How Financial Services is Raising the Bar for Cyber Recovery

Ransomware incidents have more than doubled since the pandemic began, according to the IEEE Computer Society, and the consequences have spread well beyond the IT department. When the Bank of England cited Jaguar Land Rover's (JLR's) cyberattack as a direct contributor to slower Gross Domestic Product (GDP) growth in Q3 2025, it marked the first time a cyber event had caused material harm to the British economy at a national level. In the same year, British retailer Marks & Spencer (M&S) estimated that the cost of cleaning up after a cyberattack would exceed £300 million. At the same time, the UK's National Cyber Security Centre (NCSC) said that the number of major cyberattacks had increased by 130%.

The threat landscape is accelerating in ways that render traditional defences increasingly inadequate. Anthropic's Project Glasswing has already identified thousands of previously unknown zero-day vulnerabilities across every major operating system and browser, and AI has fundamentally collapsed the cost of discovering and weaponising those flaws. When novel malware variants can be generated faster than any signature database can update, the economics of attack have shifted permanently in the attacker's favour.

What Financial Services Firms Are Doing Today

Regulators across every major jurisdiction have moved past asking whether organisations have backup, and are now asking whether they can prove recovery from a targeted, adversarial cyber event. 

The European Digital Operational Resilience Act (DORA) Article 12 requires financial entities to restore data using systems that are “physically and logically segregated from the source.” The Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) have jointly published guidance requiring systemic firms to demonstrate enhanced cyber response and recovery capabilities. 

The Securities and Exchange Commission (SEC) now mandates disclosure of material cyber incidents within four business days.

Other regulatory and industry frameworks, including the Hong Kong Monetary Authority (HKMA), the Securities and Exchange Board of India (SEBI), the Network and Information Security Directive 2 (NIS2), and the UK's Cross Market Operational Resilience Group (CMORG) Cloud-Hosted Data Vaulting Good Practice Guide, converge on the same expectations:

  • Segregated recovery environments

  • Provable data integrity

  • Documented response capabilities

Together, these requirements go far beyond what traditional operational backup solutions were designed to deliver.

Most regulated firms have responded by strengthening their existing backup and disaster recovery strategies. They have invested in more backup copies, more frequent replication, faster failover, and larger disaster recovery budgets. The instinct is understandable because these tools have served the industry well for decades, through hardware failures, natural disasters, and accidental deletions. 

The problem is that ransomware is none of those things. It is a targeted, adversarial attack engineered to cause your recovery mechanisms to fail.

Why High Availability, BC/DR and Backup Were Never Built for This

High Availability and Business Continuity/Disaster Recovery (BC/DR) systems replicate data in real time. If ransomware encrypts data in the primary environment, that encryption is often replicated to the secondary environment before the attack is detected. As a result, both copies of the data can be compromised.

Traditional backup systems have a different challenge. Attackers often remain undetected in an environment for weeks before launching an attack. If an attacker has been present for 30 days, many of the backups created during that period may already contain malware or other malicious changes. Restoring from those backups can reintroduce the threat along with the data.
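The dwell-time problem above can be checked against a retention policy before an incident forces the question. The sketch below is an added example, not Qumulo code: the function names, the daily 02:00 snapshot schedule, the dates and the 30-day dwell estimate are all constructed assumptions.

```python
from datetime import datetime, timedelta

def daily_snapshots(latest, retention_days):
    """Constructed schedule: one snapshot per day, kept for retention_days."""
    return [latest - timedelta(days=i) for i in range(retention_days)]

def classify_recovery_points(snapshots, detected_at, dwell_days):
    """Split snapshots around the estimated start of attacker presence.

    Predating the estimate makes a snapshot a candidate only; it still has
    to pass integrity checks before it is trusted for restore.
    """
    compromise_start = detected_at - timedelta(days=dwell_days)
    candidates = sorted(s for s in snapshots if s < compromise_start)
    suspect = sorted(s for s in snapshots if s >= compromise_start)
    last_candidate = candidates[-1] if candidates else None
    return {
        "compromise_start": compromise_start,
        "last_candidate": last_candidate,
        "suspect": suspect,
        # Everything written after the chosen recovery point is lost on restore.
        "data_loss_window": detected_at - last_candidate if last_candidate else None,
    }

# Constructed scenario: detection at midday, attacker present for 30 days.
DETECTED_AT = datetime(2025, 6, 30, 12, 0)
LATEST_SNAPSHOT = datetime(2025, 6, 30, 2, 0)
DWELL_DAYS = 30

def report(retention_days):
    snapshots = daily_snapshots(LATEST_SNAPSHOT, retention_days)
    return classify_recovery_points(snapshots, DETECTED_AT, DWELL_DAYS)

if __name__ == "__main__":
    for retention in (14, 90):
        r = report(retention)
        if r["last_candidate"] is None:
            print(f"{retention}-day retention: no snapshot predates the intrusion")
        else:
            print(f"{retention}-day retention: restore candidate {r['last_candidate']}, "
                  f"{len(r['suspect'])} suspect snapshots, "
                  f"data loss window {r['data_loss_window']}")
```

With 14-day retention every surviving snapshot was taken while the attacker was present; with 90-day retention a candidate exists, at the cost of roughly a month of data.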

Modern ransomware operators understand this architecture intimately. They specifically target backup infrastructure, deleting shadow copies, encrypting backup catalogues, and compromising backup admin credentials, because they know that if they eliminate your ability to recover, you pay. The entire business model depends on leaving organisations with no viable alternative.

There is a structural gap in the enterprise security stack that none of these tools address. Firewalls inspect traffic at the perimeter. Endpoint Detection and Response (EDR) inspects running processes on endpoints. Security Information and Event Management (SIEM) analyses logs and traffic patterns. But none of them look inside the files sitting on your storage, and that is precisely where the attacker's work lands. Every post-exploitation action, from ransomware deployment to data staging to file encryption, writes artifacts into the data layer. If nothing inspects that layer, the compromise persists undetected through every protection mechanism you have.

How Qumulo Addresses the Problem

Qumulo introduces a modern cyber-resilience architecture that addresses both sides of the ransomware challenge: preventing data corruption before it spreads and preserving a trusted, isolated recovery environment that remains beyond the reach of attacker lateral movement. By combining active protection with an architecturally isolated recovery environment, Qumulo delivers a new standard for ransomware resilience, one that assumes compromise and ensures recoverability. 

NeuralProtect: Detection at the Storage Layer

Qumulo NeuralProtect is real-time ransomware and malware detection built directly into the Qumulo storage platform. Unlike approaches that rely on known signatures or behavioral inference from network traffic, NeuralProtect uses Deep File Inspection to open and analyse every file at the moment it is written to storage. Its multi-modal detection engine identifies both known malware families and zero-day ransomware that has never been catalogued. When it detects a threat, it acts immediately by killing the malicious session to halt lateral file encryption, while also creating defensive snapshots to preserve a known-good state, and enabling rapid recovery from verified clean data. This is not a bolt-on agent or a third-party integration requiring separate infrastructure. It is protection embedded at the storage layer itself, exactly where the attacker's damage is done.

Qumulo Cloud Data Vault: Breaking Lateral Movement


The Qumulo Cloud Data Vault is a validated architectural pattern built on Qumulo Cloud Native deployments, designed to create an isolated, immutable recovery environment for business-critical data. It is not a separate product, but an architecture that leverages existing Qumulo capabilities to deliver cyber resilience. 

The vault sits in a separate cloud account with no persistent connection to the production environment, meaning there is no lateral path from a compromised system to the vault. Snapshots within the vault are locked using cryptographic keys, so a locked snapshot cannot be deleted or have its expiration shortened, even by a compromised administrator who lacks the private key. Connectivity to the vault exists only during scheduled replication windows, mimicking the physical airgap of tape removed from a library but delivered through cloud-native architecture that meets the regulatory requirements of DORA, CMORG, and the Bank of England's effective practices guidance.

The Compound Effect

These two capabilities work together to solve the fundamental problem that backup alone cannot, and they directly address the regulatory expectations now bearing down on financial services. NeuralProtect inspects data at the point of write, which means the data flowing into your backup, replication, and vault layers are verified clean at origin. Without that inspection, every protection layer downstream is potentially preserving compromised data and calling it resilience.

If NeuralProtect catches an attack early, your existing backup and DR copies remain clean and usable. If a sophisticated attack evades initial detection and is discovered later, the Qumulo Cloud Data Vault provides a provably clean recovery point from before the compromise, stored in an environment the attacker never accessed. 

DORA Article 12 demands that restored data passes through “multiple checks and reconciliations” to ensure “the highest level of data integrity.” NeuralProtect's Deep File Inspection delivers exactly that verification, applied continuously rather than only at the point of restore. 

The CMORG Cloud-Hosted Data Vaulting Good Practice Guide specifies that vaulted data must reside in an environment with no persistent connectivity to production, with cryptographic immutability and defined replication windows. The Qumulo Cloud Data Vault is built to that specification. 

The SEC's four-day disclosure clock starts not at the moment of the attack, but when the company determines that the incident is material, and that determination must be made without unreasonable delay. Materiality is assessed by whether a reasonable investor would consider it important to their decision-making. Organisations cannot afford ambiguity. NeuralProtect's real-time detection gives security teams immediate visibility into whether an attack has reached the data layer and whether recovery points remain viable, compressing that assessment window from weeks to minutes.

Together, they deliver what regulators across every jurisdiction are now demanding and what backup alone cannot provide: the ability to detect threats before encryption completes, isolate compromised sessions in real time, protect critical data in a segregated, immutable environment, and recover cleanly without paying a ransom.

The Bottom Line

Ransomware is a business survival problem, and the organisations that navigate it successfully will be those that recognised their existing operational resilience tools were designed for a different era of threats. The Bank of England is citing cyberattacks in GDP forecasts. DORA is enforceable across the EU. The PRA and FCA are publishing joint guidance on what “effective” cyber recovery looks like for systemic firms. The SEC is holding boards personally accountable for cybersecurity governance. Insurers are pulling back from the cyber market as claims outpace premiums, and those insurers that remain are demanding evidence of segregated recovery architectures before they will underwrite policies.

Backup is not ransomware protection.
Disaster recovery is not ransomware protection.
Business continuity is not ransomware protection.

They are all necessary components of operational resilience, but they were never designed to withstand a targeted adversary whose entire strategy depends on making them fail. More importantly, they no longer satisfy the regulatory bar. Regulators are not just asking whether you can restore from backup. They are also asking whether your recovery environment is segregated, whether your data integrity is provable, and whether you can demonstrate that your last known-good copy is genuinely clean.

Qumulo NeuralProtect and the Qumulo Cloud Data Vault help organisations build the capabilities regulators are increasingly asking for. Detecting threats at the point of write, preserving critical data in an isolated recovery environment, and recovering from verified clean copies strengthen cyber resilience and support a demonstrable recovery strategy in the face of ransomware. 

Ready to see how Qumulo NeuralProtect and the Cloud Data Vault work together? Request a demo at qumulo.com/product/neural-protect or read the NeuralProtect Solution Brief to learn more.

About The Author

Tom Tasker is a Principal Cloud Solutions Architect at Qumulo, focused on cloud data protection and ransomware resilience for financial services and regulated industries across EMEA and APJ. He is the co-author of the AWS Storage Blog post Resilience by Design: Building an Effective Ransomware Recovery Strategy, and lectures at Loughborough University on Modern Data Architecture.