Backup Failure: Insurance Claim Denied

The Situation

A mid-sized professional services firm purchased cyber insurance, believing they were protected against ransomware and other cyber incidents. On the application, they attested to having:

• Daily automated backups
• Offsite/cloud backup storage
• Regular backup testing and verification
• Documented recovery procedures

The firm did have a backup solution in place — at least on paper. What they didn't know was that the backup jobs had been failing silently for months. No one was monitoring the backup logs. No one was testing restores. The backup solution was technically installed, but it wasn't actually working.

The Attack

When ransomware hit, the firm's IT provider attempted to restore from backups. They discovered:

• The last successful backup was 4 months old
• The backup agent had stopped running after a server update
• No alerts were configured for backup failures
• No restore tests had been performed in over a year

The company faced a choice: pay the ransom for a decryption key, or lose 4 months of client work, financial records, and operational data.

Why the Claim Was Denied

When the company filed their insurance claim, the insurer conducted a forensic investigation. This is standard practice for large claims — insurers verify that the security controls attested to on the application were actually in place.

The investigation revealed:

• No working backups — The backup solution existed but hadn't successfully completed a backup in 4 months
• No monitoring — Failed backup jobs generated no alerts
• No testing — The company couldn't provide evidence of any restore tests
• Material misrepresentation — The application attestation didn't match reality

The insurer challenged the claim based on material misrepresentation. Whether intentional or not, the company had attested to controls they didn't actually have in place.

The Real Cost

• Ransom payment — The company ultimately paid the ransom to recover data (amount undisclosed)
• Recovery costs — IT labor, forensics, system rebuilding
• Business interruption — Lost productivity during the incident
• Client impact — Some work had to be recreated; client relationships strained
• No insurance coverage — All costs absorbed by the business
• Higher future premiums — If they can get coverage at all

What "Proper Backups" Actually Means

When insurers ask about backups, they expect:

• Automated daily backups — Not manual, not weekly, not "when we remember"
• Offsite/air-gapped storage — Backups that can't be encrypted by ransomware on your network
• Immutable retention — Backup data that can't be modified or deleted for a set period
• Monitoring and alerting — Someone gets notified immediately when backups fail
• Regular restore testing — Quarterly (at minimum) verification that you can actually restore data
• Documented RTO/RPO — Written recovery time and recovery point objectives
• Encryption — Backup data encrypted at rest and in transit

How RMA Prevents This

Insurance Readiness Review:

• We review your insurance application with you
• We verify that every attestation matches reality
• We identify gaps between what you claim and what you have
• We provide documentation to support your attestations

Backup Verification (Standard/Managed tiers):

• Quarterly backup configuration review
• Restore testing with documented results
• Backup monitoring and alerting verification
• RTO/RPO documentation

Compliance Gap Analysis:

• Full assessment of your security controls
• Comparison against insurance requirements
• Prioritized remediation roadmap
• Evidence collection for insurers

Source

This case study is based on documented insurance claim denials analyzed by Corsica Technologies in their 2025 cyber insurance readiness report.

Read more about the Corsica Technologies Report →