
Cyber insurers now require immutable backups as a non-negotiable underwriting control, alongside MFA and endpoint detection. This article covers what technical auditors are specifically checking, how NIS2 and SEC rules are driving the same requirements, what immutable storage actually means technically, where standard backup configurations fall short, and how dedicated Ceph object storage satisfies the full requirement while keeping costs predictable.


Cyber insurance renewals in 2026 look nothing like they did just three years ago. What used to be a questionnaire with yes/no questions is now a technical audit. Insurers are sending specialists to verify that your controls actually work, not just that you said they do. Immutable backups have moved from a security best practice to a non-negotiable underwriting requirement. If you can’t demonstrate it, you either don’t get coverage or you pay significantly more for it.

The shift happened gradually and then all at once. Ransomware losses escalated to the point where insurers had to tighten underwriting standards to stay solvent. Organizations that claimed controls on applications but didn’t actually have them started having claims denied. The market responded with technical audits, stricter requirements, and premium structures that reward organizations with verified controls and penalize those without them.

If you’re approaching a cyber insurance renewal and haven’t reviewed your backup architecture recently, this article covers what insurers are now checking and what the technical requirements actually mean.

What Are Cyber Insurers Actually Checking Now?

Five years ago, cyber underwriting consisted of a questionnaire with 20 yes/no questions. Today, it’s a technical assessment. Insurers like Munich Re, Allianz, and Zurich work with specialized service providers that scan the actual security posture, not just the claimed one.

The five mandatory controls that have become non-negotiable in 2026 are MFA everywhere, EDR on all endpoints, immutable backups, a tested incident response plan, and documented patch management. Without these five, there is neither coverage nor compliance.

The immutable backup requirement is the one most organizations are least prepared for, because it goes beyond simply having backups. Insurers specifically check for immutability, meaning backups cannot be deleted or modified by an attacker who has compromised production credentials. This means object lock, write-once media, or a backup platform with hardened admin separation. They also check isolation, meaning backup credentials are separate from production credentials, and tested restores within the last 90 days with documented results. Underwriters ask for the date.

The consequence for organizations that state controls are in place during the application process but fail to enforce them in practice is claim denial in the event of a loss. Given that cyber insurance exists precisely for the moment when something goes badly wrong, a denied claim at that moment is a significant financial event.

[Figure: Five Mandatory Controls for Cyber Insurance and Premium Reduction]

What the Regulatory Drivers Look Like

The cyber insurance requirements don’t exist in isolation. They’re converging with regulatory frameworks that are independently pushing organizations toward the same controls.

NIS2 requires organizations to implement 10 mandatory cybersecurity risk management measures, including demonstrable resilience: organizations must prove they can restore operations quickly after an attack. That resilience requirement is where backup strategy, and particularly immutable backup storage, becomes critical. NIS2 does not explicitly use the word immutability, but its requirements around business continuity, recovery capability, secure data handling, and incident response make immutable backups a practical necessity.

Organizations that align their security program to NIS2 Article 21 requirements typically pass cyber insurance underwriting questionnaires with minimal additional work. The controls are fundamentally the same. This convergence is significant: investing in the infrastructure to satisfy NIS2 requirements also satisfies the insurance requirements, and vice versa. The two compliance workstreams have effectively merged.

The SEC’s cybersecurity disclosure rules add another dimension for US-listed companies. Organizations must now be able to demonstrate recoverability, not just report incidents. Producing that evidence requires infrastructure that generates and retains tamper-proof audit logs and can demonstrate that recovery controls have been tested and work.

For organizations operating in the EU or serving EU customers, NIS2 enforcement is actively underway in 2026. Organizations should ensure that their backup solution protects data with absolute immutability: even the most privileged admin, or an attacker with access to the backup storage, cannot modify or delete data. That zero-access property must be verifiable through third-party testing.

What Does Immutable Storage Actually Mean?

Immutable storage is backup or object storage that cannot be modified, encrypted, or deleted for a defined retention period, even by users or processes with full administrative credentials.

The term gets used loosely, and it’s worth being specific about what actually qualifies versus what sounds like it might.

True immutable storage uses one of two mechanisms. Object Lock with WORM (Write Once Read Many) configuration prevents objects from being modified or deleted for a defined retention period, enforced at the storage system level. Even a user or process with full administrative credentials cannot alter or delete locked objects before the retention period expires. Air-gapped storage physically or logically separates backup copies from the production network, meaning compromised production credentials can’t reach them at all.

Ransomware operators know the pressure point: destroy the backups first, then encrypt everything else. When an environment’s backup repository is wiped before the ransom note appears, recovery stops being a scheduling problem. It becomes a survival problem. Immutable storage exists for that moment. It keeps backup data from being altered, encrypted, or deleted even when attackers have broad administrative access.

Versioning is the complementary requirement. Object versioning retains previous versions of files even when current versions are overwritten or deleted. Combined with object lock, versioning means you can recover to a known-good state even when attackers have successfully modified or encrypted recent data before the immutability lock kicks in.

Tamper-proof audit logs are the evidence layer. They record every access, modification attempt, and administrative action against your backup storage in a way that can’t be altered retroactively. When an insurer or auditor asks you to demonstrate that your backups haven’t been tampered with, the audit log is what you show them.
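The property the paragraph above describes, that a log entry cannot be altered retroactively without the alteration being detectable, is usually built with a hash chain: each record commits to the hash of the record before it. The following is an added example, not Ceph RGW's log format and not OpenMetal code; the access events are constructed to resemble object-storage access records, and the "anchored head" is a stand-in for wherever you would actually publish the latest hash (WORM storage, a separate system, or a third party).

```python
"""Hash-chained audit log: every record commits to the previous record's hash,
so editing, reordering or dropping an earlier entry breaks every hash after it.

Added example, not Ceph RGW's log format or OpenMetal code. Events below are
constructed to look like object-storage access records.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev-hash of the very first record


def _record_hash(prev_hash: str, seq: int, event: Dict) -> str:
    # Canonical JSON so the same event always hashes to the same value.
    payload = json.dumps({"seq": seq, "event": event}, sort_keys=True,
                         separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class AuditChain:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, event: Dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        digest = _record_hash(prev, seq, event)
        self.entries.append({"seq": seq, "prev": prev, "event": event, "hash": digest})
        return digest

    @property
    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index): index is the first inconsistent record, len(entries)
    when the chain is internally consistent but its head differs from the
    externally anchored value (rewrite or truncation), or -1 when all is well."""
    prev = GENESIS
    for i, rec in enumerate(entries):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if _record_hash(prev, i, rec["event"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, -1


# Constructed sample events, shaped loosely like S3 access records.
SAMPLE_EVENTS = [
    {"actor": "backup-writer", "op": "PutObject", "key": "vbr/2026-06-01.vbk", "result": 200},
    {"actor": "prod-admin", "op": "DeleteObjectVersion", "key": "vbr/2026-06-01.vbk", "result": 403},
    {"actor": "backup-writer", "op": "PutObject", "key": "vbr/2026-06-02.vbk", "result": 200},
]


def build_sample_chain(events: Optional[List[Dict]] = None) -> AuditChain:
    chain = AuditChain()
    for ev in (SAMPLE_EVENTS if events is None else events):
        chain.append(ev)
    return chain


def demo() -> Dict[str, Tuple[bool, int]]:
    """Four checks: the untouched log, an in-place edit of record 1, and a full
    re-hashed rewrite of the log checked without and with the anchored head."""
    chain = build_sample_chain()
    anchored_head = chain.head  # in practice: copied to WORM storage or a separate system

    edited = [dict(rec, event=dict(rec["event"])) for rec in chain.entries]
    edited[1]["event"]["result"] = 200  # make the denied delete look successful

    rewritten_events = [dict(ev) for ev in SAMPLE_EVENTS]
    rewritten_events[1]["result"] = 200
    rewritten = build_sample_chain(rewritten_events)  # every hash recomputed consistently

    return {
        "intact": verify(chain.entries, anchored_head),
        "edited_in_place": verify(edited, anchored_head),
        "rewritten_without_anchor": verify(rewritten.entries),
        "rewritten_with_anchor": verify(rewritten.entries, anchored_head),
    }


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name}: {'ok' if ok else 'TAMPERED at record ' + str(idx)}")
```

The third check is the important one for an auditor conversation: a chain verifies against itself after a wholesale rewrite, so the evidence value comes from the head hash being held somewhere the log's own administrators cannot change, and from comparing against that copy.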

What doesn’t qualify is worth being equally specific about. Backups stored on mutable storage where administrative credentials can delete or modify objects don’t satisfy the immutability requirement. Backup solutions where the backup admin account is the same as or accessible from the production domain admin account don’t satisfy the isolation requirement. And backups that exist but haven’t been tested for successful recovery don’t satisfy the recoverability requirement regardless of how they’re stored.

Why Do Standard Backup Configurations Often Fall Short?

The gap between having backups and having immutable backups that satisfy insurer requirements is larger than most organizations realize until they go through a technical audit.

The most common failure mode is shared credential access. Many backup configurations use service accounts with broad administrative privileges because it makes setup simpler. Those same credentials, if compromised in a ransomware attack, give attackers access to the backup repository. Backup credentials must be separate from production credentials. The backup admin account cannot be the same as the domain admin.

The second common failure mode is mutable cloud storage used as a backup target. Storing backups in a standard S3 bucket or Azure Blob container without Object Lock enabled doesn’t provide immutability. A process with S3 write access can delete objects in a standard bucket. Without Object Lock, that storage doesn’t satisfy what insurers are checking for.

The third is untested restores. Immutable backups with documented restoration tests are among the three controls that address the majority of insurer concerns. Backups that haven’t been tested are a liability as much as an asset. The test matters as much as the backup itself, and the documentation of the test is what you need to show underwriters.
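The three checks above (Object Lock actually enabled on the target bucket, versioning on, and a restore test within the last 90 days) can be pulled from the S3 API and evaluated mechanically before an auditor does it for you. The script below is an added example, not OpenMetal's or Ceph's own tooling. It evaluates the response dicts that boto3's GetObjectLockConfiguration and GetBucketVersioning calls return, so the logic runs offline on constructed responses; only fetch_posture() needs a live endpoint, and its endpoint URL, bucket name and credentials are placeholders you supply. The 30-day minimum retention and the restore-date bookkeeping are assumptions of the example, not figures from the article.

```python
"""Evaluate a backup bucket on an S3-compatible endpoint (Ceph RGW or AWS S3)
against the controls a technical auditor asks about: Object Lock enabled, a
COMPLIANCE-mode default retention, bucket versioning, and a documented restore
test within the last 90 days.

Added example, not OpenMetal's or Ceph's tooling. evaluate_posture() works on
plain boto3 response dicts and needs no network; fetch_posture() is the only
part that talks to a live endpoint.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

RESTORE_TEST_MAX_AGE_DAYS = 90   # the window the article says underwriters ask about
AUDIT_DATE = date(2026, 6, 3)    # constructed "today" used by run_sample()


@dataclass
class Finding:
    control: str
    passed: bool
    detail: str


def evaluate_posture(lock_cfg: dict, versioning: dict,
                     last_restore_test: Optional[date], today: date,
                     min_retention_days: int = 30) -> List[Finding]:
    """lock_cfg: GetObjectLockConfiguration response ({} if the bucket has none).
    versioning: GetBucketVersioning response (no 'Status' key means never enabled)."""
    findings: List[Finding] = []

    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    enabled = cfg.get("ObjectLockEnabled") == "Enabled"
    findings.append(Finding("immutability", enabled,
                            "Object Lock enabled" if enabled
                            else "Object Lock not enabled; it can only be turned on at bucket creation"))

    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = rule.get("Mode")
    days = rule.get("Days") or rule.get("Years", 0) * 365
    if mode == "COMPLIANCE" and days >= min_retention_days:
        findings.append(Finding("retention_mode", True, f"COMPLIANCE, {days}-day default retention"))
    elif mode == "COMPLIANCE":
        findings.append(Finding("retention_mode", False,
                                f"COMPLIANCE but only {days} days (< {min_retention_days} required here)"))
    elif mode == "GOVERNANCE":
        findings.append(Finding("retention_mode", False,
                                "GOVERNANCE mode: a principal granted s3:BypassGovernanceRetention "
                                "can still remove locked versions"))
    else:
        findings.append(Finding("retention_mode", False,
                                "no default retention rule; confirm the backup application sets "
                                "ObjectLockMode=COMPLIANCE on every object it writes"))

    status = versioning.get("Status")
    findings.append(Finding("versioning", status == "Enabled",
                            f"bucket versioning status: {status or 'never enabled'}"))

    if last_restore_test is None:
        findings.append(Finding("tested_restore", False, "no documented restore test on record"))
    else:
        age = (today - last_restore_test).days
        findings.append(Finding("tested_restore", age <= RESTORE_TEST_MAX_AGE_DAYS,
                                f"last documented restore test {age} days ago"))
    return findings


def all_passed(findings: List[Finding]) -> bool:
    return all(f.passed for f in findings)


def run_sample(lock_cfg: dict, versioning: dict, restore_days_ago: Optional[int]) -> List[Finding]:
    """Evaluate constructed responses against the fixed AUDIT_DATE (offline use)."""
    last = None if restore_days_ago is None else AUDIT_DATE - timedelta(days=restore_days_ago)
    return evaluate_posture(lock_cfg, versioning, last, AUDIT_DATE)


def fetch_posture(endpoint_url: str, bucket: str, access_key: str, secret_key: str,
                  last_restore_test: Optional[date]) -> List[Finding]:
    """Pull the live bucket configuration with boto3 and evaluate it."""
    import boto3  # imported lazily: evaluate_posture() does not need it
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3", endpoint_url=endpoint_url,
                      aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    try:
        lock_cfg = s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError as exc:
        # The S3 API answers ObjectLockConfigurationNotFoundError for a bucket created without Object Lock.
        if exc.response["Error"]["Code"] == "ObjectLockConfigurationNotFoundError":
            lock_cfg = {}
        else:
            raise
    versioning = s3.get_bucket_versioning(Bucket=bucket)
    return evaluate_posture(lock_cfg, versioning, last_restore_test, date.today())


if __name__ == "__main__":
    # Constructed responses standing in for a correctly configured bucket.
    good_lock = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
    for f in run_sample(good_lock, {"Status": "Enabled"}, restore_days_ago=33):
        print(f"{'PASS' if f.passed else 'FAIL'}  {f.control}: {f.detail}")
```

Two design choices worth noting. The retention check treats GOVERNANCE mode as a failure, because that mode exists precisely to let a sufficiently privileged principal shorten or remove the lock, which is the capability the article says an attacker with admin credentials must not have. And the restore-test date is an input rather than something read from the bucket: the storage system cannot tell you whether you restored from it, so that evidence has to come from your own change or test records.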

What Ceph Object Storage Provides

Ceph’s RADOS Gateway provides S3-compatible object storage with native support for S3 Object Lock, versioning, and the audit logging infrastructure that immutability compliance requires. Running on dedicated bare metal infrastructure rather than shared public cloud storage changes the compliance picture in a few specific ways.

Object Lock on Ceph enforces WORM retention at the storage level. Objects written with retention periods set cannot be modified or deleted by any process, including administrative users, until the retention period expires. This is the same mechanism that public cloud S3 Object Lock uses, on infrastructure you control directly rather than infrastructure managed by a shared cloud provider.

The audit trail on dedicated infrastructure is complete from the hardware layer up. Every access attempt, configuration change, and administrative action is logged in a way that doesn’t depend on what a cloud provider exposes through their logging APIs. When an insurer’s technical auditor asks for evidence of your backup immutability controls, the documentation comes from infrastructure you own rather than a subset of logs a provider makes available to you.

Backup credential isolation is cleaner on dedicated private infrastructure. The backup storage environment is separate from production systems at the infrastructure level, not just at the credential level. An attacker who has compromised production credentials doesn’t have a path to the backup storage through shared underlying infrastructure.

OpenMetal’s Ceph storage clusters run on dedicated hardware with fixed-cost pricing that doesn’t scale with backup data volume. Public cloud object storage billing compounds as backup datasets grow: more data, more versions, more retention periods all translate directly to higher monthly costs. Fixed-cost dedicated storage means your backup infrastructure budget is predictable regardless of how your data grows over the retention period you’re required to maintain.

For organizations with compliance requirements that extend to data residency, OpenMetal’s Amsterdam and Singapore facilities provide dedicated Ceph storage in specific jurisdictions. Immutable backup data that needs to stay within the EU for NIS2 compliance lives on EU infrastructure. Backup data for APAC operations with MAS requirements lives in Singapore. The data residency answer is architectural rather than contractual.

The Premium Reduction Math

The financial case for getting immutable storage right is more direct than most infrastructure investments.

Mid-market companies with $10M to $100M in revenue typically pay $8,000 to $35,000 annually for cyber coverage. A $20,000 annual premium with weak controls can drop to $13,000 to $15,000 with documented MFA, EDR, and immutable backup hygiene in place. The cost of implementing those controls often pays for itself within the first renewal cycle.

The calculation works the other way too. Organizations without verified immutable backups face higher premiums, reduced coverage limits, or outright denial. Given that the average cost of a ransomware recovery, before insurance, runs into hundreds of thousands of dollars for mid-sized organizations, the cost of adequate coverage is a different number than the cost of the premium alone.

The convergence of NIS2 and insurance requirements means the investment does double duty. Infrastructure that satisfies an insurer’s technical audit also satisfies NIS2’s demonstrable resilience requirement. For EU organizations or companies serving EU customers, that’s two significant compliance obligations addressed by a single infrastructure decision.

Cyber insurance is becoming harder to get and more expensive for organizations that can’t demonstrate their controls work. The organizations that have already built the infrastructure to prove it are in a better position at every renewal than those scrambling to close gaps under time pressure.

Frequently Asked Questions

Is immutable storage required for cyber insurance in 2026?

Yes. Immutable backups are one of five non-negotiable controls most major insurers now require. Without them, coverage is typically denied or premiums are significantly higher. Insurers verify immutability through technical audits, not just questionnaire responses.

What is the difference between immutable storage and a regular backup?

A regular backup can be deleted or modified by anyone with administrative access, including an attacker who has compromised those credentials. Immutable storage uses Object Lock or WORM configuration to prevent any modification or deletion for a defined retention period, enforced at the storage system level regardless of credentials.

Does NIS2 require immutable backups?

NIS2 doesn’t use the word “immutability” explicitly, but its requirements around demonstrable resilience, business continuity, and recovery capability make immutable backups a practical necessity for compliance. Organizations that align with NIS2 Article 21 typically satisfy cyber insurance requirements with minimal additional work.

How much can immutable backup controls reduce cyber insurance premiums?

For mid-market companies paying $8,000 to $35,000 annually, documented immutable backup controls alongside MFA and EDR can reduce premiums by $5,000 to $7,000 or more per year. The cost of implementing those controls typically pays for itself within the first renewal cycle.

Does S3 Object Lock on Ceph satisfy cyber insurance immutability requirements?

Yes. Ceph’s RADOS Gateway supports S3 Object Lock natively, enforcing WORM retention at the storage level. Combined with versioning and tamper-proof audit logs, it satisfies the immutability, isolation, and evidence requirements that insurers and NIS2 auditors check for.


Evaluating your backup and recovery infrastructure against current insurer requirements? See OpenMetal’s Ceph storage clusters for dedicated immutable object storage, or explore the object storage platform to understand how S3 Object Lock and versioning work on OpenMetal infrastructure.

