Summary
- Databarracks has acquired the assets of Acumen Business Services, a UK business continuity consultancy.
- The deal follows Databarracks’ acquisition of PlanB Consulting and strengthens its business resilience managed services.
- The acquisition reflects market demand for joined-up cyber recovery, continuity planning, and technology resilience.
Databarracks has acquired the assets of Acumen Business Services, extending its business continuity and resilience capability as UK organisations continue to bring cyber recovery, continuity planning, and technology resilience closer together.
The London-based resilience provider said Acumen brings more than 100 clients across financial services, healthcare, manufacturing, technology, and the public sector. The deal follows Databarracks’ acquisition of PlanB Consulting and continues its investment in business resilience managed services. Financial terms were not disclosed.
Acumen was founded by Andy Osborne, who has spent more than two decades delivering business continuity consulting. Databarracks says the acquisition will allow it to add further value to Acumen customers through its Recovery Confidence assurance concepts and business resilience managed service approach. The company’s acquisition notice frames the transaction around a unified approach to business and technology resilience.
The deal sits within a market where cyber incident response, disaster recovery, business continuity, crisis communications, and supplier failure planning are increasingly converging. Ransomware, cloud outages, software faults, datacentre failures, and third party incidents can all produce the same operational problem: critical services stop, customers are affected, evidence is demanded, and recovery assumptions are tested under pressure.
Business continuity providers have traditionally focused on impact analysis, recovery time objectives, crisis exercises, and continuity plans. Cyber recovery providers have focused on backups, restoration, immutable storage, clean-room recovery, and infrastructure failover. Those disciplines now overlap because attackers and outages do not respect organisational boundaries. A recovery plan that restores servers but does not account for call centres, suppliers, customer communications, regulatory reporting, or manual workarounds remains incomplete.
The convergence is especially relevant to regulated sectors. Financial services firms face DORA requirements around ICT risk, incident reporting, resilience testing, and third party oversight. Operators covered by UK NIS rules, and potentially the forthcoming Cyber Security and Resilience Bill, face increasing scrutiny over continuity of essential services. Healthcare, manufacturing, utilities, and public bodies all have operational constraints that make recovery more complicated than restoring data from backup.
Databarracks’ move also reflects procurement demand for managed resilience rather than one-off consulting documents. Organisations are trying to evidence that recovery capability works, not merely that a plan exists. That means testing, exercising, dependency mapping, backup assurance, supplier contact discipline, executive playbooks, and measurable recovery confidence. Providers that can combine advisory work with managed resilience services are better placed to meet that demand.
The value of the acquisition will depend on integration across methods, client data, tooling, and assurance models. Business continuity is relationship-heavy and context-specific, while managed technology resilience depends on repeatable processes and evidence. Acumen’s consulting expertise will need to retain enough local knowledge to support realistic continuity planning while fitting into Databarracks’ broader managed service model.
Organisations reviewing resilience suppliers are increasingly testing whether providers can cover the full recovery chain. The relevant questions now cut across technical and business functions: which services matter most, which suppliers are critical, how fast systems can be restored, what happens if recovery is partial, who notifies regulators, and how evidence is preserved. Cyber resilience is increasingly judged by whether operations can continue under stress, not by whether individual controls look mature in isolation.





