This week’s Amazon Web Services (AWS) outage may have cost billions in lost opportunity and downtime for technology and internet services around the world and could trigger some cyber insurance policies, but it was not significant enough to be considered a Catastrophic Event, Parametrix has told us.
Thousands of companies were affected as the Amazon Web Services platform experienced an outage on Monday October 20th 2025, laying bare the centralised and concentrated exposure of the economy to major cloud computing providers.
Impacts ranged from being unable to do business, as services that relied on Amazon AWS in some cases went down completely, to the less serious as internet users found thousands of popular websites lost features for a time (even our catastrophe bond market charts were unavailable for a few hours due to AWS being offline).
The outage, or a sense that something was affecting services, was first being reported by internet users around 7am UK time on Monday morning, while Amazon began reporting on the issue at closer to 8am.
Amazon had applied fixes quickly in response and this helped many systems recover, but knock-on effects of the AWS outage ran through various Amazon cloud services for hours after.
From its first report about the outage at 12:11 AM Pacific Time, Amazon finally reported a complete resolution at 3:01 PM, by when it said “all AWS services returned to normal operations.”
So that’s almost 15 hours in total during which there was some level of AWS issues it appears, which does bring the subject of cyber insurance policy wait times into focus.
Most cyber insurance that features business interruption protection has a wait time, to ensure short-lived outages and IT issues do not activate coverage.
Often, these wait times range from 8 to 12 hours, but can be seen to be as low as 6 in certain cases. When it comes to cloud outage coverage, wait times can differ though and are sometimes longer where the goal is providing cover for catastrophic events, often where reinsurance is concerned.
The one example of a cyber catastrophe bond that provides protection against cloud outage risks on a parametric trigger basis is the Cumulus Re issuance sponsored by global reinsurance firm Hannover Re.
Hannover Re sponsored a renewal of the cloud outage cat bond in March, securing $20 million in retrocessional cyber reinsurance protection from a Cumulus Re (Series 2025-1) issuance.
At the time of covering that renewal of the only parametric cloud outage cyber cat bond we said that sources had told us it could be triggered if the delivery of specific cloud services, in certain U.S. cloud regions, by one or more named cloud service providers, were interrupted in excess of a specified waiting period. We were told the waiting period, so effectively the attachment metric for these notes, would be for a 24 hour cloud outage event.
While the Amazon AWS outage did not last that long, we felt it would be interesting to hear from specialist provider of digital business interruption risk analytics and solutions Parametrix, which helped in designing the parametric trigger and provides data and calculation services for the Cumulus Re cyber cat bond.
Parametrix also provides its services to traditional insurance and reinsurance arrangements as well, so is particularly well-positioned to have a good view of how the Amazon AWS outage should be thought about, in the context of parametric cyber insurance, reinsurance, or catastrophe bonds like Cumulus.
On the Cumulus Re cat bond specifically, Sharon Haran, VP Europe and Reinsurance at Parametrix highlighted that it is specifically designed to protect Hannover Re against a prolonged cloud outage event, one that would result in the cyber insurance policies of its cedents being triggered.
Unable to comment specifically on the details of the Cumulus Re trigger, understandably, Haran of Parametrix did explain that while the duration of an outage is a factor, the parametric trigger also considers the severity of an event, in order for it to become “qualifying” under the terms of the deal and defined as an “Outage Event” under the terms of the cloud outage cat bond.
That means there are defined severity thresholds for each of the covered cloud services, which helps to calibrate the parametric cat bond trigger and ensure coverage meets the need of the sponsor and the structure responds to events as intended as well.
Importantly, on this week’s AWS outage specifically, Haran of Parametrix highlighted that the period during which services were completely unavailable was around 2.5 hours, but then Amazon launched its recovery processes and this had the effect of significantly reducing the impact for more than half of the users in the affected cloud region.
Therefore, while some customers could have experienced more than 12 hours of unavailability, which Parametrix notes is a duration that could trigger some conventional cyber insurance policies, the proportion that would be expected to be activated is certainly not sufficient to constitute a catastrophic event.
Which is helpful context for how to think about cloud computing service provider outages and how they could affect parametric insurance, or a reinsurance structure such as the parametric Cumulus Re cyber catastrophe bond, as well as their potential to result in losses that could be considered catastrophic.
This Cumulus Re 2025-1 cyber catastrophe bond became the eleventh cyber cat bond arrangement listed in our Deal Directory, but only the second to feature a parametric trigger, alongside the maturing 2024 issuance under the same name.
For additional context, specialist cyber risk modeller CyberCube said the Amazon outage has moderate insured loss potential, “The outage affected a broad array of critical services across sectors with significant cloud reliance. While not all losses will be insured, the event could drive CBI claims, particularly among large enterprises with high sensitivity to service continuity.”
CyberCube also said that the AWS incident “highlights systemic risk from concentrated cloud-provider dependencies and underscores the exposure of digital ecosystems to a single cloud region/critical service failure.”
