How Banks Can Insulate Against Systemic Failures Like the AWS Outage

By Thomas P. Vartanian, Executive Director at the Financial Technology & Cybersecurity Center

Published on October 27th, 2025 in Banking Technology

Executive Summary

  • The October Amazon Web Services outage took down many essentials, including some bank and fintech services.
  • Tom Vartanian, author of The Unhackable Internet, says the internet is fragile and that AWS’ problems are just the latest in an ongoing stream of glitches — and worse.
  • The internet isn’t likely to get stronger. But Vartanian says financial institutions have multiple steps they can take individually. And they can support regulatory reform that could eventually help.

“Fragility” is a word you often hear to characterize the state of our online existence.

That is especially the case after incidents like the outage at AWS (Amazon Web Services) in the week of Oct. 19 that reportedly “broke the internet” when its cloud services were disrupted. Problems like this are becoming more frequent and larger. Last year, a software patch from CrowdStrike knocked nearly 10 million computers offline, making laptops using Microsoft software unusable and the cloud balky.

And these examples don’t even include the hundreds of millions of intentional hacking attempts that occur every day.

Financial services companies shudder when they hear about these incidents. After all, they rely on public trust in ways that most companies don’t. That is largely because people have an emotional attachment to their money and take a dim view of those businesses that fail to protect it. Given how financial institutions increasingly rely on cloud computing, the AWS outage is another wake-up call reminding them of the vulnerabilities that they must confront.

So, what are financial services executives to do? They are effectively locked into using a flawed internet and an online infrastructure over which they have limited control. There are no realistic alternatives and no silver bullets — at least not yet.

Understanding the Risks of a Fragile Internet

In my most recent book, The Unhackable Internet: How Rebuilding Cyberspace Can Create Real Security and Prevent Financial Collapse, I discussed the vulnerabilities, risks and threats that we face because of this fragility. I concluded that we built the wrong internet and should move toward secure private networks with real authentication, governance and enforcement. That is unlikely to happen for a variety of reasons that I discussed in the book. And the trend toward cloud computing — an architecture that facilitates interoperability of systems and maximum aggregation of data — actually moves in the opposite direction.

Cloud computing has certainly created new efficiencies, opportunities and challenges. Clouds are an array of digital hardware, servers and pipelines that store data on redundant, geographically dispersed servers (on earth, not in space) owned by private companies such as Amazon, Apple, Microsoft and Google. They make online services more affordable and globally accessible and help businesses update products for their customers while enabling remote work across industries through the concentration of digital communications and data.

But clouds also create significant new challenges for users ranging from broad network failures to the risks related to concentrating data and the control of it.

Recognizing these developing issues in 2020, the Federal Financial Institutions Examination Council released a statement on cloud computing security. The document noted new operational and technical issues for banks. These include the risk of “lock-in” as banks grow too dependent on a particular service provider, which increases the impact on financial stability if there is a failure or disruption.

That same year, the Federal Reserve Bank of New York estimated that a cyberattack on a money-center bank that suspended its ability to make payments could cause 6% of the country’s banks to breach their end-of-day thresholds. More than a single day of such dislocations could be catastrophic to confidence, leading to panic, disorder and civil unrest.

If clouds fail or succumb to cyberattacks, the damage can be enormous, measured only by the maliciousness and creativity of the hacker and the redundancy and resilience of the defenses that users have in place. In 2019, an attacker who was a former cloud employee allegedly used several programs to obfuscate her identity and discover a misconfigured firewall in Capital One’s cloud services. Five years later, 20,000 customers at Bank of America woke to see $0 balances in their accounts on Oct. 2, 2024, due to a technical glitch. You can only imagine the terror that grasped these customers as well as executives at the bank.

The greater the interoperability and efficiencies achieved by cloud’s technological advancements, the larger the stakes become.

As I interviewed experts for my book and discussed the internet’s vulnerability with them, it became clear to me that one of the more significant impediments to the capacity of a hostile nation to disrupt the country’s power, water and financial networks was the incompatibility of the many different systems that drive these critical functions. Geographically dispersed electric grids, locally controlled water systems, and different financial networks simply are not always interoperable and can’t speak to each other.

When it comes to efficiency, that is bad. But when it comes to cybersecurity, it is good because one virus, piece of malware or human blunder that can disable a network may not be able to penetrate multiple systems.

What Can Banks Do to Protect Themselves? Seek Intra-Industry Help

As I describe in The Unhackable Internet, we are already way down the rabbit hole of cyber insecurity. It would take a massive coordinated global effort to secure the current internet. That is unlikely to happen.

Therefore, the most realistic business strategy is to assume the inevitable: A glitch, human error or a successful breach or cloud failure will occur. That means systems must be in place to distribute patches, resume operations, reconstruct networks, and recover lost data.

Redundancy is a necessary component to get back online, but how much redundancy is feasible or economically sustainable? And will those backstops actually work?

The financial services business is at the head of the class in terms of providing these kinds of solutions. Some examples:

• The Financial Services Information Sharing and Analysis Center (FS-ISAC) was established in 1999 as a consortium of financial institutions and payment processors to build the resilience and continuity of the global financial services infrastructure. Today, about 5,000 FS-ISAC members receive cyber intelligence, alerts and threat assessments that can provide them with early warnings of attacks. They also have access to a global community of experts, cybersecurity exercises, best practices and up-to-date training materials.

• In 2016, the Analysis and Resilience Center (ARC) for Systemic Risk was launched to bring together leaders from the financial and energy sectors in order to mitigate systemic risk to the nation’s financial and energy sectors and facilitate operational collaboration between members, the government, and other key sector partners.

• Three years later, Sheltered Harbor, a not-for-profit, industry-led initiative, was created to protect customers and financial institutions from a catastrophic cyberattack that could cause critical systems to fail. Sheltered Harbor allows participating institutions to back up critical customer account data each night through their own or outside providers’ secure data vaults. And, in the area of training, institution staffs can participate in “cyber war games.” These are just a few of the many programs and associations in which institutions can participate.

How Major Regulatory Process Evolution Could Address Cyber Risks

Given these ever-increasing challenges and cyber incursions in the financial services business, I have argued for a fundamental change in regulation — one that will keep regulators on the cutting edge of digital and cybersecurity developments.

To accomplish that, regulation should be a more collaborative experience that invests the financial industry in its own oversight and systemic security. This effort should include industry executives and their staffs. Their expertise in the oversight process would enrich the quality of regulation, particularly from the perspective of strengthening the cyber defenses of the industry. (I describe this framework in further depth on the Financial Technology & Cybersecurity Center’s website.)

Conflicts would surely arise. But given all the challenges that financial institutions face, they would be some of the easier ones to resolve.

The benefits of moving from a cops-and-robbers to a cooperative approach could just prevent the next financial crisis.

Given the unprecedented changes that will penetrate every aspect of our lives as new technologies like artificial intelligence and quantum computing continue to evolve, banking also needs policy and thought leaders that can find solutions that match the enormity of the new risks being created. At the outset, those leaders will have to confront the obsolescence and inefficiency of a financial services regulatory system built nearly a century ago that is now composed of too many federal and state regulators jockeying for dominance.

Frankly, the system is struggling to efficiently and effectively supervise financial businesses that aren’t restricted by borders and are increasingly relying on technologies that seem to evolve daily. Security is one of the largest challenges we face.

In the financial services business, solutions will require admissions of failure, new approaches, better tools and more realistic systemic goals. None of those will be easy to achieve.

The AWS outage was just the latest canary in the coal mine. We can heed that warning or know that there will be more canaries to come, eventually followed by a catastrophic digital event. Unfortunately, there is only modest evidence that we are adequately heeding these warnings.

About the Author

Thomas P. Vartanian is a former bank regulator and financial services attorney. He is currently the executive director of the Financial Technology & Cybersecurity Center and the author of two recent books: 200 Years of American Financial Panics and The Unhackable Internet, which this article draws from.
