← All topics
Cyber-insurance readiness

Resilience — Backups & Recovery

Recovery is weighted highest. A documented DR plan only counts if it has been tested.

Why it matters

Carriers deny more claims over recovery than anything else — an untested backup is the difference between a bad week and a closed business.

What strong practice looks like

Offsite, off-network, immutable backups — and a tested restore with documented RTO/RPO.

What this area covers

Also covered in this area

  • How often are backups taken?
  • Are backups stored offsite or in the cloud?
  • Is at least one copy kept offline / off-network (air-gapped)?
  • Are backups encrypted?
  • Are backups immutable (cannot be altered or deleted)?
  • Which backup hardening measures are in place?
  • Is your only "backup" a file-sync service (Dropbox / OneDrive / SharePoint)?
  • Do you have a documented business-continuity / disaster-recovery plan?
  • Has a restore been tested in the last 12 months, with documented RTO/RPO?

This library is general education, not advice about your specific organization. It describes what each control is and what strong practice looks like; whether and how any of it applies to you is your decision, in consultation with your carrier, broker, or counsel.