
Your Cyber Insurance Won't Pay Out Without the Right Backups

Tags: cyber insurance, ransomware, immutable backup, UK cyber security, backup strategy

The UK government's Cyber Security Breaches Survey for 2025/2026 landed on 30 April 2026, and the headline numbers are difficult to ignore. Ransomware incidents affecting UK businesses roughly doubled year-on-year — around 19,000 organisations hit — and the financial damage from breaches more than doubled in the same period.

If you have cyber insurance, your instinct might be to shrug and think: "That's what the policy is for." But there's a problem. The rules around what insurers will actually pay out on have changed significantly, and most UK SMBs haven't caught up.

Insurers Have Moved the Goalposts on Backup

A few years ago, having any kind of backup was enough to tick the box on a cyber insurance proposal form. Not any more.

Underwriters have been badly burned by ransomware claims where the policyholder's backups turned out to be useless — either because the ransomware encrypted them alongside the live data, or because they hadn't been tested and failed to restore. As a result, insurers have updated what they require.

The specific term you'll now see in policy conditions is immutable backup — a backup that cannot be altered, deleted, or encrypted, even by someone with admin credentials. Air-gapped backups (physically or logically separated from your main network) are also commonly required.

If your current backup doesn't meet those standards, you may already be underinsured without knowing it.

Claim Rejections Are Rising for Backup-Related Reasons

Claim denials tied to backup misrepresentation are now one of the leading reasons UK businesses find their cyber insurance policy doesn't pay out after an incident.

The mechanism is straightforward. You declare on your proposal form that you have regular, tested backups. A ransomware attack hits. Your insurer investigates. They find your backups were stored on the same network, weren't immutable, hadn't been tested in 18 months, or didn't match what you said you had. The claim is rejected on grounds of misrepresentation.

It doesn't matter whether that misrepresentation was intentional. If what you declared doesn't match what was in place, the insurer has grounds to void the claim — and often the whole policy.

More insurers are also conducting technical audits before they'll quote, not just at claim time. They want evidence, not assurances.

Most SMBs Have Backup. Most Don't Have the Right Backup.

This is the uncomfortable part. The majority of UK SMBs do have some form of backup in place. The problem is that basic cloud sync, file history tools, or simple nightly copies stored on the same network don't meet what modern ransomware preparedness actually requires — and they certainly don't meet what insurers are now asking for.

Modern ransomware is specifically designed to find and destroy backups before it triggers the encryption of your live data. Attackers will sit undetected in your environment for days or weeks, mapping your systems and corrupting backup files, before you ever see the ransom note.

If your backup is reachable from your network, it's potentially reachable by an attacker who's already inside your network.

What Insurers Are Now Asking on Proposal Forms

The questions on cyber insurance proposals have become more specific. Expect to be asked:

  • Are your backups stored separately from your production environment?
  • Are backups immutable — protected from modification or deletion?
  • How frequently are backups taken, and what is the retention period?
  • When were your backups last tested with a full restore?
  • Do your backups cover all critical systems and data, including cloud-hosted services?

If you can't answer those questions confidently, or if the honest answers don't match what's currently on your policy documents, that's worth addressing now — before you have to make a claim.

A Quick Audit You Can Do Right Now

The NCSC's guidance — cited extensively in this year's Breaches Survey — gives a practical framework. Here's a condensed version you can apply today:

  1. Identify what you're backing up. Does it include cloud services like email and business apps, not just on-premise data?
  2. Check where backups are stored. Are they on the same network, or genuinely separated?
  3. Confirm immutability. Can an admin (or an attacker with admin access) delete or modify your backups?
  4. Review your last restore test. When did you last actually restore from backup? Did it work?
  5. Compare with your insurance declaration. Does your current setup match what you told your insurer?

If you find a gap at any point, that gap is both a security risk and a potential policy liability.
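
The five checks above amount to comparing what the proposal form declared with what is actually in place. The script below is an added example, not IronFell's or the NCSC's own material; the field names, the sample inventory and the 180-day restore-test threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names and the 180-day threshold are assumptions.
TODAY = date(2026, 5, 1)
DECLARED = {  # what the proposal form said
    "separated": True,
    "immutable": True,
    "max_restore_test_age_days": 180,
    "covered": {"file-server", "m365-mail", "finance-app"},
}
ACTUAL = [  # what is really in place, one entry per backup job
    {"system": "file-server", "same_network": True, "immutable": False,
     "last_restore_test": date(2024, 10, 1), "restore_ok": True},
    {"system": "m365-mail", "same_network": False, "immutable": True,
     "last_restore_test": date(2026, 3, 15), "restore_ok": True},
]

def audit(declared, actual, today):
    """Return (system, gap) pairs where reality falls short of the declaration."""
    gaps = []
    # Step 1: every system declared as covered needs a backup job.
    backed_up = {job["system"] for job in actual}
    for system in sorted(declared["covered"] - backed_up):
        gaps.append((system, "declared as covered, no backup job found"))
    for job in actual:
        name = job["system"]
        # Step 2: storage location.
        if declared["separated"] and job["same_network"]:
            gaps.append((name, "backup stored on the production network"))
        # Step 3: immutability.
        if declared["immutable"] and not job["immutable"]:
            gaps.append((name, "backup can be modified or deleted by an admin"))
        # Step 4: restore test must have succeeded and be recent.
        age = (today - job["last_restore_test"]).days
        if not job["restore_ok"]:
            gaps.append((name, "last restore test failed"))
        elif age > declared["max_restore_test_age_days"]:
            gaps.append((name, f"last restore test was {age} days ago"))
    return gaps  # Step 5: any entry here is a mismatch with the declaration

if __name__ == "__main__":
    for system, gap in audit(DECLARED, ACTUAL, TODAY):
        print(f"{system}: {gap}")
```

Replace the sample inventory with your own backup jobs and the values from your policy documents; an empty result means the setup matches what was declared.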

Don't Wait for a Claim to Find Out

The 2026 Breaches Survey is a useful reminder that ransomware isn't getting less common or less damaging. But the bigger risk for many UK SMBs right now isn't just the attack — it's discovering after the attack that the insurance you've been paying for won't cover you, because your backups didn't meet the standard your insurer expected.

Getting this right isn't complicated. It does require knowing what you have, checking it honestly, and making sure it's fit for purpose.


IronFell's managed backup service is built around exactly the controls that insurers now require — immutable, tested, and properly separated from your production environment. If you're not sure whether your current backup would hold up to an insurer's scrutiny, talk to us. No jargon, no hard sell — just a straight conversation about where you stand.
