By Ryan Windt | Head of Growth Marketing | Updated April 2026
On October 20, 2025, a DNS failure in AWS’s US-EAST-1 region cascaded across more than 140 services. Slack went down. Atlassian products went down. Banks, airlines, and government services were disrupted across multiple countries. The outage lasted roughly 15 hours.
Three weeks later, a configuration issue in Azure Front Door triggered an eight-hour disruption affecting Microsoft 365, Xbox, and thousands of enterprise customers.
These are not anomalies. Between August 2024 and August 2025, AWS, Azure, and Google Cloud together experienced more than 100 service disruptions. Azure outages averaged 14.6 hours in duration. Google Cloud disruptions averaged 5.8 hours. Even AWS, the most operationally reliable of the three, averaged 1.5 hours per incident.
For any business running operations on cloud infrastructure, the question is no longer hypothetical: if your cloud provider goes down and your revenue stops, does your cyber insurance respond?
The answer depends on what coverage you actually have.
The Difference Between First-Party and Contingent Business Interruption
Standard cyber policies include business interruption coverage, but that coverage is triggered by a security event in your own environment. A ransomware attack that takes down your systems. A breach that forces you offline. An incident that originates inside your network.
Cloud outages are different. When AWS goes down, nothing happened to your systems. No one compromised your credentials. No attacker touched your network. A third-party provider you rely on simply failed, and you lost revenue as a result.
That is what insurers call contingent business interruption (CBI), and it sits in a different part of the policy from standard business interruption. Whether you have it, and how broadly it is defined, determines whether your cloud downtime is a covered loss or an uncovered operational expense.
To understand the full scope of what a cyber policy can and cannot do, it helps to understand first-party versus third-party cyber coverage and how each layer responds to different types of losses.
What Contingent Business Interruption Coverage Actually Does
CBI coverage is designed to respond when a third party’s system failure causes you to lose income. In a cyber context, that means losses attributable to an outage at a cloud provider, SaaS platform, or other vendor your operations depend on.
A well-structured CBI endorsement will typically cover:
Lost revenue during the outage period. If your e-commerce platform, customer portal, or internal systems are inaccessible because your cloud provider is down, the revenue lost during that window is covered, subject to the policy’s waiting period and limits.
Extra expenses incurred trying to maintain operations. If you spin up emergency alternatives, pay staff overtime, or incur other costs trying to work around the outage, those expenses can also be covered.
Dependent system failures. Some policies extend coverage not just to direct cloud providers but to downstream vendors you depend on, including SaaS tools, payment processors, and other platforms that run on the affected infrastructure.
What CBI coverage does not do, in most cases, is respond to every cloud hiccup. Policies typically require the outage to meet a minimum duration threshold before coverage activates, commonly eight to twelve hours. A two-hour disruption, even a disruptive one, may not trigger the coverage.
Where Most Policies Fall Short
CBI coverage exists in the market, but it is not universally included in cyber policies, and where it does exist, the terms vary considerably.
The gaps most commonly surface in three places.
CBI is excluded or sublimited. Some policies exclude contingent business interruption entirely, limiting business interruption coverage only to events originating in the insured’s own systems. Others include CBI but apply a sublimit significantly below the overall policy limit. This is one of the less visible cyber insurance sublimit issues that businesses often discover only after a loss. A company with a $2 million policy might have $250,000 in CBI coverage, which may bear no relationship to what a 15-hour cloud outage actually costs.
“System failure” is narrowly defined. Some CBI provisions only respond to outages caused by a security event at the third-party provider. If AWS goes down because of a misconfigured DNS record, a capacity failure, or an internal engineering error rather than a cyberattack, certain policies may not cover the resulting loss at all. The October 2025 AWS outage was caused by a DNS automation error, not a breach. Policies with security-event triggers would not have responded to it.
This narrow trigger language is the same dynamic that creates cyber insurance exclusions around nation-state attacks and infrastructure failures more broadly. The definition of what caused the loss determines whether the loss is covered.
Named provider requirements. A subset of policies require you to specifically schedule the cloud providers you depend on at the time of underwriting. If you are running on Azure and AWS and only scheduled Azure, an AWS outage may not be covered. This is a straightforward gap to close at renewal, but many businesses discover it only after a claim.
How to Read Your Policy for Cloud Outage Coverage
If you are not certain whether your current policy responds to cloud provider outages, there are a few specific things to look for.
First, find the business interruption section and confirm whether it contains contingent business interruption language or a dependent systems provision. These may be listed as separate coverage parts or as endorsements.
Second, check the trigger language. Does CBI coverage activate on any system failure at the third-party provider, or only on security events? The distinction matters enormously for outages caused by technical failures rather than attacks.
Third, review the sublimit. If CBI is included, what is the applicable limit? Does it match your actual exposure from a meaningful cloud outage?
Fourth, check the waiting period. Most policies have a retention period before business interruption of any kind kicks in. Understanding your cyber insurance deductible structure and waiting period thresholds together gives you a clearer picture of what a real claim would actually recover.
If any of these answers are unclear, that is the conversation to have with your broker before your next renewal, not after an outage.
Cloud Concentration Risk Is a Real Underwriting Consideration
AWS, Azure, and Google Cloud together control more than 62% of the global cloud market. When one of them experiences a major outage, the affected businesses are not just one company’s customers. They are a significant portion of the global digital economy operating on shared infrastructure.
Insurers have started paying close attention to cloud concentration risk for this reason. They want to understand which providers you rely on, how dependent your operations are on each, and what your recovery options look like if a primary provider goes down for an extended period. This is related to the aggregation risk dynamic that has emerged in the MSP and managed services space, where shared infrastructure dependencies create correlated losses across many clients at once.
Businesses that have documented multi-cloud or hybrid strategies, or that can demonstrate meaningful recovery alternatives, are generally viewed more favorably by underwriters. This is an area where the security controls conversation and the coverage conversation intersect.
What This Means for Tech Companies and MSPs
Cloud dependency is especially concentrated among technology companies and managed service providers. If your core product or service delivery runs on AWS, Azure, or Google Cloud, a provider outage is not a peripheral risk. It is a primary revenue risk.
Cyber insurance for tech companies needs to account for this specifically. A policy structured around traditional first-party breach scenarios may leave significant gaps for businesses whose biggest operational risk is cloud infrastructure failure rather than a direct intrusion.
For MSPs, the exposure is compounded. An outage at a cloud provider can simultaneously affect an MSP’s own operations and the operations of every client running on that infrastructure. Understanding how cyber insurance fits into MSP service delivery is increasingly about mapping these third-party dependencies, not just securing the MSP’s own perimeter.
Practical Steps Before Your Next Renewal
Whether you are approaching a new policy or renewing existing coverage, cloud outage exposure is worth addressing directly.
Map your cloud dependencies before you talk to your broker. Know which providers you rely on, which business functions depend on each, and what a four-hour or twelve-hour outage at each provider would cost you in lost revenue and extra expenses. That number is what your CBI coverage needs to address.
Ask specifically whether CBI is included in your policy and review the trigger language. If the policy only covers security events at third-party providers, ask whether a broader system failure trigger is available.
Confirm that named cloud providers are scheduled, or that your policy uses an unnamed-provider approach that covers any dependent system failure without requiring you to list providers in advance.
Review the sublimit relative to your actual exposure. If your cloud costs and cloud-dependent revenue are substantial, a nominal CBI sublimit will not serve you in a real event.
If you are unsure whether your current coverage is structured correctly, a cyber insurance coverage review with a specialist broker is the right starting point.
The Honest Answer
Cyber insurance can cover cloud outages, but whether your policy does depends on the specific terms, definitions, and sublimits in your coverage. Many businesses that assume they are covered would find, upon a close reading, that their business interruption coverage only responds to events in their own environment.
As cloud dependency has increased and major provider outages have become a routine feature of the technology landscape rather than a rare disruption, CBI coverage has moved from a niche consideration to a legitimate component of a well-structured cyber program.
The time to understand your exposure is before the next AWS DNS failure, not while you are watching your revenue dashboard go flat.
SeedPod Cyber specializes in cyber and Tech E&O coverage for businesses of all sizes. Contact us for a coverage review or quote.