Immutable Backups for Ransomware Protection: Your Cyber Insurance Requirement
Your cyber insurance renewal just arrived. On page three, there's a checkbox asking if your backups are immutable.
You're not sure what that means. Your IT provider says you have good backups. But the question is specific, and cyber insurance carriers are increasingly making the answer a condition of coverage.
Here's the problem: many businesses think they have immutable backups when they actually don't. The backup system looks solid. The vendor invoice looks credible. But the critical setting—immutability—sits disabled in the background.
At Lewis IT, we help education institutions, financial services firms, mortgage and title companies, and construction businesses across Maryland understand exactly what cyber insurers are asking for when they require immutable backups. We've also discovered that most organizations fail this requirement without realizing it.
Getting this wrong doesn't just create a cybersecurity gap—it can void your cyber insurance coverage when you need it most.
What Immutable Backups Actually Mean
An immutable backup is one that cannot be modified or deleted for a fixed period of time—including by you, by your IT provider, and by anyone using stolen administrator credentials.
This is the critical distinction. Most backup systems can be wiped by anyone with admin access. Immutable backups are different: the backup platform itself enforces the lock at the storage layer, and no credentials—however privileged—can override it during the retention window.
Different vendors use different terminology:
- Object lock (AWS S3)
- Write-Once-Read-Many (WORM) storage
- Immutable snapshots (various vendors)
- Protected backups (some platforms)
The terminology varies. The underlying control is the same: the storage platform prevents deletion or modification regardless of who's asking.
Why Cyber Insurers Require This
Ransomware typically follows this progression:
- Initial access: via phishing, compromised credentials, or unpatched systems
- Privilege escalation: gaining domain admin or global admin access
- Reconnaissance: mapping systems and identifying backup locations
- Backup destruction: deleting or encrypting backup systems to force ransom payment
- Encryption: deploying ransomware across production systems
The backup deletion step is critical. If attackers can delete your backups using stolen admin credentials, recovery becomes impossible without paying ransom or rebuilding from scratch.
Cyber insurers view immutable backups as a baseline ransomware defense. If your backups can be deleted by anyone with admin access—stolen or otherwise—you don't actually have ransomware protection. You have a hope.
Three "Backup" Setups That Don't Actually Qualify
Lewis IT regularly discovers that businesses have protection gaps they didn't know existed. These three setups appear secure but don't satisfy cyber insurance immutability requirements:
Setup 1: NAS or External Drive in Your Office
The Setup: A network-attached storage (NAS) device sitting in your server room. An external hard drive someone plugs in once a week. A backup appliance connected to your local network.
Why It Doesn't Work: Network-attached storage devices are reachable from your network by design. If ransomware spreads across your environment—which it will—it can reach the NAS. An attacker with domain admin credentials can wipe what's on it.
An external drive that stays connected to the network has the same exposure, whether it is attached permanently or plugged in once a week and never unplugged. The moment ransomware reaches your network, it reaches any locally-connected storage.
What Cyber Insurers Say: "Your backups are on the same network as your production systems. During a ransomware attack, both can be destroyed simultaneously."
Lewis IT Recommendation: Network-attached storage has a role in a broader backup strategy—it's excellent for local, quick recovery of accidentally deleted files. On its own, it does not satisfy the immutability requirement for cyber insurance.
Setup 2: Microsoft 365 Retention Treated as Backup
The Setup: You're using Microsoft 365 for email, documents, and collaboration. Microsoft 365 includes data retention features. Some businesses treat these retention features as their backup solution.
Why It Doesn't Work: Native Microsoft 365 retention features are not backups in the sense cyber insurers mean it. An attacker with global admin access to your Microsoft 365 tenant can delete data and purge retention holds.
Under Microsoft's shared responsibility model, Microsoft is responsible for keeping the platform running. You are responsible for protecting and backing up your own data, separate from what Microsoft provides natively.
Real-world scenario: A cybercriminal gains global admin access to your Microsoft 365 environment through credential compromise. They delete email, documents, and SharePoint content. They purge retention holds. Microsoft has no obligation to recover data an authenticated global admin intentionally deleted.
What Cyber Insurers Say: "Microsoft 365 retention is a compliance feature, not a ransomware defense. An attacker with tenant admin access can bypass it."
Lewis IT Recommendation: Microsoft 365 data—especially for education institutions managing student records, financial services firms protecting client communications, mortgage/title companies with closing documents, and construction firms with project information—requires separate, immutable backup protection outside the Microsoft 365 tenant.
Setup 3: Cloud Backup with Immutability Switched Off
The Setup: You're paying for a reputable backup platform like Veeam, Datto, Rubrik, Acronis, or a cloud provider with S3-compatible object lock. The platform supports immutability. The invoice says you have enterprise backup protection.
Why It Doesn't Work: Immutability is a feature that must be enabled. It's not enabled by default on most platforms.
You're paying for a Cadillac with turbo. But someone needs to switch turbo on. If the immutability setting sits disabled, you have a capable backup system with no ransomware protection—and you won't know it until you try to recover after an attack.
The nightmare scenario: After a ransomware attack, you discover your "immutable" backups were deleted because immutability was never switched on. Your cyber insurance denial letter arrives shortly after.
What Cyber Insurers Say: "The capability may exist, but if it's not enabled, the protection doesn't exist."
Lewis IT Recommendation: Many businesses are paying for enterprise backup capability they don't actually have. You must verify that immutability is not just available as a feature—it's actively enabled and configured on your account.
Three Critical Questions to Ask Your IT Provider Right Now
Lewis IT recommends sending these three questions to your IT provider before you renew cyber insurance or verify your backup setup. Copy them directly into an email:
Question 1: "Are our backups immutable, and if so, how long is the immutability window?"
Why this matters: Cyber insurers increasingly require a minimum 14-day immutability window. Many prefer 30 days. Some require longer.
Why 30 days matters: Ransomware attackers often spend 2-4 weeks inside a network before triggering encryption. They're mapping systems, stealing data, identifying backups. A backup from yesterday may already be compromised by an attacker who's been inside your environment for weeks.
A 30-day immutability window gives you a higher probability of finding a clean restore point from before the attacker arrived.
The correct answer sounds like: "Yes, our backups are immutable with a 30-day retention window. No credentials can modify or delete them during that period."
Red flags:
- "We have native Microsoft 365 retention."
- "Our NAS can't be accessed by ransomware."
- "We have daily backups to the cloud."
- Vague answers ("We're pretty secure")
- No mention of a specific retention window
Question 2: "If our domain admin account or Microsoft 365 global admin account were stolen tomorrow, could that account be used to delete our backups?"
Why this matters: This is the immutability test. If stolen credentials can delete backups, immutability doesn't exist.
Why attackers test this: Ransomware campaigns specifically target domain admin and global admin credentials because they want to know if they can wipe backups. If they can, recovery is impossible without paying ransom.
The correct answer is: "No. Stolen admin credentials cannot delete or modify backups. The backup platform enforces immutability at the storage layer, independent of any credentials in your environment."
Answers that mean no:
- "Yes, an admin could delete them if needed."
- "I'm not sure—let me check."
- "They're protected but we can override it if necessary."
- No clear answer
Why this answer matters for cyber insurance: If admins (or stolen admin credentials) can delete backups, you don't have immutable backups. You have backups. There's a critical difference for cyber insurance purposes.
Question 3: "Can you send me a screenshot or vendor documentation showing that immutability is enabled on our account?"
Why this matters: A provider who can send concrete evidence has done the work. Verbal reassurance is not sufficient for cyber insurance verification.
What to expect:
- Screenshot from backup management console showing immutability enabled
- Vendor documentation specific to your account
- Written confirmation signed by an authorized representative
- Configuration details showing immutability scope and retention window
What not to expect (and should treat as a red flag):
- "I'm sure it's on"
- Generic marketing materials
- References to the vendor's capabilities without proof yours is enabled
- Verbal reassurance without documentation
- "We'll turn it on after you renew"
What a Qualifying Immutable Backup Setup Actually Looks Like
Lewis IT has reviewed hundreds of backup configurations for education, financial services, mortgage/title, and construction clients. Here's what actually qualifies for cyber insurance immutability requirements:
1. Immutability Is Actively Enabled
The backup platform has immutability turned on—not just available as a feature.
Qualifying platforms include:
- Veeam with immutable snapshots enabled
- Datto with immutable backups configured
- Rubrik with object lock enabled
- Acronis with immutable snapshots
- AWS S3 with object lock enabled
- Azure Blob Storage with immutability policies
- Google Cloud Storage with retention policies
- Most enterprise cloud backup providers with immutability features
What doesn't qualify:
- Backups where immutability can be overridden
- Platforms where the setting is available but not enabled
- Generic "we use cloud backups"
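The "switched off" failure in Setup 3 and the "can be overridden" failure in the list above can both be checked programmatically on the one platform this article names concretely, AWS S3 Object Lock. The following is an added example, not Lewis IT's tooling or an AWS tool: it takes the dictionary that boto3's `get_object_lock_configuration` call returns for a bucket and decides whether the configuration meets the three criteria (lock enabled, retention mode that no principal can bypass, window at least as long as the 14-day floor and the 30-day preferred window the article cites). The sample configurations are constructed for the demonstration; no AWS call is made. It assumes, correctly for S3, that COMPLIANCE mode cannot be shortened by any identity during the retention period, while GOVERNANCE mode can be bypassed by a principal holding the `s3:BypassGovernanceRetention` permission.

```python
"""Assess an S3 Object Lock configuration against the immutability criteria
in the article: enabled, not overridable, and a long enough window.

Added example, not Lewis IT's or AWS's code. The config dicts mirror the
shape under the 'ObjectLockConfiguration' key of boto3's
s3.get_object_lock_configuration(Bucket=...) response; nothing here talks
to AWS, and the sample buckets below are constructed, not real accounts.
"""
from dataclasses import dataclass, field

MIN_DAYS = 14        # common insurer floor cited in the article
PREFERRED_DAYS = 30  # window the article says insurers increasingly prefer


@dataclass
class Assessment:
    qualifies: bool
    retention_days: int
    findings: list = field(default_factory=list)


def assess_object_lock(config: dict, required_days: int = PREFERRED_DAYS) -> Assessment:
    """Decide whether a bucket's Object Lock setup gives immutability that no
    credential can override for at least `required_days`.

    Pass {} for a bucket where Object Lock was never enabled (boto3 raises
    ObjectLockConfigurationNotFoundError for such buckets).
    """
    findings = []
    if config.get("ObjectLockEnabled") != "Enabled":
        # Setup 3: the feature exists on the platform but was never switched on.
        findings.append("Object Lock is not enabled on this bucket")
        return Assessment(False, 0, findings)

    rule = config.get("Rule", {}).get("DefaultRetention")
    if not rule:
        # Lock enabled but no default rule: new objects get no retention unless
        # each upload sets it explicitly, so nothing is protected by default.
        findings.append("Object Lock enabled but no default retention rule set")
        return Assessment(False, 0, findings)

    mode = rule.get("Mode")
    # The API uses either Days or Years, never both; normalise to days.
    days = rule.get("Days", 0) or rule.get("Years", 0) * 365

    ok = True
    if mode != "COMPLIANCE":
        # GOVERNANCE retention can be removed by any principal with
        # s3:BypassGovernanceRetention, so a privileged or stolen identity can
        # delete the backup: it fails the "no credentials can delete it" test.
        findings.append(f"retention mode is {mode}, not COMPLIANCE (overridable)")
        ok = False
    if days < MIN_DAYS:
        findings.append(f"retention {days}d is below the {MIN_DAYS}-day minimum")
        ok = False
    elif days < required_days:
        findings.append(f"retention {days}d is below the required {required_days}-day window")
        ok = False
    return Assessment(ok, days, findings)


# Constructed sample configurations covering the failure modes in the article.
SAMPLES = {
    "switched_off": {},
    "governance_30d": {"ObjectLockEnabled": "Enabled",
                       "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}},
    "compliance_7d": {"ObjectLockEnabled": "Enabled",
                      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}},
    "compliance_1y": {"ObjectLockEnabled": "Enabled",
                      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}},
}


def report(samples=SAMPLES, required_days=PREFERRED_DAYS) -> dict:
    """Assess every sample bucket; returns name -> Assessment."""
    return {name: assess_object_lock(cfg, required_days) for name, cfg in samples.items()}


if __name__ == "__main__":
    for name, a in report().items():
        status = "QUALIFIES" if a.qualifies else "DOES NOT QUALIFY"
        print(f"{name:16} {status:16} {a.retention_days:>4}d  {'; '.join(a.findings)}")
```

Against a live bucket, the dict to feed in is `boto3.client("s3").get_object_lock_configuration(Bucket=name)["ObjectLockConfiguration"]`. Two caveats apply when using this as the evidence requested in Question 3: Object Lock requires bucket versioning to be on, and a default retention rule only applies to object versions written after it was set, so backups that already existed need their retention checked individually (boto3's `get_object_retention`) rather than assumed.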
2. Backup Credentials Are Isolated
Backup platform credentials are completely separate from your day-to-day administrative accounts.
Why isolation matters: If the same login that manages your Microsoft 365 environment also controls your backup platform, a compromised admin account can reach both. An attacker with your global admin credentials can access the backup system and attempt deletion.
What isolation looks like:
- Backup system uses different credentials than your Active Directory
- Backup credentials have zero connection to your Microsoft 365 or domain environment
- Backup system uses service accounts that can't be used for any other purpose
- Multi-factor authentication specific to backup access
For your industries:
- Education: Backup credentials separate from student information system access
- Financial Services: Backup credentials separate from account management systems
- Mortgage/Title: Backup credentials separate from loan origination system access
- Construction: Backup credentials separate from project management system access
3. Retention Window Is Long Enough
The immutability window is at minimum 14 days, preferably 30 days or longer.
Why length matters: A 24-hour backup that overwrites itself daily does not help if an attacker has been in your environment for a week. CISA's #StopRansomware Guide lists immutable, tested backups as a baseline control.
NIST and CISA recommendations:
- Minimum 14-day retention window
- 30-day retention increasingly preferred
- Some insurers requiring 60+ days
- Consider how long attackers typically dwell in your network
For your industries:
- Education: Minimum 30 days (student records are high-value)
- Financial Services: Minimum 30 days (regulatory requirements often demand this)
- Mortgage/Title: Minimum 30 days (closing documents have long-term value)
- Construction: Minimum 30 days (bid information remains valuable for months)
4. Backups Are Tested Regularly
A backup nobody has tested in 12 months is not something you can rely on when it matters.
What testing looks like:
- Monthly: Automated verification that backups are functioning
- Quarterly: Test restore of random files to verify recoverability
- Annually: Full system restore to isolated environment
- Documentation: Date and results of last successful restore test
Why insurers ask about this: A backup can be configured perfectly but fail silently. You won't know until you try to restore. Cyber insurers want evidence that your backups actually work.
What cyber insurers want to see:
- Date of last successful restore test
- What was restored and how long it took
- Who performed the test
- Any issues discovered and remediated
Implementation for Your Industries
Lewis IT customizes immutable backup solutions for each industry's specific requirements:
Education Institutions
Critical Data at Risk:
- Student records (FERPA-protected)
- Financial aid information
- Grades and transcripts
- Staff personal information
- Enrollment data
Lewis IT Immutable Backup Approach:
- Azure or AWS immutable backup with 30+ day retention
- Isolated backup credentials outside student information system
- Quarterly restore testing to isolated environment
- Documentation for accreditation audits
- Compliance with state education data protection laws
Cyber Insurance Alignment: Most education insurers require immutable backups. Lewis IT helps institutions prove compliance during renewals.
Financial Services and Advisors
Critical Data at Risk:
- Client account information
- Transaction records
- Portfolio data
- Regulatory communications
- Compliance documentation
Lewis IT Immutable Backup Approach:
- Enterprise backup platform with object lock
- Isolated credentials with no access to account systems
- 30+ day immutability window (often 90+ days recommended)
- Monthly automated verification, quarterly test restores
- SEC-aligned documentation and audit trails
Cyber Insurance Alignment: SEC-regulated firms face specific backup requirements. Lewis IT ensures cyber insurance coverage aligns with regulatory obligations.
Mortgage and Title Companies
Critical Data at Risk:
- Closing documents
- Customer financial information
- Title search results
- Loan documents
- Bank routing information
Lewis IT Immutable Backup Approach:
- State lending regulation-compliant backup solution
- Immutability enforced at storage layer
- Isolated backup credentials
- 30-day minimum retention (often 90 days for compliance)
- Regular testing and documentation
Cyber Insurance Alignment: Mortgage industry cyber policies increasingly require immutable backups. Lewis IT helps title companies meet these requirements and maintain state compliance.
Construction Companies
Critical Data at Risk:
- Project plans and specifications
- Budget and bid information
- Subcontractor agreements
- Safety protocols and incident reports
- Client contracts and project details
Lewis IT Immutable Backup Approach:
- Cloud-based immutable backup with 30+ day retention
- Isolated credentials for construction management systems
- Monthly verification, quarterly restore testing
- Project-specific backup documentation
- Mobile access to backup status for field teams
Cyber Insurance Alignment: Construction firms often underestimate data value. Lewis IT helps contractors understand ransomware risk and meet cyber insurance requirements.
The Insurance Reality: What Happens If You Check "Yes" When You Shouldn't
Lewis IT sees this scenario regularly: businesses check "yes" on the cyber insurance immutability question when they shouldn't.
Here's what happens next:
During the Claim Process
A ransomware attack hits your organization. Your operational systems are encrypted. You file a cyber insurance claim for recovery costs.
The insurance company begins their investigation. They ask specific questions about your backup setup. They request documentation showing immutability was configured.
You contact your IT provider and discover:
- Immutability wasn't actually enabled
- Your backups were deleted during the attack
- Recovery will take weeks or months
- Your setup doesn't match what you declared on the application
Policy Rescission
The insurance carrier reviews your application and the investigation findings. They discover you misrepresented your backup setup.
The carrier can rescind your policy retroactively. Coverage is treated as if it never existed. Any prior payouts under the same policy term can be clawed back.
The Financial Impact
Let's say you filed a $250,000 claim for recovery costs from the ransomware attack. The carrier denies the claim due to misrepresentation. But they go further:
Any other claims paid under the same policy year are now subject to clawback. If you had a prior claim for $50,000, they can demand repayment of both amounts.
The total financial exposure could be $300,000+ when you thought you had insurance protection.
Why This Matters More in 2026
Cyber insurers have tightened application requirements significantly. They're investigating backup setups more thoroughly. Forensic investigators specifically look for immutability evidence during claims investigations.
Checking "yes" when you mean "we hope so" is increasingly expensive.
What to Do If Your Honest Answer Is "No"
Lewis IT recommends this approach if your current setup doesn't qualify:
Step 1: Declare What You Actually Have
Check "no" on the cyber insurance form. Be honest about your backup setup. Your premium may increase or coverage terms may adjust, but you're being truthful.
Why this matters: Honesty now is far cheaper than denial after a claim. A known cost is manageable. A claim denial is catastrophic.
Step 2: Ask Your IT Provider One Simple Question
"Can immutability be enabled on our current backup platform?"
Likely answer: "Yes, it's a configuration change."
In many cases, you already have a capable platform. Enabling immutability is switching on a setting, not purchasing new software. This conversation often resolves in days.
Step 3: If Your Provider Can't Answer Clearly
If your provider doesn't understand the question, can't give a clear answer to the three questions earlier, or seems defensive about backup configuration, that's important information.
This area needs attention before your next renewal date—even if other parts of your IT setup are handled well.
Step 4: Plan for the Renewal Cycle
You now have 6-12 months (until your next insurance renewal) to close the gap. Use that time:
- Month 1: Enable immutability on your existing platform (if possible)
- Months 2-3: Test restore procedures and document results
- Months 4-6: Establish quarterly restore testing
- Months 6-12: Prepare documentation for the next renewal application
You'll renew with honest answers and likely better insurance terms.
What NOT to Do
Do not check "yes" on the form to dodge a premium hike.
This is tempting. Premium increases hurt. Coverage restrictions sting. But misrepresentation discovered after a claim is one of the most expensive mistakes a small business can make on an insurance form.
Cyber insurance applications function as warranty documents. If a forensic investigation after a claim finds your setup doesn't match your declaration, the carrier can rescind coverage retroactively.
Take Action: Verify Your Immutable Backup Setup Now
Lewis IT helps education, financial services, mortgage/title, and construction organizations verify—and fix—their immutable backup configurations before cyber insurance renewals.
We'll:
- Review your current backup setup and documentation
- Ask your IT provider the three critical questions
- Verify immutability is actually enabled and configured correctly
- Document findings and provide remediation roadmap
- Prepare evidence for cyber insurance applications
Email: info@lewisit.io
Phone: 240-784-1221
Website: www.lewisit.io/contact-us
Don't let backup gaps void your cyber insurance coverage. Contact Lewis IT today and ensure your immutable backup setup actually qualifies for coverage.
Frequently Asked Questions About Immutable Backups
What does immutable backup mean in plain English?
A backup that nobody can change or delete for a set period of time—including you, your IT provider, and anyone using stolen administrator credentials. The backup platform enforces the lock at the storage system level, so user permissions cannot override it. An attacker with domain admin credentials cannot delete an immutable backup during the retention window. A disgruntled employee cannot delete it. Even the backup system administrators cannot delete it before the retention period expires.
Is Microsoft 365's built-in retention feature a backup?
No. Native Microsoft 365 retention is a compliance feature, not a backup. A global admin—or anyone who steals global admin credentials—can delete data and purge retention holds. Microsoft's shared responsibility model places backup responsibility on the customer, separate from what Microsoft provides natively. For education institutions, financial services firms, mortgage and title companies, and construction businesses, Microsoft 365 data requires separate, immutable backup protection outside the Microsoft 365 tenant.
How long should the immutability window be for my cyber insurance?
Most cyber insurers cite a minimum 14-day immutability window. 30 days is increasingly the preferred floor for new policies. Some carriers require 60+ days depending on industry and risk profile. The window should be long enough that you can find a clean restore point from before an attacker arrived in your environment. Since ransomware attackers often dwell for 2-4 weeks before triggering encryption, 30 days provides meaningful protection.
Can my IT provider just turn immutability on for our existing backup platform?
Often, yes. If your current backup platform supports immutability and it hasn't been enabled, this is typically a configuration change rather than a new purchase. Ask your provider in writing: "Is immutability supported on our current platform?" If yes, ask them to enable it and provide written confirmation with a screenshot showing the setting is active. This often takes a few days and costs nothing additional.
What happens if I check "yes" on the cyber insurance form when my backups aren't actually immutable?
The carrier can rescind your policy after a claim is filed, voiding coverage retroactively. Any payouts made under the same policy term can be clawed back. Misrepresentation is one of the most common reasons cyber insurance claims are denied. If you're unsure whether your backups are truly immutable, check "no" on the form and use the renewal period to close the gap.
How do I know if immutability is actually enabled on our backup account?
Ask your IT provider for a screenshot from the backup management console showing immutability is enabled, the retention window length, and the specific configuration. Request vendor documentation specific to your account—not generic marketing materials. Ask for written confirmation signed by an authorized representative. A provider who can send concrete evidence has done the work. Verbal reassurance is not sufficient for cyber insurance verification.
What's the difference between our NAS backup and immutable cloud backup?
A NAS (network-attached storage) in your office is reachable from your network. If ransomware spreads to your network, it can reach and delete the NAS. An attacker with domain admin credentials can wipe NAS backups. Immutable cloud backup uses a storage platform that enforces immutability at the system level—no credentials, however privileged, can delete backups during the retention window. For ransomware protection and cyber insurance, only immutable cloud backups qualify.
Lewis IT provides immutable backup solutions and cyber insurance alignment services for education institutions, financial services firms, mortgage and title companies, and construction businesses throughout Maryland and the Mid-Atlantic region. From backup platform selection and configuration to immutability verification and insurance documentation, we help organizations meet cyber insurance requirements and protect against ransomware threats.