Backup Evidence for Cyber Insurance: Why Having Backups Isn’t the Same as Proving Backups

Most Canadian small businesses have backups. Almost none of them can prove it in a way that satisfies a cyber insurer — and that gap is quietly costing them coverage, exclusions, and denied claims.

This is not a story about having the wrong backup tool. It is a story about the difference between a backup that exists and a backup that counts.

The Assumption That’s Leaving SMBs Exposed

When a Canadian SMB owner answers “yes” to the backup question on a cyber insurance application, they typically mean: we have a backup solution running somewhere. Maybe it’s a cloud sync through Microsoft 365. Maybe it’s a nightly copy to an external drive in the server room. Maybe it’s a managed backup service their IT provider set up three years ago.

When an underwriter reads that “yes,” they are thinking about something very different: a backup that is isolated from the primary environment, versioned against ransomware encryption, tested with a documented restore result, and recoverable within a timeframe that matches the business’s stated RTO.

These are not the same thing. And when a claim happens, the gap between them is where disputes live.

Why Insurers Changed What They Accept

The shift happened between 2021 and 2023. After a series of high-profile ransomware events where attackers specifically targeted backup systems before deploying encryption — knowing that a successful backup restore would cut the ransom leverage — insurers started seeing something disturbing in their claims data: businesses with backup solutions were still paying ransoms because their backups had been compromised, corrupted, or had never actually worked.

A backup that lives on a network share reachable by a compromised credential is not a backup in any meaningful sense. A backup that has never been restore-tested has an unknown failure rate. A backup that syncs continuously but lacks versioning can replicate ransomware encryption across all copies before anyone notices.

Canadian insurers responded by tightening backup requirements in underwriting questionnaires. They did not announce this loudly. But the questions changed, and the evidence bar rose.

The Standard Your Insurer Is Now Using: 3-2-1-1-0

The industry benchmark that many underwriters now reference — whether they name it or not — is the 3-2-1-1-0 rule:

• 3 copies of data
• 2 different storage media types
• 1 copy offsite or in a separate cloud environment
• 1 copy immutable (write-once, cannot be encrypted or deleted by ransomware)
• 0 backup errors verified by a tested restore

The original 3-2-1 rule was designed for hardware failure. The additions — immutability and zero-error verification — were added specifically because ransomware made the old standard insufficient.

Most SMBs are somewhere between 3-2-1 and 3-2-1-1-0. The gap is almost always on immutability and on the restore test record. Those are precisely the two items underwriters now specifically ask about.

What Cyber Insurance Applications Now Ask About Backups

Here are the backup-related questions that appear across major Canadian cyber insurance carriers’ applications and renewal questionnaires. You may be answering them correctly but without evidence to support your answers:

• Are backups stored in a location that is logically or physically separate from your production environment?
• Are backups immutable (write-protected against modification or deletion)?
• Are backups tested via restore at least annually? Quarterly?
• What is the date of your most recent successful restore test?
• What is your recovery time objective (RTO) and has it been validated?
• Are backups encrypted in transit and at rest?
• Does backup access require MFA?

The question that most often creates a gap between what SMBs answer and what they can support is: what is the date of your most recent successful restore test?

If you cannot name a specific date and describe what was restored, your “yes” to the backup question is effectively unsupported.

The Restore Test Problem

Restore testing is the single most common backup evidence gap for Canadian SMBs. It is also the gap that matters most to insurers and, in a real incident, to the business itself.

An untested backup is an assumption. It may work. It may not. Backup solutions fail silently — a misconfigured job, a permissions change, a storage limit hit — and the failure only surfaces when you need a restore. By then, the incident is already happening.

Insurers know this. Their actuaries have the claims data. Businesses that can demonstrate restore testing have materially better outcomes in ransomware events. Insurers price this into both underwriting decisions and post-claim disputes.

A restore test does not need to be a full system restore. It needs to be a documented test of your ability to recover a specific data set from your backup, with a record of: the date, what was restored, who performed it, how long it took, and whether it succeeded.

What a Complete Backup Evidence Package Contains

When an insurer’s underwriter or a broker working on your renewal asks for backup evidence, this is what a well-organized submission includes:

• Backup solution documentation: Screenshots or reports from your backup platform (Veeam, Acronis, Azure Backup, Backblaze, Datto, etc.) showing scope, frequency, and retention settings
• Offsite/isolation confirmation: Evidence that at least one copy is stored in a separate environment — cloud tenant, separate account, air-gapped device — unreachable from your primary network with a single compromised credential
• Immutability configuration: Screenshots showing immutable storage settings (e.g., Azure Blob immutability policy, Veeam immutable backups, S3 Object Lock)
• Restore test record: A documented record of your most recent restore test — date, what was restored, duration, result, who performed it. A simple signed document is sufficient if the date is recent and the record is specific.
• MFA on backup access: Confirmation that access to backup management consoles requires MFA
• Encryption confirmation: Statement or screenshot confirming backups are encrypted in transit and at rest

None of this documentation requires specialized tools to produce. All of it is obtainable from your existing backup platform. The gap is almost never capability — it is organization.

The Practical Problem: Pulling This Together Under Renewal Pressure

Cyber insurance renewals in Canada typically arrive with 30 to 60 days’ notice. Your broker sends the application, you need to return it with supporting documentation, and the renewal date is fixed.

Most SMBs are assembling this evidence package for the first time, under deadline, while also running a business. Their IT provider may or may not respond quickly. The backup console may require someone with admin access who is unavailable. The restore test hasn’t been run in 18 months.

This is the moment when “we have backups” runs into “we cannot prove what our backups look like.” The insurer either accepts the application with backup-related exclusions, applies a premium loading, requests a supplemental questionnaire that extends the timeline, or in some cases declines to renew on favourable terms.

The answer to this problem is not a new backup tool. It is an organized evidence practice that runs year-round — so that when the renewal arrives, the documentation already exists.

How Readiness AI Helps

Readiness AI helps Canadian SMBs organize cyber control evidence — including backup documentation — into a structured, broker-ready format before the renewal deadline arrives.

Rather than scrambling to pull screenshots and logs under pressure, your backup evidence is maintained as a living record: restore test history, configuration screenshots, isolation confirmation, and MFA documentation — organized by control category and ready to submit.

Readiness AI does not replace your backup solution. It makes the evidence of what your backup solution does visible, organized, and defensible.

Start your Readiness Review to see what your current backup evidence package looks like and where the gaps are. Or view a sample evidence pack to see what a complete submission looks like.

---

Readiness AI helps Canadian SMBs organize cyber readiness evidence for insurance renewal, client security reviews, and compliance workflows. It does not provide insurance advice, legal advice, or a guarantee of coverage. Businesses should work with a qualified cyber insurance broker for advice specific to their situation.

Frequently Asked Questions

What backup evidence do cyber insurers require in Canada?

Canadian cyber insurers typically require evidence of: offsite or air-gapped backup storage, immutable (write-protected) backup copies, a documented restore test with a recent date, MFA on backup management access, and encryption of backup data in transit and at rest. Self-reported answers on applications are increasingly subject to evidence verification.

How often should backups be tested for cyber insurance purposes?

Most Canadian cyber insurers ask whether backups are tested at least annually, with some requiring quarterly testing for higher-risk organizations. The minimum defensible practice is a documented restore test within the past 12 months. The test record should include the date, what was restored, who performed it, and the outcome.

Does Microsoft 365 backup count for cyber insurance?

Microsoft 365’s native data retention is not a backup in the insurer’s sense. Microsoft retains deleted items for limited periods and does not protect against ransomware encryption, accidental mass deletion, or malicious insider activity in the way a dedicated backup solution does. Most underwriters expect a third-party backup solution covering Microsoft 365 data, with evidence of offsite storage and restore testing.

What is an immutable backup and why do insurers care?

An immutable backup is a copy that cannot be modified, encrypted, or deleted for a defined retention period — even by an administrator with credentials. Insurers care because ransomware operators have learned to target and encrypt backup repositories before deploying the main attack payload. Immutable backups break this attack chain. Major backup platforms and cloud providers support immutability as a configurable feature.