On November 18, 2025, companies had another opportunity to test their resiliency when connectivity and security provider Cloudflare had an outage of about four hours, which resulted in several popular websites going offline while others managed to provide some services to their customers. What can this mean for your company?
Background
Cloudflare provides security services that help companies block malicious code, bots, etc. That technology requires frequent updates. A module that manages bot access to Cloudflare customers’ sites receives an updated configuration file every few minutes, generated by a database. On November 18, an adjustment to database access permissions inadvertently caused this configuration file to be generated at twice the expected size, which crashed the bot management module throughout the Cloudflare network. Within three hours, Cloudflare had identified the problem and concluded that “the issue was not caused, directly or indirectly, by a cyber attack or malicious activity of any kind.”
Customer reactions
Many companies’ websites reportedly went down because they were unable to migrate from Cloudflare’s services during the issue, or were unable to move to another service provider because they also purchased domain name system services from Cloudflare. Some companies reportedly managed to move their websites from Cloudflare during the outage by electing to keep their websites running without Cloudflare’s protection from malicious actors. It was also reported that thousands of users of very popular websites were reporting outages during the height of the issue, and the full extent of the outages is not yet known.
Supply chain concerns
This is not the first time that a commonly used service provider has caused massive outages and issues for its customers, and it will not be the last. In today’s interconnected world, there are a few integral service providers that almost all companies use and work with, and that also support most websites and online offerings. When those providers suffer from an issue, it can ripple throughout the internet, causing similar problems.
The key for businesses that are customers of these integral providers is being ready to respond to and deal with such disruptions. The first step is to identify such providers in your supply chain, and then to map out how many of the other providers your business relies on most likely rely on these providers as well. The list below is a great place to start planning for such outages in the future. As a reminder, it is not if but when an organization will have to deal with these issues, so using these real-life disruptions as a time to reflect and update response efforts is a best practice.
Next steps
An outage at a key service provider can raise many questions for your company:
- Many companies are required to have business continuity and disaster recovery plans, and others have them even if not required. Does your company’s plan include service provider outages? When was the last time you tested your company’s plan? When was the last time it was reviewed?
- If your business continuity plan calls for backup providers for certain key services, have you tested the plan with those backup providers? Does your budget even allow you to contract with backup providers?
- Does your company have a risk register? How are key service provider risks handled in the risk register? Have you updated the risk register for service provider risks like these outages?
- Does your company have a procedure for security incidents? Was it activated during any of the recent outages? Note that none of the three widespread outages that have occurred in the past month were cyber incidents, underscoring our team’s opinion that shorter notice timelines do not necessarily improve notification outcomes.
- While on the subject of security, have you checked your logs to see if any malicious actors took advantage of the disruption and potential lack of security that it brought?
- If your company used alternate methods during the outage, were they in accordance with your business continuity policy? Was all data protected and retained in accordance with company policy? Are any of those alternate methods still in use?
As you can see, an error at a key service provider can have an impact on several aspects of your company. Make sure that your continuity plan takes a comprehensive view, and keep it updated.