Cloud Outages: Where Cyber Insurance Meets Professional Liability

It seems like every few weeks the world wakes up to another technology disruption. 

On October 20 2025 Amazon Web Services suffered a major outage that interrupted companies and products across the globe. 

On November 18 2025 it was CloudFlare which went down. 

Between these two service providers over the course of the last month much of the internet has, for a time, gone dark.

While all systems at both AWS and CloudFlare are now back up and running, these incidents have highlighted the very real risks associated with doing business in a technologically dependent environment, and have seen the necessity of asking hard questions. 

What happens to your balance sheet, your client relationships, and your professional liability when critical third-party technology platforms fail?

Digital Dependency in 2025

The November 18^th incident at web infrastructure and security provider, CloudFlare, disrupted traffic and operations to a significant portion of the global internet. Reports on the outage suggest that a misconfigured file, handling traffic management in regards to digital threats, crashed part of the company’s network. This caused time outs and errors on popular applications and websites, including Social Media platforms, productivity tools, Banking apps, and even A.I services.

The CloudFlare disruption lasted hours, and at its peak, removed significant portions of both the public and private internet from access by normal users. Businesses and Organizations that use CloudFlare and which were reliant on their services for content delivery, DNS resolution, or even IT security, were unable to proceed with normal daily operations. Even though internal systems and services were working, these businesses found themselves at the receiving end of customer complaints and lost revenue because of the disruption in CloudFlare’s network.

The CloudFlare incident is not isolated.

Less than one month ago, on October 18^th 2025, Amazon Web Services also experienced a major outage. Centered on the AWS US-East-1 region, one of the most heavily utilized cloud hubs in the world, this disruption is thought to have been caused by malfunctions in internal automation systems monitoring network load balancers and database services. The failure of these system led to DNS disruption and cascading service outages across myriad AWS offerings. Like the CloudFlare incident, the AWS outage lasted many hours and impacted a huge number of organizations across many different industries. From Smart Mattresses in consumer’s bedrooms, to the most popular social media sites, much of the internet and its connected “things” simply didn’t work.

Both the AWS and CloudFlare events share a number of characteristics that deserve attention, and make understanding the incidents critical from a risk and insurance perspective.

• Neither event was caused by a direct cyber attack or malicious actions on the part of cyber criminals towards the end customer (organizations using AWS and CloudFlare services).
• In both cases the disruption originated in 3^rd party Cloud Computing providers that form much of the backbone of modern supply chains.
• Both disruptions caused widespread business interruption and customer service outages for companies and organizations that had little to no control over the root cause of the issue and were consequently unable to fix it.

The combination of non-malicious technology failure at a trusted third-party vendor, coupled with broad operational and reputational impact, is exactly where the intersection and interaction of both Cyber Insurance and Professional Indemnity Insurance becomes complex, hazardous, and extremely necessary.

From Outage to Loss; Financial and Legal Implications of Cyber Disruption

If, and when, a Cloud Computing or Network provider fails, a business in the modern world will typically experience several categories of loss.

The first, and most visible type of loss in this event, is going to be straightforward Business Interruption. When your website or network goes dark because a critical vendor has experienced an outage, online sales will stop, subscription services may become unavailable, call centers and technical support will be slammed with angry customers, and (in the case of online-only or FinTech companies) extreme lost revenues.

Then there is the cost of managing the disruption.

Even if an outage is the fault of a third-party vendor, the impacted companies will still need to mobilize technical teams, legal counsel, crisis communications, and even hire external experts to assist in managing the event. All of this comes at additional costs to regular business operations. Staff overtime, emergency infrastructure to work around the problem, and even customer give aways to salvage a damaged reputation all contribute to a drain on the balance sheet in the immediate wake of a cyber event.

In regulated sectors, like Financial Services, Healthcare, Utilities, and critical infrastructure (like public transit), additional burdens and costs may be present. Depending on the severity of the disruption or outage, and the scale of its impact, companies operating in regulated industries may be subject to investigations from supervisory bodies; which can include the possibility of fines.

Finally, there is the loss that can come from customer actions. It is increasingly common for end-customers to frame their losses (in any area) as the result of inadequate professional advice or service. A software integrator that architected a client’s cloud environment, a consultancy that recommended a particular third-party provider, or a managed service provider that offered round-the-clock uptime guarantees may all find themselves facing allegations that they failed to exercise reasonable skill and care in designing a resilient solution.

Any of these areas of loss can potentially touch on a form of insurance coverage; but not necessarily the same policy, and not always in the way policyholders expect.

Understanding Cyber Insurance in a Cloud-Centric world

Cyber Insurance has seen tremendous evolution since its introduction to the global market. 

Modern Cyber Insurance coverage has moved beyond focusing exclusively on data breaches, and is now offering broader protection for a range of technology related incidents. Current cyber insurance products will typically address coverage needs for first-party response costs (including forensics and crisis communications), as well as third-party liabilities towards Regulators, Customers, and other stakeholders who may be impacted by any digital disruption.

As such, and recognizing the dependency on modern businesses for an always connected marketplace, many modern Cyber Insurance products will offer business interruption protection as a core component of the coverage. This means that, depending on the policy’s specific wordings, coverage may be activated when an insured organization’s own network is compromised by a cyber attack or ransomware event, system failure, or other defined “security” disruption. This ensures that coverage is there for lost income and extra expense costs during a restoration period or investigation into the issue.

It is important to note, however, that extended outages at third party providers may not be covered as standard under many cyber insurance products – necessitating the purchase of a more focused, and specific cyber insurance policy. This type of protection, which is deemed “contingent” or “dependent” business interruption is normally an optional extension under some Cyber Insurance products which can be purchased for an additional premium. If purchased, contingent business interruption coverage will be subject to separate sub-limits, longer waiting periods than would normally be found on the policy, and much narrower triggers in the event of a claim situation.

When it comes to purchasing contingent business interruption on a cyber insurance policy, it is important to understand that coverage terms can be highly technical. For example, many policies will require that a loss be caused by a “defined event” (which can be limited to malicious attacks) affecting the third-party network, rather than a simple technical error.

In the situation of both the CloudFlare and AWS incidents, the major question for all businesses is not “do we have insurance for this?” but rather “does our existing cyber insurance policy extend coverage to outages at our providers?”

“Are the triggers broad enough to capture outages and interruptions that are deemed to be non-malicious?”

Where the answers are positive and well-structured, cyber coverage can provide valuable financial support during and after such disruptions. Where coverage is narrow, misaligned with the organization’s actual vendor dependencies, or limited to narrowly defined cyberattacks, businesses can be surprised by the extent of uninsured loss.

Professional Liability Risks in a Hyper Digital Economy

Professional Indemnity Insurance, also known as Errors and Omissions Insurance, Professional Liability Insurance, or simply Malpractice Insurance is designed to protect individuals and businesses from claims that negligence, errors, or omissions in their work have led to a customer loss or caused the customer harm. Traditionally this type of policy is associated with Doctors, Lawyers, Architects, Bankers, and Insurance Brokers, but is increasingly becoming a vital risk-management tool for technology consultants, systems managers, managed service providers, and other technology focused professions.

Simply put, Professional Indemnity Insurance covers allegations that the policyholder made a mistake. Whether this was omitting critical information, provided flawed advice or services, or otherwise failed to meet reasonable professional standards, Professional Indemnity Insurance is able to assist with covering the costs of a legal defense as well as payment of any damages that may be awarded against the at-fault firm.

In an age where business is conducted remotely, through digital channels, it may be natural to assume that Professional Indemnity Insurance policies would typically cover cyber-related claims as standard. However, it is critical to be aware that the market trend is to treat Professional Liability protection and Cyber coverage as separate and distinct policy classes, with PII plans restricting cyber-related exposures and cyber policies avoiding Errors and Omissions benefits. Many Professional Indemnity product wordings will offer only limited cover (or none at all) for cyber-related incidents.

The simple reason for this is that insurers and underwriters did not originally design Professional Liability Insurance products to handle the growing volume and complexity of data breaches, as well as cyber claims. As such, providers have taken steps to limit their cyber exposure under most Professional Liability Insurance products, with the expectation that the policyholder purchase a dedicated cyber-insurance policy to address those risks.

Having said this, it is important to understand that comparative discussions of Cyber insurance and PII coverage stress an important nuance; Professional Indemnity is still intended to respond to “professional mistakes,” where cyber insurance policies focus on “security failures” and technology incidents.

Should a Cyber Event have occurred because a professional failed to exercise reasonable skill and care in their job (failing to provide required due diligence or follow industry standards, for example) then there may be scope for a PII policy and a Cyber Insurance policy could be implicated in assisting with the claim. However, this will entirely depend on the specific policy wordings and exclusions of the insurance products involved.

This evolving landscape, with PI policies narrowing cyber exposure, cyber policies expanding into business interruption and third-party technology outages, and complex overlaps in potential claim scenarios, is exactly where the 2025 cloud incidents offer valuable lessons.

Triggering Both PII and Cyber Exposures

To understand a scenario where both Professional Indemnity Insurance and Cyber Insurance Cover would trigger, lets take the example of a software company that is in the business of providing a cloud computing platform to enterprise customers. A professional services department in the same company designs and implements bespoke integrations for clients, advising on architectural, resilience, and failover concerns.

This company was extremely exposed to the AWS incident in October 2025. During the outage the platform is unavailable for a period of several hours, leaving clients unable to transact business or access critical data. As some customers have experienced a financial loss due to the outage, they are now alleging that the Software company failed to provide a suitable solution that would have prevented this situation. Supporting these allegations are the software company’s marketing materials guaranteeing 99.999% up time, and worldwide disaster recovery solutions.

In this situation, the Software company might initially lean on any Cyber Insurance protection it holds. The cyber insurance policy would be in a position to cover lost internal revenue from the downtime, as well as provide assistance with the PR and reputational costs needed to manage an evolving crisis. If that Cyber Insurance coverage offers a business interruption benefit, and has broadly worded triggers that encompass non-malicious system failures at third-party providers, then there is the possibility of recovery on the financial and technical fronts.

However, once the allegations of negligence and wrongdoing begin to appear, then it is likely that any Professional Indemnity Insurance held by the software developer would then be engaged. The allegations that the company’s advice, design or implementation fell below the standard of a reasonably competent professional, sit squarely in the realm traditionally occupied by professional indemnity insurance.

A single cyber-related incident can trigger both cyber insurance and professional liability insurance policies. One responding primarily to the technology and data aspects of the incident, the other to the professional relationship and advice component. But this interplay is only smooth where policies are carefully coordinated.

Inadequate alignment can lead to disputes between insurers over which policy should respond, or worse, uncovered gaps where each carrier points to exclusions and denies primary responsibility.

Professional Indemnity and Cyber Insurance; Together

The 2025 AWS and Cloudflare incidents are unlikely to be the last large-scale technology outages the global economy experiences. If anything, growing reliance on a concentrated group of infrastructure providers, combined with the increasing complexity of their platforms, suggests that similar events will reoccur.

For organizations that rely on digital channels to deliver professional services or operate business-critical platforms, these outages function as a real-world rehearsal.

They expose not only weaknesses in technical architecture and vendor oversight, but also potential fault lines in how risk is transferred between cyber and professional indemnity insurance. 

Used thoughtfully, cyber insurance can provide essential support for business interruption, incident response and third-party claims when technology fails. Equally, professional indemnity cover remains a vital safeguard when clients allege that a firm’s advice, design or oversight fell short of professional standards, even if the immediate trigger was a third-party outage.

The challenge, and opportunity, now is to treat these policies not as isolated products but as complementary tools within a coherent resilience strategy. That means understanding where each policy should respond, identifying overlaps and gaps, and aligning coverage with the real dependency map created by cloud, SaaS, and network providers.

The headline-grabbing outages of late 2025 have given boards, executives and professionals a vivid demonstration of systemic digital risk. 

The next step is to translate that awareness into concrete actions: reviewing contracts and SLAs, stress-testing business continuity plans, mapping critical vendors, and, crucially, revisiting cyber and professional indemnity insurance with fresh eyes. 

Where those efforts are coordinated, businesses will be better placed not only to survive the next outage, but to preserve trust, meet regulatory expectations and continue delivering professional services in an increasingly interconnected world.

For more information about Cyber Insurance, Professional Indemnity Insurance, or your Business Insurance options, Contact Us.

Ask CCW – where your insurance is always Swift, Simple, and Sorted.