PROCEDURE TEMPLATE

Backup & Recovery Procedure

Answer carriers' questions with a customized procedure document, built in three minutes and aligned to Hartford, Travelers, Coalition, and Beazley requirements.

📋 What this cyber insurance requirement is

Why carriers care: Ransomware is the leading cause of cyber insurance claims. Carriers want proof that you have isolated backups, test recovery regularly, and can actually restore your systems.

Create your backup & recovery procedure below

What you'll get
  • A customized backup & recovery procedure document (3-5 pages)
  • RTO/RPO targets aligned with your system criticality
  • Backup isolation & immutability strategy details
  • Testing frequency & validation procedures
  • Systems coverage inventory & backup platform configuration

What carriers are looking for

Each carrier asks slightly different questions. Here are the artifacts each carrier names.

Hartford

  • Backup & recovery procedure
  • Testing documentation
  • Isolation strategy
  • Recovery test results

Travelers

  • RTO & RPO targets
  • Backup frequency specification
  • Last restore test date
  • Recovery runbook

Coalition

  • Immutability configuration
  • Air-gap verification
  • Systems coverage list
  • Validation frequency

Beazley

  • Platform details
  • Encryption config
  • Testing schedule
  • Scope documentation

What to collect

Evidence artifacts your broker will need during the renewal process.

📸 Platform Configuration

Screenshots showing backup frequency, retention, and isolation settings from your backup platform

📝 Restore Test Reports

Documentation of restore tests with dates, systems tested, and results (monthly, quarterly, or annual)

🎯 RTO/RPO Documentation

Written definition of target Recovery Time Objectives and Recovery Point Objectives by system criticality

📋 Systems Inventory

List of systems in backup scope with platform assignment and criticality levels

🔒 Immutability Configuration

Screenshots or documentation showing immutable backup settings and air-gap storage isolation

🔐 Encryption Details

Evidence of encryption in transit and at rest for backup storage and repositories

Important: What this doesn't prove

Be upfront about these gaps. Carriers appreciate honesty over overstatement.

Real Recovery Success: A procedure documents intent, not actual restore success under pressure during an incident

True Isolation: Backups may be immutable, but ransomware that was already present before a backup was taken is preserved along with the data, so immutability alone does not prove the recovery point is clean

Complete Coverage: Documentation cannot prove all critical systems are actually included in the backup scope

Achievable RTO/RPO: Targets on paper may not be realistic given infrastructure, bandwidth, or data volume constraints

Staff Preparedness: A procedure is only as good as the team's ability to execute it quickly and correctly

Ongoing Validation: A single test or audit doesn't guarantee backups work consistently over time

Who owns what

🏢 Insured

The organization is responsible for defining backup strategy, setting RTO/RPO targets aligned with business criticality, approving backup and isolation controls, and ensuring the procedure is regularly tested and maintained. Leadership must allocate budget and resources for backup infrastructure and testing.

🔧 MSP/IT Team

The IT team configures and manages the backup platform, sets backup frequency and retention based on approved targets, executes restoration tests on schedule, documents all test results, and maintains the systems inventory. They also ensure encryption is enabled and backups remain isolated from production systems.

🤝 Broker

The broker interprets carrier requirements, submits the procedure and evidence to underwriting, tracks feedback, requests additional documentation as needed, and ensures timely follow-up. They act as the liaison between your organization and carriers to ensure all evidence meets expectations.

Frequently Asked Questions

How often should we test our backups?

Minimum: Annual full system restore. Preferred: Semi-annual or quarterly. Full system restores are better than file-level recovery testing. Many carriers now expect at least quarterly validation.

What RTO/RPO targets should we set?

Critical systems: 4-hour RTO, 1-hour RPO. Important systems: 8-hour RTO, 2-hour RPO. Standard systems: 24-hour RTO, 4-hour RPO. Targets should reflect your actual recovery capabilities, not aspirational numbers.

What does "immutable backup" mean?

Immutable backups cannot be deleted or modified once written, preventing ransomware from corrupting or destroying recovery points. Combined with air-gapping, this is now considered a core control by most carriers.

Should we use air-gapped or immutable storage?

Air-gapped: Backup is isolated on separate systems or cloud accounts, disconnected from production. Immutable: Backups cannot be changed or deleted even by system administrators. Many organizations use both strategies layered together.

Do backups need to be encrypted?

Yes. Encryption in transit (TLS/IPSec) and at rest (AES-256 minimum) is required by all major carriers. This protects backup storage media if it's compromised or lost.

How do we document our restore test results?

Create a simple form capturing: test date, systems restored, restore duration (actual vs. RTO), data integrity check results, and team sign-off. Include screenshots of successful restores. This becomes part of your renewal submission.
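The restore-test form and the RTO/RPO tiers from the answers above can be checked mechanically before a renewal submission. This added example (not part of the template or any carrier's material) compares a constructed systems inventory against a constructed restore-test log: it flags systems never tested, tests older than a quarterly cadence, restores that missed the tier's RTO or RPO, failed integrity checks, and missing sign-off. The inventory, test entries, and the 92-day cadence are assumptions for illustration.

```python
from datetime import date

# RTO/RPO targets in hours by criticality tier, as stated in the FAQ
TARGETS = {"critical": (4, 1), "important": (8, 2), "standard": (24, 4)}
# Assumed quarterly validation cadence (days between tests), an assumption
TEST_CADENCE_DAYS = 92

# Constructed sample inventory: system name -> criticality tier
INVENTORY = {
    "erp-db": "critical",
    "file-server": "important",
    "intranet-wiki": "standard",
    "hr-portal": "important",
}

# Constructed sample restore-test log, one row per form entry
TESTS = [
    {"system": "erp-db", "date": date(2026, 2, 10), "restore_hours": 3.5,
     "data_gap_hours": 0.5, "integrity_ok": True, "signed_off": True},
    {"system": "file-server", "date": date(2026, 1, 5), "restore_hours": 10.0,
     "data_gap_hours": 1.0, "integrity_ok": True, "signed_off": True},
    {"system": "intranet-wiki", "date": date(2025, 9, 1), "restore_hours": 6.0,
     "data_gap_hours": 2.0, "integrity_ok": True, "signed_off": False},
]


def evaluate(inventory, tests, as_of):
    """Return {system: [issues]} for every system in backup scope."""
    latest = {}  # keep only the most recent test per system
    for t in tests:
        if t["system"] not in latest or t["date"] > latest[t["system"]]["date"]:
            latest[t["system"]] = t
    findings = {}
    for system, tier in inventory.items():
        rto, rpo = TARGETS[tier]
        issues = []
        t = latest.get(system)
        if t is None:
            issues.append("never tested")  # coverage gap in the evidence
        else:
            if (as_of - t["date"]).days > TEST_CADENCE_DAYS:
                issues.append("test older than cadence")
            if t["restore_hours"] > rto:
                issues.append(f"RTO missed ({t['restore_hours']}h > {rto}h)")
            if t["data_gap_hours"] > rpo:
                issues.append(f"RPO missed ({t['data_gap_hours']}h > {rpo}h)")
            if not t["integrity_ok"]:
                issues.append("integrity check failed")
            if not t["signed_off"]:
                issues.append("no sign-off")
        findings[system] = issues
    return findings
```

A system with an empty issue list is ready to submit; anything else is a gap to close or disclose under "What this doesn't prove".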

Sources (March 2026)

  • Hartford Cyber Underwriting Guidelines — Backup & Recovery Procedure documentation requirements
  • Travelers Cyber Insurance Requirements — RTO/RPO definition and testing frequency standards
  • Coalition Underwriting Standards — Immutability, air-gap, and backup validation controls
  • Beazley Security Questionnaire — Backup platform, encryption, and recovery procedure details
  • NIST Cybersecurity Framework — Data protection and disaster recovery best practices