Recent Breaches
Breaches
View All →
Why OSS

3-2-1-0 Backup,
The Insurer Standard

Cyber insurers now expect a real offline copy. Firevault Bunkers deliver the 0 in 3-2-1-0 with the audit trail underwriters want to see.

0
The Rule

What 3-2-1-0 Actually Means

A plain English breakdown of the rule insurers, regulators and boards keep referencing.

01
Production plus two protective copies

3 Copies of Data

Insurers expect you to hold the live production copy plus two independent backup copies. One copy alone is not resilience, it is hope. The third copy exists so that loss of one backup never leaves you exposed.

Production copyLocal backupProtective backup
02
Avoid single technology failure

2 Different Media

Holding both backups on the same storage technology means a single firmware bug or vendor incident can take both copies at once. Different media reduces correlated failure and is increasingly explicit in policy wording.

Disk and offlineCloud and bunkerReduces correlated risk
03
Physically separated from production

1 Offsite Copy

An offsite copy survives site events, fire, flood and physical compromise of your primary location. Insurers want to see geographical separation with documented chain of custody.

Geographic separationDocumented custodyVerified retrieval
04
The new requirement

0 Errors and 0 Online Copies

The modern addition. Zero verified errors on restore, and at least one copy that is fully offline so ransomware cannot reach it. This is where Iron Mountain tape and Firevault Bunkers compete, and where most cloud only strategies fall short.

Verified restore testsOne copy fully offlineInsurance grade evidence
Offline Copy Options

Tape, Cold Cloud, or Bunker

The three credible ways to satisfy the offline copy requirement, and where each one wins or loses.

01
Proven physical air gap, slow recovery

Iron Mountain Tape

Tape ejected and stored offsite is a genuine physical air gap. The tradeoff is operational. Recoveries can take days, handling errors are common and verifying restores at scale is painful.

True offline copyDays to recoverHandling overhead
02
Online with retrieval delay

AWS Glacier and Cold Cloud

Glacier and similar tiers are still reachable through the public cloud control plane. Retrieval is slower and cheaper than hot storage, but the data remains addressable, governed by IAM policies and exposed to identity compromise.

Always reachable via APIIAM dependentEgress and retrieval fees
03
Modern offline copy, scheduled access

Firevault Bunkers

Firevault Offline Secure Storage delivers a tape style physical air gap with scheduled, identity verified online windows for restores. UK based bunkers, audit trails written for insurers, and no per gigabyte egress to budget around.

Layer 1 disconnectScheduled identity verified accessInsurer ready audit trail

Underwriter ready evidence pack

Read the full Firevault 3-2-1-1-0 briefing, or explore wider critical national infrastructure resilience.

Cyber Insurance and 3-2-1-0

Mark Fermor
David Bailey
Kenny Phipps
Online Now
Concierge

Make your offline copy insurer ready

Talk to Mark Fermor and the Firevault team about evidencing 3-2-1-0 with a Layer 1 air gapped bunker copy.

Takes about 2 minutes. No account needed.

Free2 minsNo sign-up
    Get started

    Your privacy matters

    We use cookies to keep the site running smoothly and to understand how you use it. You are in control. Privacy Charter · Cookie Policy

    Firevault

    Firevault is Offline Secure Storage. Hardware you own, physically disconnected by default, with KYC-verified access. Ransomware-proof by design, not by patch.

    © 2026 Firevault Limited. Disconnect to Protect®