From cloud outages to cybersecurity failures, the digital backbone of modern business is under constant strain. Recent high-profile disruptions — including last week’s AWS outage — have exposed just how vulnerable organizations can be when critical systems go dark. These incidents aren’t isolated anomalies; they’re signals of a new status quo where technology-driven interruptions happen every day, with potentially far-reaching consequences.
In this environment, preparation and planning aren’t optional — they’re a must. Organizations can build resilience through risk assessments, incident response planning, and cyber insurance strategies that help mitigate the impact of inevitable outages.
The event
In the early morning of Monday, October 20, a major outage at Amazon Web Services (AWS) caused thousands of websites and both desktop and mobile applications to go offline, affecting millions of individual users. The disruption stemmed from an AWS data center in Virginia but had global repercussions, affecting businesses across multiple industries. AWS is recognized as the largest cloud services provider in the world.
Amazon reported a resolution of the core problem within hours. But the growing complexity of technology chains and increasing reliance on third-party technology providers means that an outage involving a single provider can affect countless more companies, and have ripple effects across the economy.
For affected organizations, the duration of service interruption varied significantly; some returned to normal operations in a short amount of time, while others experienced disruptions of more than 24 hours, according to news reports. Ultimately, it will take some time before the true impact of the event is known.
Increasingly routine occurrences
The AWS outage was the latest example of how software disruptions can impact business operations in ways big and small. The AWS disruption follows two significant and widely reported outages in 2024: In July, an outage involving cybersecurity company CrowdStrike’s Falcon threat monitoring platform affected nearly 9 million Windows devices, and in December, a disruption involving Microsoft affected thousands of individual and business users of its popular 365 software suite.
These widely reported events are just the tip of the iceberg. With technology embedded in so much of what we do every day, IT outages are an unfortunate reality for both businesses and individuals. Routine technology-driven business interruption events can occur daily, and are often unreported on by major news media.
Given how much some companies rely on technology to perform both the critical and the mundane, even a small, relatively isolated event can have serious repercussions for any affected organizations, including potential system downtime and extra expenses.
Unfortunately, not all outages are preventable. But organizations can take action to reduce the potential impact of outages — both large and small — on their people, operations, and finances.
Preparing for future events
It’s important that organizations not lose sight of the potential impact of technology outages once they fade from the headlines. Instead, they must seek to build resilience against future outages by gaining a clear understanding of their specific cyber vulnerabilities.
Your organization can start this process by identifying the critical technologies and external partners your operations depend on. After you’ve done this, you can evaluate how disruptions might unfold, what backup systems or workarounds exist, and how your organization could continue functioning if those resources were suddenly unavailable.
Your critical technology partners should also be conducting thorough risk assessments. Vendors should identify their own key service providers and evaluate their exposure to potential disruptions in their technology supply chains. And organizations should trust but verify by considering including obligations around supply chain oversight, cybersecurity protocols, and IT service performance standards in contracts with vendors.
Companies should also develop robust cyber incident response plans. Among other things, these plans should:
Outline essential procedures. These include how companies can detect, contain, and respond to disruptive incidents and maintain business operations in crisis situations.
Be physically and digitally accessible. Plans should be printed and available in multiple secure and easy-to-reach locations.
Be regularly updated and tested. Organizations should keep plans current by updating them at least once per year and after every incident to ensure that lessons learned are incorporated. Teams should also engage in regular testing through tabletops and other exercises to ensure organizations are ready to respond during a crisis event.
Insurance essentials
Cyber insurance policies can offer valuable protection to organizations during and following IT outages. Business interruption coverage in a cyber policy can offset potential financial losses from technology disruptions, along with cyberattacks and other major technology-related exposures. Businesses may also be able to secure contingent business interruption coverage, which can reimburse policyholders for the effects of disruptions to third parties — such as cloud providers — on their own operations.
For policyholders, outcomes are highly dependent on the nature of an individual event and policy language. Coverage can vary widely among insurers, which makes it essential for organizations to work closely with insurance brokers to tailor terms and conditions and structural elements — including limits, sublimits, retentions, and deductibles — to best match their risk profiles and meet their unique needs.
As cyber threats and large-scale outages become more frequent, insurers are increasingly focused on systemic risk. In response, many have tightened policy language and introduced exclusions. Documentation of cybersecurity controls is also frequently a prerequisite for purchasing cyber insurance coverage.
Although buyers should be mindful of these developments, the good news is that cyber insurance remains accessible and affordable for most businesses. The key is to proactively work with your insurance broker to secure the right protection — and make sure your organization is ready to respond to a costly disruption before you face a crisis.
For more information visit our webpage here (opens a new window)or contact a member of Lockton’s Cyber & Technology Practice.
