The Green Sheet Online Edition
May 25, 2026 • 26:05:02
Lessons financial institutions must learn from the Cloudflare outage
Last November, Cloudflare's outage caused major disruption to a large portion of the internet. This was the result of a configuration change in its bot-management infrastructure; a critical routing component crashed, triggering hours of digital disruption (see tinyurl.com/35de9yjm).
Within the last year, there has been a series of major infrastructure incidents. Our familiarity with such events should not reduce our concern; instead, it should help us understand how each outage emphasizes just how fragile and interdependent our digital economy has become.
When a dominant upstream provider hits trouble, its problems don't stay contained. Instead, they ripple through ecosystems at speed, taking social networks offline, slowing ecommerce, breaking authentication journeys and interrupting payments. The fallout doesn't care which industry the root cause sits in.
Once the infrastructure shakes, everyone feels it. This is why financial institutions must become "preppers": those who prepare for failure before it happens instead of scrambling to respond when systems go dark.
A digital economy skating on thin ice
For all its finesse, the internet is surprisingly vulnerable. It runs on a narrow set of critical providers. Even the most advanced digital platforms sit on top of complex, interdependent layers of cloud services, API gateways, security tools and network infrastructure. This complexity is both a strength and a weakness; whilst it offers flexibility and scale, it also means a small failure can escalate rapidly.
What is contributing to the rise in large-scale outages? The cost of resilience. It has always been expensive to build, and duplicating providers or infrastructure often becomes a "late" problem, one that organizations address only after weaknesses begin to surface.
As companies scale, their systems become harder to unknot—more interdependencies and more hidden links inevitably produce more potential points of failure.
And culturally, the industry, instead of favoring the modest work of building robust foundations, focuses on showcasing speed, growth and feature delivery. Consolidation only adds pressure. When much of the internet is concentrated around a handful of cloud or security platforms, outages become far more disruptive.
The unique vulnerability of payments
Payment transactions rely on a delicate sequence, making them particularly at risk. Cloud platforms, processors, third-party APIs, fraud tools, card schemes and authentication services must all line up in sequence, within seconds, when someone taps a card or clicks to pay.
If a single link in that chain snaps, the entire experience can collapse.
The Cloudflare outage mirrored the dynamics of CrowdStrike's incident in July 2024 (see tinyurl.com/3bzsbwp9). The root problem had nothing to do with payments directly, yet payments became one of the most discernible casualties.
Payments infrastructure is tightly connected, highly distributed and fundamentally dependent on the strength of its weakest link. That is the nature of the ecosystem.
Resilience must be designed, not improvised
In financial services, resilience is a necessity, not a nice-to-have. It's part of the core information security triad: confidentiality, integrity and availability. Lose availability, and the other two principles can't function meaningfully.
Resilience must be designed and meticulously applied long before an incident hits. This mindset means comprehensively understanding your architecture, regularly rehearsing failure scenarios, and ensuring your teams know exactly what to do when a provider or service goes dark.
Good architecture isolates faults, and a good process ensures continuity plans are living documents, not "emergency" PDFs left unopened since onboarding, digitally gathering dust.
Compliance frameworks play a considerable part here. ISO, PCI, DORA, NIST, NIS2—these aren't there for box-ticking. They're the guardrails keeping resilience embedded in day-to-day operations instead of becoming a rare audit exercise.
The consequences of ignoring incidents are severe: damaged trust, reputational hits, direct financial losses, increased fraud exposure and greater regulatory pressure. In an industry where competitors often rely on the same core infrastructure, resilience becomes one of the last true differentiators.
So, what should companies be doing now?
The organizations that weather outages best are the ones that treat resilience as fundamental engineering, not optional insurance. In practice, that means:
- Eliminate single points of failure. Design systems with multiple cloud providers, intelligent routing and strong fallback mechanisms.
- Embed cybersecurity in operations. CISOs and compliance leaders need meaningful authority and budget.
- For payment providers specifically, the private-cloud-versus-public-cloud debate often comes up. The reality is that private clouds are extremely costly and rarely match the global reach or reliability of major cloud platforms. A multi-cloud strategy, backed by thoughtful redundancy planning, is far more realistic for maintaining availability at scale.
- Use AI as an accelerator, not a replacement. AI can detect abnormal traffic patterns, surface early signs of infrastructure stress, and trigger automated failover, but it cannot replace architectural thinking or the operational discipline required to build true resilience.
Turning disruption into a breakthrough
To their credit, major platforms treat outages with the gravity they demand. Reputational risk alone demands it. Cloudflare sits behind everything from WAF protection to edge routing, and when it goes down, every business depending on it is forced to examine its own exposure.
This latest incident should be exactly that: a moment of honest appraisal. The goal isn't perfection. It's designing a system that doesn't collapse because one provider falters.
Resilience must become an everyday discipline. If our digital economy relies on shared infrastructure, then every organization has a responsibility to design for failure, rehearse for disruption and invest in the capabilities that keep services available when the unexpected happens.
The question for every financial institution is simple: when the next outage hits, will you be a calamity or a case study in resilience? 
Fadl Mantash is chief information security officer at Tribe Payments (https://www.tribepayments.com). Find him on LinkedIn at https://www.linkedin.com/in/fadl-mantash-423391235.