They have to, are required to have a disaster recovery plan whereas they can restore data if totally wiped out. Where’s the plan and where’s the data?
We did where I worked due.
What bothers me almost more is that the people writing legislation for electronic privacy and security don't seem to have a clue - or the guts - to say the "excuse" is BS