As technology outages become the new normal, staying operational means staying vigilant

From cloud outages to cybersecurity failures, the digital backbone of modern business is under constant strain. Recent high-profile disruptions, including this week’s AWS outage, have exposed just how vulnerable organisations can be when critical systems go dark. These incidents aren’t isolated anomalies; they’re signals of a new status quo where technology-driven interruptions happen every day, with potentially far-reaching consequences.

In this environment, preparation and planning aren’t optional; they’re a must. Organisations can build resilience through risk assessments, incident response planning, and cyber insurance strategies that help mitigate the impact of inevitable outages.

The event

In the early morning of Monday, October 20, a major outage at Amazon Web Services (AWS) caused thousands of websites and both desktop and mobile applications to go offline, affecting millions of individual users. The disruption stemmed from an AWS data center in Virginia but had global repercussions, affecting businesses across multiple industries. AWS is recognized as the largest cloud services provider in the world.

Amazon reported a resolution of the core problem within hours. But the growing complexity of technology chains and increasing reliance on third-party technology providers means that an outage involving a single provider can affect countless more companies and have ripple effects across the economy.

For affected organisations, the duration of service interruption varied significantly; some returned to normal operations in a short amount of time, while others experienced disruptions of more than 24 hours, according to news reports. Ultimately, it will take some time before the true impact of the event is known.

Increasingly routine occurrences

The AWS outage was the latest example of how software disruptions can impact business operations in ways big and small. The AWS disruption follows two significant and widely reported outages in 2024: In July, an outage involving cybersecurity company CrowdStrike’s Falcon threat monitoring platform affected nearly 9 million Windows devices, and in December, a disruption involving Microsoft affected thousands of individual and business users of its popular 365 software suite.

These widely reported events are just the tip of the iceberg. With technology embedded in so much of what we do every day, IT outages are an unfortunate reality for both businesses and individuals. Routine technology-driven business interruption events can occur daily and often go unreported by major news media.

Given how much some companies rely on technology to perform both the critical and the mundane, even a small, relatively isolated event can have serious repercussions for any affected organisations, including potential system downtime and extra expenses.

Unfortunately, not all outages are preventable. But organisations can take action to reduce the potential impact of outages, both large and small, on their people, operations, and finances.

For Businesses in the Middle East and North Africa

For organisations in the Middle East, the implications are particularly relevant. Although major global cloud service providers are expanding their data-centre footprint in the region, many critical workloads are still routed through European or US regions. This means that a disruption thousands of kilometres away can directly impact business operations in the region.

Conversely, some countries in the Middle East, such as Saudi Arabia, now require certain types of data to be stored within national borders, making organisations increasingly dependent on a limited number of local or "sovereign" cloud providers. This creates a concentration of risk, potentially limiting the ability to fail over to global infrastructure. While companies can design multi-region resilience, in practice this is constrained by regulation: local data protection laws (such as Saudi Arabia's PDPL) heavily restrict cross-border data transfers, making backup data centres outside the country limited or conditional. As a result, the region's push for data sovereignty, while positive for data security and control, also introduces a unique systemic risk: heightened dependency on a smaller group of in-region providers and reduced geographic diversification, which amplifies the potential impact of any single-point technological failure.

Preparing for future events

It’s important that organisations not lose sight of the potential impact of technology outages once they fade from the headlines. Instead, they must seek to build resilience against future outages by gaining a clear understanding of their specific cyber vulnerabilities.

Your organisation can start this process by identifying the critical technologies and external partners your operations depend on. After you’ve done this, you can evaluate how disruptions might unfold, what backup systems or workarounds exist, and how your organisation could continue functioning if those resources were suddenly unavailable.

Your critical technology partners should also be conducting thorough risk assessments. Vendors should identify their own key service providers and evaluate their exposure to potential disruptions in their technology supply chains. And organisations should trust but verify by considering whether to include obligations around supply chain oversight, cybersecurity protocols, and IT service performance standards in contracts with vendors.

Companies should also develop robust cyber incident response plans. Among other things, these plans should:

  • Outline essential procedures. These include how companies can detect, contain, and respond to disruptive incidents and maintain business operations in crisis situations.

  • Be physically and digitally accessible. Plans should be printed and available in multiple secure and easy-to-reach locations.

  • Be regularly updated and tested. Organisations should keep plans current by updating them at least once per year and after every incident to ensure that lessons learned are incorporated. Teams should also engage in regular testing through tabletops and other exercises to ensure organisations are ready to respond during a crisis event.

Insurance essentials

Cyber insurance policies can offer valuable protection to organisations during and following IT outages. Business interruption coverage in a cyber policy can offset potential financial losses from technology disruptions, along with cyberattacks and other major technology-related exposures. Businesses may also be able to secure contingent business interruption coverage, which can reimburse policyholders for the effects of disruptions to third parties, such as cloud providers, on their own operations.

For policyholders, outcomes are highly dependent on the nature of an individual event and policy language. Coverage can vary widely among insurers, which makes it essential for organisations to work closely with insurance brokers to tailor terms and conditions and structural elements, including limits, sublimits, retentions, and deductibles, to best match their risk profiles and meet their unique needs.

As cyber threats and large-scale outages become more frequent, insurers are increasingly focused on systemic risk. In response, many have tightened policy language and introduced exclusions. Documentation of cybersecurity controls is also frequently a prerequisite for purchasing cyber insurance coverage.

Although buyers should be mindful of these developments, the good news is that cyber insurance remains accessible and affordable for most businesses. The key is to proactively work with your insurance broker to secure the right protection and make sure your organisation is ready to respond to a costly disruption before you face a crisis.

For more information, contact a member of Lockton’s Cyber & Technology Practice.