matters. Most carriers now ask for the date of your last successful restore test, and they want to see one.
What to do if your honest answer is no
Declare what you have on the form, and use the renewal process as the reason to fix what isn't there.
In many cases, your existing backup platform already supports immutability; it just hasn't been switched on. That's a configuration change, not a new product purchase, and it can often be resolved within days.
One thing to avoid: don't tick yes to dodge a premium increase. Cyber insurance applications function as warranty documents. If a forensic investigation after a claim finds your backups didn't match what you declared, the insurer can rescind the policy retroactively. Coverage is treated as if it never existed, and prior payouts can be clawed back. Misrepresentation discovered after a claim is one of the most expensive mistakes a business can make on an insurance form.
Taking the honest hit on the application is a known, manageable cost. Misrepresenting your position and then making a claim is not.
Not sure where your backups stand?
If you're not confident you can answer the three questions above, now is a good time to find out, before your next renewal date. We work with organisations across metro and regional WA to make sure backup environments are set up the way they need to be, not just the way they appear to be.
Let's Talk.
Call: 6374 8200 email: hello@integratedict.com.au or complete an online form.