Recent outages shine spotlight on systemic cyber risks
Recent high-profile outages have underscored the economy’s increasing dependence on major cloud platforms and the disruptive potential of even short outages. While systemic cyber risk is still viewed as largely theoretical, insurers and reinsurers are paying closer attention to coverage gaps, exclusions, and aggregation exposure.
For businesses, these events highlight the need for precise policy language and proactive resilience strategies.
Tech failures becoming more visible
For businesses worldwide, small-scale technology outages occur daily. Large-scale outages occur less frequently but often generate news headlines and have ripple effects that draw significant attention from insurers, businesses, and the public.
In October, two such widespread outages — involving AWS and Microsoft’s Azure cloud platform — occurred within a matter of days. Internet infrastructure and security provider Cloudflare reported an outage of its own in November. Each event disrupted thousands of websites and applications across desktop and mobile platforms, affecting companies and organizations across various industries, including aviation, banking, healthcare, and retail.
These outages follow two other high-profile outages in the last 18 months. In July 2024, a software update defect affecting the cybersecurity company CrowdStrike’s Falcon threat monitoring platform impacted 8.5 million Windows devices, resulting in widespread disruptions for airlines, hospitals, banks, and others. And in November 2024, a Microsoft 365 outage affected thousands of Outlook and Teams users.
Although outage frequency is not necessarily rising, the scale of cloud dependence means that more users and insurers could feel the impact when a major provider has an issue. Multiple large-scale events occurring in a relatively short period of time can also raise concerns for insurers, including potentially prompting them to take a closer look at policy language.
How insurers & reinsurers are reacting
Insurers are not yet broadly rewriting cyber policies or otherwise overreacting to recent trends. Recent events, however, are prompting sharper scrutiny. For example:
- Although cyber insurance is broad, it was not designed to cover every outage. Some policies require waiting periods — often nine to 12 hours — before coverage is triggered, which means short outages may not qualify as covered losses.
- Some carriers may view the AWS outage, for example, as an infrastructure issue, which raises questions about coverage applicability. Standard cyber insurance policies often exclude coverage for infrastructure-related losses, but generally include “cloud services” in policy definitions of insureds’ computer systems.
- Sublimits and exclusions for systemic risks will likely become more common, especially for cloud outages.
Still, systemic risk remains a largely theoretical concern. Large-scale failures that would be described as “systemic” events have, to this point, been exceedingly rare.
Reinsurers, particularly newer entrants, continue to deploy meaningful capacity for both proportional and nonproportional covers. However, recent outages are a reminder that systemic events could have broad implications for reinsurance portfolios. As a result, reinsurers are increasingly focusing on waiting periods, critical infrastructure exclusions, and event aggregation modeling.
There has been some limited chatter about a potential public-private partnership on cyber risks. The Terrorism Risk Insurance Program (TRIP) — established in the wake of the Sept. 11, 2001, terrorist attacks and most recently reauthorized in 2019, extending the program through Dec. 31, 2027 — applies to cyber events, but the general market view is that TRIP is ill-suited for large-scale business interruption events.
Some in the industry have expressed interest in a stand-alone backstop dedicated to cyber risks, but federal government and congressional support for such a program appears to be limited. Lawmakers remain cautious due to challenges seen in other government-sponsored insurance initiatives, such as the National Flood Insurance Program. Regulatory agencies are instead exploring security standards and legal frameworks to bolster infrastructure resilience.
Building resilience
Given the evolving cyber threat landscape, businesses should focus on becoming more resilient.
From an insurance perspective, organizations should work with their brokers to ensure cyber policies include clear language covering cloud outages. While most insurers currently offer such coverage, exclusions for networking or internet infrastructure may apply. In partnership with their brokers, companies should review sublimits, waiting periods, and endorsements to confirm coverage adequacy.
Insurance, however, is not a panacea. To build more resilient cybersecurity structures, additional steps are critical. Organizations should focus their attention on:

1. Vendor management. Systemic risk often stems from shared dependencies on major providers. Organizations must understand dependencies, contractual obligations, and service-level commitments across all tiers of the supply chain. They should also ensure clear communication on recovery plans.
2. Redundancy planning. Businesses should distribute critical workloads across multiple zones or providers to reduce single points of failure.
3. Backups. Organizations should maintain secure, tested backups — with multiple vendors — to enable quick restoration after outages or cyber incidents. Regular validation of backup processes ensures they will work when needed, reducing exposure.
4. Incident response planning. Businesses should ensure response plans include detection, containment, and recovery steps along with communication protocols. Plans should be accessible both physically and digitally, updated annually and after incidents, and tested regularly through tabletop exercises to ensure readiness and incorporate lessons learned for effective crisis management.