On 20th October 2025, more than 2,000 companies worldwide were affected by an IT systems error within Amazon’s cloud computing service, Amazon Web Services (AWS). Days later, a less publicised but still significant outage on Microsoft’s Azure cloud platform brought down a range of websites including those of NatWest bank and London Heathrow Airport. Around the time of publication, an error at internet cyber security services provider Cloudflare has triggered widespread disruption.
Large-scale cloud computing failures can be devastating to businesses, as customers and clients are unable to access key services online. In this article, Wayne Cleghorn, Technology and Cybersecurity Partner at Excello Law, explains how businesses can best prepare for and respond to an IT outage.
What happened to AWS and Azure?
Reporting has confirmed the AWS IT outage was caused by errors that left its internal systems unable to connect websites and IP addresses. Critical database processes around Domain Name System (DNS) records fell out of sync and triggered a chain reaction of issues across the system significant enough to bring down the online platforms of more than 70,000 customers of AWS, including 2,000 large organisations.
Azure’s IT outage had a different technical root cause arising from a configuration change in its content delivery and traffic management system. However, a significant cycle of disruption resulted from a domino effect of different parts of the platform failing to connect. Azure’s systems were disrupted for eight hours, while AWS’s outage lasted for about fifteen hours. Even though Azure’s IT outage was shorter, it still disrupted thousands of organisations and demonstrated the fragility of these systems.
Most of the damage suffered by businesses using AWS’ or Azure’s IT services occurred within the hours of the outage itself. Loss of access to key services offered by affected customers was the most obvious knock-on effect. However, loss of productivity affected many internal teams within these customer organisations, particularly IT, online and sales teams. These groups were forced to focus on crisis management and turn away from business-as-usual activities and key everyday operations.
How can businesses prepare to deal with an IT outage?
- Prepare, Prepare, Prepare: Early and ongoing preparation to ready a business for downtime, whether from cloud computing failure, cyber-attack or otherwise, will save time and money when an incident occurs. UK Government data reports that 43% of businesses (and 30% of charities) surveyed had experienced a cyber security breach or attack in the previous 12 months.
- Know Your Cloud Services Contract: Scrutinise the terms of your contract with your cloud computing service provider. The contract should include provisions for minimum service and performance levels and what is considered ‘acceptable’ downtime. The terms should also address immediate crisis remedies available, though these may differ depending on the root cause of an IT outage. Where the downtime is a result of error by the service provider, a clear route to redress should be made available. Contact your IT services supplier if this is not the case or if the terms are not clear. Provisions might also cover third party failure.
- Review the terms of your Corporate Insurance Policies: As an additional layer of security, review your company’s insurance policies including those relevant to business disruption and cybersecurity. This is a fast-evolving area and clauses can differ significantly between insurers and based on when a policy was agreed. If a policy has not been updated in some time, it may not reflect the latest threats or might be vague about what is and what is not insured. Where there are ambiguities, specialist legal advice should be sought.
- Ready your Business Continuity and Disaster Recovery Plans: All businesses should have disaster recovery and business continuity plans ready for when IT outages occur. These must operate across the business by setting up a multidisciplinary team with clear designation of responsibilities at each stage of the response process. To ensure the organisation’s readiness when a crisis occurs, key staff must be trained on up-to-date best practices.
- Review, Practice, Learn: Getting ready once is not enough – businesses should constantly review processes to ensure that it is equipped to deal with any potential new threats. Research conducted in 2024 by business protection and recovery specialist Assuresto found that 20% of IT professionals admit to testing data backup systems just once a year or less. Systems should be tested for resilience in isolation as well as part of a fully simulated crisis response.
What to do during an IT outage
- Get Information: All action must be informed by first taking all available steps to understand the nature and cause of the IT system failure. Get as much relevant information as possible from your suppliers; consult a multitude of trusted sources so you can make risk-based real time decisions to stabilise and improve the company’s position. Do not rush into corrective action that might cause more damage to the business than a more informed and measured response.
- Work Through Your Response Plan: Gain a thorough understanding of the outage’s scope and source. Then, determine whether the issue is severe enough to require activating your business continuity and disaster recovery plans. Each step of the activated plan must be worked through sequentially. Establish a clear chain of command and responsibility and ensure that everyone knows their role and what their priorities are. Use IT systems and database backups that are unaffected and available, and close exposed services.
- Effective Internal and External Communication: Communication within and outside the business is vital throughout the response process. Your internal channel must ensure each part of the business is informed of relevant developments but must not overload stakeholders with unnecessary information. Have a team in place to maintain contact with the rest of your supply chain. This increases understanding around what each link in the chain is doing to fix and minimise the effect of all relevant issues, and deliver effective feedback to the key response team.
- Look after your Clients, Customers and the Market: There is an important balance to strike in transparency to clients, customers and the market. Honesty is paramount, and it is usually beneficial to provide periodic status updates to your external stakeholders, but this should be done with a degree of caution. Only give assurances about return to normal service when you are very sure that this can be fulfilled; further delays might damage trust further. Be careful that your business does not become exposed to any unintended reputational or legal risk.
Recovery and redress following an IT outage
- Learn the Lessons: The first step following an IT disruption should be to make sure lessons are learned. Review each step of your response and prepare a report detailing how different parts of the organisation were affected and what the short, medium and long-term impact might be. Highlight both glaring errors and notable successes and communicate these to your multidisciplinary group.
- Practice, Practice, Practice (Again): Your response team should learn from its mistakes, but it may be worth running a new crisis simulation a few months later. This will acknowledge and imbed the recent lessons learnt and supplement long-term institutional resilience.
- Consider and Seek Compensation: The business might also be eligible for compensation, either directly from the cloud services provider or from cyber insurance policies. The increasing frequency of IT service outages, along with the devastating series of cyber attacks recently facing large companies, reinforce that while cyber insurance might previously have been seen as optional, it is now crucial for asset protection, risk-sharing and business resilience.
- Work with your Insurers and Lawyers: IT service providers and insurers may refuse to pay redress following service disruption or may make deliberately low settlement offers. Where there has been a large-scale IT outage, they may be processing claims from hundreds of businesses and will be seeking to reduce the impact on their balance sheets. Business leaders who believe that their legitimate claims are being refused should obtain specialist legal advice. The supplier or insurer may change their position once a lawyer gets involved. If they continue to deny liability or refuse to settle early, litigation may be required.
Conclusion
IT outages can severely disrupt key internal business operations, trading and supply chains. Even relatively short-lived technical IT outages within cloud service providers can reduce an affected business’ revenue, damage their reputation and divert valuable resources. For the unprepared, these outages can cause longer trails of loss and disruption.
Business leaders, IT teams, procurement teams and legal advisors should always keep an open mind about whether a large IT outage is linked to a previous cyber-attack, even one occurring externally in the wider supply chain. Large scale IT outages can be seeded by a range of causes – from an innocuous-looking system intrusion many months ago to a very recent cyber-attack at a key supplier.
Even where there is no proven and active cyber-attack, cloud service outages can severely disrupt the day-to-day operations of businesses. This is why business continuity plans must be in place, kept up to date and fully rehearsed.
