Why backups are key to driving down cyber insurance
It wasn’t long ago that the cyber insurance market was in a highly precarious position. In the aftermath of the pandemic, ransomware surged as attackers became more sophisticated, organised and targeted in their efforts, looking to capitalise on the opportunities that widespread digitisation provided amidst stay-at-home orders.
In turn, organisations began to be hit with multi-million-dollar ransom demands. The 2021 attack on Colonial Pipeline stands as a prime example, having made headlines due to gas supply shortages in some US states. Critically, the company paid a $4.4 million ransom within hours.
Quickly, that spike in attacks put the cyber insurance market in trouble. With claims rising and insurers facing huge losses, many were forced to reassess their models, dramatically increasing premiums. According to Swiss Re, global cyber insurance premiums doubled from 2017 to 2020 and again from 2020 to 2022. Further, in 2023, around one fifth of insurers elected to remove ransomware protection altogether.
In more recent times, the market has cooled slightly. In fact, premiums actually declined 6% over the last three quarters of 2024. However, the sector remains highly prescriptive over what is required for a company to be considered for cyber insurance. Most cyber insurers now require evidence of technical and procedural controls before granting coverage or reducing premiums. These typically include endpoint protection, incident response plans, MFA, regular vulnerability assessments, and – crucially – a tested and secure backup strategy.
Organisations today are expected to align with a much more stringent set of criteria to qualify for policies, with much greater emphasis on resilience.
Data storage and backups have become a critical part of that picture. According to the Apricorn Annual Survey of IT decision makers conducted in 2024, nearly half (46%) of respondents consider a robust backup policy to be the most important factor required to ensure cyber insurance compliance – up from 28% in 2023.
Having robust backup processes in place ensures that even if systems fall victim to ransomware, those businesses will still have the ability to restore their information and systems and continue to operate. Equally, they also can’t be held to ransom as effectively.
Such demands are likely to have influenced the upward trend in the adoption of comprehensive backup strategies. Indeed, Apricorn’s survey found that the use of automated backups to both central and personal repositories has surged to 30%, up from 19% in 2023.
Many organisations are also becoming increasingly aware that paying ransoms doesn’t always guarantee that a business will get its data back. One 2025 report shows that over a quarter (26.5%) of companies were unable to recover their data after paying the ransom.
Apricorn’s survey further reveals that half of IT decision makers had to turn to backups to recover data. But while 50% were able to do so successfully, 25% were only able to partially recover their data/documents, and a further 8% were unsuccessful, demonstrating that not all backup strategies are effective.
The survey also found that almost one in ten respondents acknowledged their current backup systems are not sufficiently robust to allow rapid recovery from any attack. And attackers are all too aware of this. The 2025 Ransomware Report shows that 89% of organisations had their backup repositories targeted by cybercriminals, with many going after restoration strategies to prevent victims from responding to threats.
To ensure that backups can be used as intended – to recover data quickly and comprehensively – enterprises need to adopt and implement robust backup strategies, and the prescriptive requirements of insurers can be used as a guide for best practice. Indeed, many insurers specifically demand regular backup testing and multi-factor authentication for backups to reduce cyber liability. While a strong backup policy alone won’t meet every insurer requirement, it can fulfil several key ones. These include demonstrating resilience through regular and successful recovery tests, encryption of stored data, and implementation of offline or immutable backups. Aligning with these criteria helps reduce the likelihood of payout and therefore can directly influence premium costs. Further, if you also have active measures in place to protect your backups, you’ll be better placed to negotiate lower premiums.
To align with insurer requirements, organisations should centre their backup and recovery strategy around the ‘3-2-1’ rule – a practice advised by many leading cybersecurity bodies, such as the UK’s National Cyber Security Centre (NCSC). This states that companies should back up at least three copies of data, to at least two different places, with at least one of these offsite. It’s also recommended that at least one copy of the data should be offline, such as on an encrypted removable hard drive that can be disconnected from the network. Should the encrypted backup be compromised, it will then remain unreadable.
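The check below is an added example, not part of the original article: it audits a backup inventory against the 3-2-1 rule, the offline-copy recommendation, and the encryption and restore-test criteria listed above. The `BackupCopy` fields, the 90-day restore-test window and both inventories are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class BackupCopy:
    name: str
    location: str                       # distinct place or medium holding the copy
    offsite: bool
    offline: bool                       # disconnected from the network
    encrypted: bool
    last_restore_test: Optional[date]   # last successful restore test, if any

def audit_backups(copies: List[BackupCopy], today: date,
                  max_test_age_days: int = 90) -> List[str]:
    """Return findings; an empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than three copies")
    if len({c.location for c in copies}) < 2:
        findings.append("fewer than two different places")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.offline for c in copies):
        findings.append("no offline copy")
    for c in copies:
        if not c.encrypted:
            findings.append(f"{c.name}: not encrypted")
        if c.last_restore_test is None:
            findings.append(f"{c.name}: restore never tested")
        elif (today - c.last_restore_test).days > max_test_age_days:
            findings.append(f"{c.name}: restore test older than {max_test_age_days} days")
    return findings

TODAY = date(2025, 6, 1)  # fixed so the constructed samples give stable results
# Constructed sample: two online copies on the same NAS, one never restore-tested.
WEAK = [
    BackupCopy("nas-daily", "hq-nas", False, False, True, date(2024, 1, 10)),
    BackupCopy("nas-weekly", "hq-nas", False, False, False, None),
]
# Constructed sample: three encrypted copies, three places, one offsite and offline.
HARDENED = [
    BackupCopy("nas-daily", "hq-nas", False, False, True, date(2025, 5, 1)),
    BackupCopy("cloud-weekly", "cloud-bucket", True, False, True, date(2025, 4, 15)),
    BackupCopy("usb-monthly", "removable-drive", True, True, True, date(2025, 5, 20)),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_backups(inventory, TODAY) or "all checks passed")
```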
Thankfully, IT decision makers are showing awareness of the importance of encryption. Indeed, when asked what tools and strategies they currently incorporate into employee usage policies to meet cyber insurance compliance, the Apricorn survey found that many said they encrypted storage at rest (35%) and on the move (39%).
By ensuring that your backup policy is multilayered in this way – including offsite and offline versions within a regularly tested system – you will be able to demonstrate to insurers that you take resilience seriously.
Today, that’s more important than ever. As the cost and frequency of claims has grown in recent years, so too have policy requirements. Backups are a core way of providing proof of due diligence and of negotiating better terms and reducing premiums over time.
In a world where ransomware remains rampant, backups can save organisations millions – something that insurers are all too aware of. However, the fact that a quarter of IT decision makers who had to turn to backups to recover data could only do so partially, while 8% were unsuccessful altogether, shows there’s still significant room for improvement.