Written by: Luke Sobieraj, Founder & COO, Digital Colliers
When a vendor puts half a billion dollars into your market and builds its European HQ in your capital, that's a bet on a gap. Rubrik isn't betting UK banks and asset managers are ready. They're betting the opposite. They're betting the middle of the market has a data-resilience story that falls apart the first time a regulator or an attacker actually pulls on it.
If you run engineering or operations at a mid-market financial firm, the question isn't whether that bet is smart. It's whether you're the trade.
What data-layer resilience actually means
Most boards hear "cyber resilience" and picture firewalls, EDR, maybe a SOC contract. That's perimeter. Data-layer resilience is different. It's the answer to a much colder question: when your production data is encrypted, corrupted, or quietly poisoned, how fast can you bring the business back, and to what point in time?
Four things matter here, and you should be able to state each one in a sentence:
- RTO (Recovery Time Objective). How long from incident to operational. Hours? Days? Be specific per system.
- RPO (Recovery Point Objective). How much data you're willing to lose. Fifteen minutes of trades is not the same as fifteen minutes of HR records.
- Immutable copies. Backups an attacker with domain admin cannot delete or encrypt. If your backups sit on the same AD trust as production, they're not immutable.
- Tested restores. Not "we have backups." Not "we ran a tabletop." A restore drill, on real data, on the clock, with the runbook the on-call actually has.
DORA has been in force since 17 January 2025, and the ICT resilience testing expectations under it are not satisfied by a policy document. They're satisfied by evidence that you've done the restore.
The resilience gap is a data-integration gap
Here's the part vendors don't lead with. The reason mid-market firms fail restore drills isn't backup software. It's that nobody knows where the data lives, who owns it, or which system is the source of truth.
You can see the same pathology in the finance function. Most mid-market finance teams still run month-end close in spreadsheets, pulling numbers across systems by hand. Month-end at the median firm runs 8 to 10 days, while the strongest teams close in under 5. The gap between those two isn't effort. It's data integration. The winners have a single, governed layer where the numbers reconcile automatically. The rest are copy-pasting.
Cyber resilience runs on the same physics. If your customer master lives in three CRMs, your positions live in two OMS instances, and your KYC evidence lives partly in SharePoint and partly in someone's inbox, you don't have a recovery plan. You have a scavenger hunt with a stopwatch on it. Immutable snapshots of a mess restore a mess.
What mid-market firms should be measuring this quarter
If you want to know whether you're the trade Rubrik is pricing, run these checks before end of quarter. None of them require a vendor.
- Named RTO and RPO for your top 10 systems. Written down, agreed by the business owner, not aspirational.
- Last successful full restore date, per system. Not last backup. Last restore.
- Backup blast radius. If a domain admin account is compromised at 2am, can that account reach and destroy the backups? Yes or no.
- Data lineage for your top 3 regulatory reports. Source system, transformation, destination. If you can't draw it on one page, you can't defend it.
- Patch latency on internet-facing assets. Industry data suggests only 3 to 5 percent of disclosed vulnerabilities are patched within 30 days. Where do you sit against that.
- GDPR exposure on the restore path. Fines run up to 20 million euros or 4 percent of global turnover. A recovery that re-materialises data you were meant to have deleted is its own incident.
The left-behind risk
The operators who come out of the next 24 months intact aren't the ones who buy the most tooling. They're the ones who treated data-layer resilience as an engineering problem and did the unglamorous integration work. They know where the data is. They know what "good" restoration looks like. They've timed it.
The firms that get left behind are the ones that read Rubrik's UK announcement as a procurement story. It isn't. It's a signal about which side of a gap you're on. The vendors have already placed their bet. Your quarter is the answer.

