Data resilience: why financial services must prepare for the worst

In the fast-paced world of auto and equipment finance, data has become the backbone of business. Every decision, transaction, and customer interaction relies on it. When systems go down, the consequences are immediate and costly; deals are lost, customers are frustrated, and reputations are damaged.

But it’s not just about customer experience anymore. Increasingly, regulators are demanding that financial services firms demonstrate operational resilience and show the ability to withstand and recover from severe disruptions. In the UK, for example, the Financial Conduct Authority (FCA) now requires firms to identify critical business services and ensure they remain available even during major outages. Across the EU, the Digital Operational Resilience Act (DORA) – which came into effect on 17 January 2025 – goes a step further by requiring banks, insurance companies, investment firms, and other financial entities to prove they can withstand, respond to, and recover from ICT-related disruptions, such as cyberattacks, system failures, or third-party service outages.

In this environment, data resilience is no longer optional. It’s a regulatory imperative and a business-critical capability, one that demands a rethink of how firms design their infrastructures and continuity strategies.

Why data availability has become a pressing issue

Historically, many financial institutions relied on on-premises infrastructure to manage their systems. This often meant a basic disaster recovery (DR) site and occasional DR testing, if at all.

But as Alex Barnes, Director of Cloud Hosting at Alfa, explains, the shift to cloud has changed the game:

“When firms managed their own infrastructure, there were always limitations in what could be achieved. At best, you might have a DR site that hopefully worked, but many organisations rarely tested it properly. The move to the cloud has awakened something. Firms now recognise that availability is critical but also feel like control has shifted. If there’s a regional outage on AWS or Google Cloud, they can feel powerless – so they have to plan for scenarios they never considered before.”

This shift in mindset isn’t just about technology; it’s also driven by regulatory pressure. As Barnes points out, regulators are forcing firms to think more strategically:

“The FCA and DORA have been clear: if you outsource large sections of your business, you can’t just be hands-off. You must have a documented plan for handling outages – even extreme ones, like a hyperscaler going offline. That’s making firms take resilience much more seriously.”

“Outsourcing doesn’t mean being hands-off — firms must plan for even extreme outages.”

Evolving threats: from ransomware to data theft
Cybersecurity has also accelerated the focus on resilience. Financial services firms face a dual challenge: protecting against data theft and ensuring business continuity in the face of ransomware attacks.

Barnes explains the distinction: “We see two kinds of threats. One is theft — attackers steal your data and try to ransom it back, but there’s no guarantee they won’t release it anyway. The other is ransomware that locks up your systems and stops you operating. The latter is devastating for auto and equipment finance firms that rely on constant system availability.”

There’s also a moral dimension: every company that pays a ransom is directly funding the next wave of attacks. It’s on everyone to avoid being in a position where they have to make that choice.

In this context, data backups alone aren’t enough. Firms must design architectures that make it possible to rebuild environments quickly without relying on compromised infrastructure or negotiating with attackers.

Why resilience needs to be designed in

The old model of periodic DR testing and isolated backup vaults isn’t sufficient in a world of regional outages, ransomware, and sophisticated cyberattacks. Financial services firms need to design for resilience from the ground up.

Key principles include:

Multi-region strategies: Ensuring operations continue even if a whole region goes offline
Multi-cloud diversification: Avoiding single-provider dependency
Immutable backups: Protecting data from tampering or corruption
Infrastructure as code: Automating rebuilds so recovery becomes “business as usual”

Barnes stresses the importance of practising recovery until it becomes routine: “If you only test disaster recovery once a year, you’re probably not ready to do it when it matters. Making recovery part of business-as-usual operations is essential. For example, refreshing environments from backups as part of regular workflows ensures you know you can recover when needed.”

“Making recovery part of business-as-usual operations is essential.”

Case study: planning for the worst

One example of this approach comes from Alfa Cloud, which delivers the Alfa Systems platform as a single-tenant SaaS solution for the auto and equipment finance industry.

For Alfa Cloud customers, these principles are built into the platform via its recently launched Data Guardian feature, which provides an illustration of what “planning for the worst” looks like in practice:

Backups stored in multiple regions to ensure geo-redundancy
Replication to a separate cloud provider to mitigate cloud-wide outages
Single-touch infrastructure provisioning to rebuild environments in hours rather than weeks

“Our goal is to make resilience predictable,” says Barnes. “In the event of a ransomware attack, for example, we can provision a fresh cloud account and rebuild our customers’ entire infrastructure using last night’s backups. We don’t need to negotiate with attackers. We just carry on.”

“Our goal is to make resilience predictable.”

For customers like Novuna Business Finance, this resilience has been transformative. “Since migrating to Alfa Cloud, we’ve experienced a remarkable transformation in how we operate,” says Matthew Colville-Foley, Head of Change Delivery at Novuna.

“Data security and access control are standout features, giving us complete confidence in the integrity and confidentiality of our information. The strong security posture and robust governance model align seamlessly with FCA requirements,” he added.

Cloud adoption and industry gaps

Despite these advances, Barnes observes that much of the auto and equipment finance sector is still catching up when it comes to cloud adoption:

“In our experience, we’re almost always migrating firms from legacy on-premises platforms, sometimes even mainframes. Rarely are we replacing another cloud-based solution. That means a lot of firms are only now confronting these resilience challenges for the first time.”

This lag in cloud adoption presents both risks and opportunities. Firms yet to migrate have the advantage of designing resilience into their architectures from the start, but only if they recognise the importance of doing so.

Resilience as a strategic imperative

What was once seen as a compliance requirement is now a competitive differentiator. Customers expect seamless availability. Regulators demand demonstrable continuity planning. And firms that can guarantee uninterrupted service stand to earn greater trust and competitive advantage in a crowded marketplace.

Barnes sums it up simply: “You have to plan for the worst. You can’t predict every scenario – attackers are too sophisticated, and technology changes too fast. But if you assume the worst can happen, you can make sure your business carries on regardless.”

Investing in robust data resilience strategies is no longer simply about mitigating risk; it’s about enabling growth.

“You have to plan for the worst. You can’t predict every scenario. But if you assume the worst can happen, you can make sure your business carries on regardless.”

Conclusion: from backups to business continuity

For auto and equipment finance providers, the stakes around data availability have never been higher. Worst-case scenarios – from ransomware to hyperscaler outages – are no longer edge cases; they’re operational realities.

The firms that thrive will be those that: