Global outages in 2025 are a stark reminder that the digital infrastructure we rely on is fragile, interconnected, and increasingly concentrated. From AWS to Cloudflare, recent incidents have shown how a single technical failure can ripple across universities, businesses, and critical services. According to the panel at the 2025 Cyber Insurance Academy Bootcamp, understanding these outages isn’t just about technology; it’s about risk management, insurance, and operational resilience.
Lessons From Global Outages
Global outages reveal the underlying systemic risks and concentration issues that can amplify disruptions across industries. Our panelists emphasized that these events aren’t isolated; a single failure can cascade across universities, hospitals, businesses, and critical services, affecting operations, revenue, and regulatory compliance.
AWS Outage
In early 2025, Amazon Web Services (AWS) experienced a major outage that affected universities, businesses, and service providers across the U.S. Josephine Wolff, Professor of Cybersecurity Policy at The Fletcher School at Tufts University, explained, “It was really the result of a failure in their automated DNS management system – the address book of the internet.” The outage created widespread cascading effects.
CrowdStrike Outage
Cascading failure was evident not only in the AWS disruption but also in the global CrowdStrike outage, which sent shockwaves through industries reliant on cloud-based cybersecurity solutions. Approximately 8.5 million computers and servers worldwide were affected. Together, the AWS and CrowdStrike outages demonstrated how quickly disruptions can escalate across interconnected environments, highlighting the concentration risks and cascading effects that defined the panel’s discussion.
Tony Anscombe, Chief Security Evangelist at ESET, noted the dangers of monoculture in technology and insurance: “Imagine everyone on the same street using the exact same burglar alarm. Once a thief figures out how to break into one house, on night two, he comes back and hits the next.” He explained that when organizations rely on the same two or three tools, they create concentration risk that can amplify the impact of outages across industries. This monoculture doesn’t just affect individual companies; it can cascade through interconnected systems, turning a single technical failure into a global disruption and underscoring why operational resilience and diversified vendor strategies are critical.
Patrick Milnamow, Senior Manager at Ernst & Young LLP, added that policyholders often face confusion and frustration during such incidents: “I saw a lot of general frustration during the AWS and CrowdStrike outages – whether the outage was too short from a waiting period perspective, or if they didn’t have the proper wording within their policy.” The AWS outage serves as a real-world reminder that operational resilience, diversity in vendor selection, and careful policy design are critical for mitigating the effects of global infrastructure failures.
Cloudflare Outage
Cloudflare, an IT management company, experienced a major global outage on November 18, 2025. A permissions change in its database caused a configuration file to exceed size limits, disrupting traffic across services including X (formerly Twitter), ChatGPT, Spotify, and Canva. Users saw widespread HTTP 500 errors, and while core services were restored by early afternoon, the incident highlighted the same concentration risks discussed by the panel.
Jay Vinda, Global CISO and Cyber Risk Engineering Lead at Mosaic Insurance, emphasized that addressing these concentration risks requires proactive planning: “Better third-party management, greater visibility of where our concentration risk points exist, and integrating insurance mechanics into tabletop exercises, creates an environment for operational resilience.” His point links directly to the Cloudflare outage and the earlier AWS and CrowdStrike incidents, showing that even well-prepared organizations must account for systemic dependencies to strengthen operational and insurance-based defenses.
The Cloudflare outage illustrates this point vividly: even well-prepared organizations can be caught off guard when critical infrastructure layers fail. It also underscores the importance of reviewing policies for waiting periods, coverage scope, and how business interruption (BI) losses are defined.
Why These Lessons Matter
The panel discussion brought a holistic view to global outages: technology failures are inseparable from operational, legal, and insurance considerations. Key takeaways include:
- Concentration risk is real: Even diverse cloud strategies can fail if multiple services depend on the same edge or security provider.
- Pre-incident modelling is essential: Organizations need to map dependencies and quantify potential business interruption and regulatory exposure.
- Policy design and claims language matter: Waiting periods, coverage definitions, and monoculture risks can influence whether organizations are protected.
- Operational resilience is key: CISOs must work across legal, finance, and risk teams to plan recovery strategies that anticipate systemic failures.
The AWS and Cloudflare outages together demonstrate that global digital infrastructure is both critical and fragile. For insurers, brokers, and CISOs, the path forward lies in preparing for the next outage before it happens.
This panel discussion took place at the 2025 Cyber Insurance Bootcamp. It brought together top industry minds for an intensive, no-nonsense learning experience focused on the trends that will shape cyber risk in 2026.