You’re renewing your cyber insurance, and then you hit this question: “Do you maintain immutable, air-gapped, or offline backups of your critical business data?” If you just stared at the screen wondering what that even means — you’re in very good company. Most small business owners here in Bradenton have the same reaction.
Here’s why that question is there: ransomware attackers figured out that the fastest way to force a payout is to wipe your backups first, then encrypt everything else. CISA, the FBI, and the Internet Crime Complaint Center have all documented this as one of the most common moves in today’s ransomware playbooks. If your backup copies can be deleted using the same admin credentials an attacker just stole, your only recovery option is paying the ransom.
This post breaks down what immutable backup actually means, three common backup setups that don’t qualify (even though most people think they do), the questions to send your IT provider before you sign the form, and what to do if your honest answer is “no.”
What “Immutable Backup” Actually Means
In plain English: it’s a backup that nobody can change or delete for a set period of time. Not you, not your IT provider, and not anyone using stolen admin credentials.
That last part — stolen credentials — is what insurance carriers really care about. Most backup systems can be wiped by anyone with admin access. Immutability means the backup platform itself enforces the lock at the storage layer. No credentials, no matter how powerful, can override it during the retention window.
You might hear terms like “object lock,” “write-once-read-many,” or “WORM storage.” Different vendors use different names, but the underlying protection is the same idea.
Three Backup Setups That Don’t Qualify (Even Though You Think They Do)
These three come up constantly, and they trip up accounting firms, law offices, and financial advisors across Tampa Bay every renewal season.
A NAS or external drive sitting in your office
That network-attached storage device in your server room is reachable from your network by design. If ransomware spreads through your environment, it can reach the NAS. An attacker with domain admin credentials can wipe it clean. An external drive that gets plugged in once a week and left connected has the same problem.
These devices have a role in a broader backup strategy. On their own, they don’t answer the immutability question.
Microsoft 365 retention used as your “backup”
Microsoft 365 has data retention features, and some businesses treat them as their backup solution. They’re not — at least not in the way the insurance form is asking about. An attacker with global admin access to your tenant can delete data and purge retention holds.
Under Microsoft’s shared responsibility model, you — the customer — are responsible for backing up your own data. That’s separate from what Microsoft provides at the platform level.
If your only protection for Microsoft 365 data is what Microsoft gives you out of the box, the honest answer to the immutability question is no.
A cloud backup with immutability switched off
This is the most common gap we see with Florida businesses. Many solid backup platforms include immutability as a feature, but the setting isn’t always turned on by default. The capability exists — someone just needs to flip the switch.
Your business may be paying for a backup solution that looks great on paper while the immutability toggle sits in the off position. You can’t tell from the outside without checking.
Three Questions to Email Your IT Provider Before You Sign
Copy these into an email and send them before you check the box. Whether you’re a CPA firm in Bradenton or a law office anywhere in Manatee County, these are the right questions.
Question 1: “Are our backups immutable, and if so, how long is the immutability window?”
Carrier expectations have tightened. Most insurers want a minimum of 14 days, with 30 days increasingly cited as the preferred floor. Why? Attackers sometimes sit in a network for weeks before triggering ransomware. A backup from yesterday might already be compromised. The window needs to go back far enough to give you clean restore points from before the attacker arrived.
Question 2: “If our domain admin account or Microsoft 365 global admin account were stolen tomorrow, could that account be used to delete our backups?”
The correct answer is no. If the answer is yes — or if your provider isn’t sure — your backups are not immutable in the way the form means.
Question 3: “Can you send me a screenshot or vendor documentation showing that immutability is enabled on our account?”
A provider who can send something concrete has done the work. If they come back with verbal reassurance and nothing to show for it, treat that as a “no” until they can demonstrate otherwise.
What a Qualifying Setup Actually Looks Like
For your backup to honestly satisfy the question on the form, a few things need to be true at the same time.
Immutability must be turned on — not just available. Several major vendors including Veeam, Datto, Rubrik, and Acronis offer the capability, along with most cloud storage providers that support S3-compatible object lock. A vendor name on the invoice doesn’t answer the question by itself. The setting has to be enabled, scoped properly, and tied to credentials that aren’t shared with the rest of your environment.
Backup credentials need to be separate from your regular admin accounts. If the same login that manages your Microsoft 365 environment also controls your backup platform, a compromised admin account can reach both. A qualifying setup uses isolated credentials outside your day-to-day identity environment.
The retention window needs to be long enough. A 24-hour backup that overwrites itself daily doesn’t help if an attacker has been in your environment for a week. CISA’s #StopRansomware Guide lists immutable, tested backups as a baseline control, and most insurers now align with that position.
Restores need to be tested. A backup nobody has tried to restore in the past 12 months isn’t something you can count on when it matters. Most carriers now ask for the date of your last successful restore test — and they want to see one.
What to Do If Your Honest Answer Is “No”
Don’t panic. But don’t lie on the form either.
Declare what you actually have, and use the renewal process as your reason to fix what’s missing. The first step is asking your IT provider whether immutability can be enabled on your existing platform. In many cases, the platform already supports it — turning it on is a configuration change, not a new product purchase.
If your provider doesn’t know what you’re asking, or can’t give a clear answer to the three questions above, that response is itself important information. This area needs attention before your next renewal date, even if the rest of your IT setup is solid.
Whatever you do, don’t check “yes” just to avoid a premium increase. Cyber insurance applications function as warranty documents. If a forensic investigation after a claim finds your backups didn’t match what you declared, the carrier can rescind the policy. Coverage gets treated as if it never existed, and prior payouts under the same policy term can be clawed back. Misrepresentation discovered after a claim is one of the most expensive mistakes a small business can make on an insurance form.
Checking “no” will likely cost you something at renewal — either in premium or coverage terms. That’s a known cost, and it’s manageable. Take the hit on the application, and use the months between now and your next renewal to close the gap.
Frequently Asked Questions
What does immutable backup mean in plain English?
A backup that nobody can change or delete for a set period of time — even with administrator credentials. The storage platform enforces the lock at the system level, so no user permissions can override it.
Is Microsoft 365’s built-in retention a backup?
No. Native retention can be bypassed by a global admin or by anyone who steals those credentials. Microsoft’s shared responsibility model places backup of your data on you, the customer, separate from platform retention.
How long should the immutability window be?
Most insurers and security frameworks point to a minimum of 14 days. 30 days is increasingly the preferred floor. A longer window gives you more confident recovery if an attacker has been inside your environment for an extended period.
Can my IT provider just turn immutability on?
Often, yes. If your backup platform supports the feature and it hasn’t been enabled, this is typically a configuration change rather than a new purchase. Ask for written confirmation once it’s done.
What happens if I check “yes” when I shouldn’t?
The carrier can rescind the policy after a claim, voiding coverage retroactively. Prior payouts under the same policy term can also be clawed back. Misrepresentation is one of the most common reasons cyber insurance claims get denied.
Sources and Further Reading
- CISA #StopRansomware Guide — federal guidance on ransomware prevention, including backup and immutability recommendations.
- Microsoft shared responsibility model — Microsoft’s own documentation on which protections sit with the platform and which sit with the customer.
- FBI Internet Crime Complaint Center: Ransomware — current FBI guidance on ransomware threats and recommended controls.
If you’re not sure where your backups stand — or you just read this and realized you need to have a conversation with your IT provider — that’s a good sign. It means you’re asking the right questions. And if you want a second set of eyes before your next renewal, book a free 15-minute call with us. We’ll tell you where you stand and what to fix first. No pressure, just clarity.


