By: E.J. Yerzak

In mid-October, Amazon Web Services’ US-EAST-1 data center in Ashburn, Virginia, went dark — and the internet felt it. The outage disrupted more than 2,500 organizations, from Netflix and Starbucks to Venmo and Coinbase. Even AI tools like Perplexity were affected, underscoring a simple truth: much of the digital world runs on a few major cloud providers.

For investment firms, the lesson is clear. Overconcentration risk isn’t just a market term. It’s a technology reality.

Redundancy Isn’t Always Resilience

Building resiliency across cloud environments sounds simple in theory, but it’s rarely efficient in practice. Multi-cloud deployments are costly, complex, and can introduce new risks that offset their intended protections.

In most cases, firms are better served by strengthening resilience within one reliable provider rather than spreading infrastructure thin across several. The recent AWS outage reminded us that even the strongest systems have weak points — but diversifying too broadly can multiply vulnerabilities instead of reducing them.

A Closer Look at the Concentration Risk

As of Q2 2025, AWS held roughly 30% of global cloud market share, followed by Microsoft Azure at 20% and Google Cloud at 13%. The top three providers control nearly two-thirds of the world’s cloud infrastructure. That concentration has its advantages — reliability, security, and mature toolsets — but it also creates a shared dependency few can fully avoid.

AWS’s own investigation traced the issue to DNS resolution errors for its DynamoDB API endpoint in the Virginia region. In simpler terms, DNS, the internet’s “address book,” could not match the endpoint’s name to the right location, and the failure rippled outward to disrupt systems even where redundancies were built in.

What Firms Should Do Now

Compliance teams don’t need to reinvent their infrastructure, but they do need to document exposure and response. The AWS outage, like the CrowdStrike incident of 2024, should be memorialized in compliance files to demonstrate oversight and readiness.

Salus GRC recommends preparing a brief compliance memorandum noting:

  • The date and time of the incident
  • Whether the firm was directly or indirectly affected
  • The nature and duration of any operational impact
  • Whether internal systems or client-facing processes were affected
  • Whether impacts were material enough to require notification to regulators or investors

Private fund advisers should also review whether any significant operational impacts triggered Form PF reporting obligations.

The Takeaway

The outage is a timely reminder that resilience isn’t about chasing perfect protection. It’s about preparation, documentation, and credible oversight — the same principles that define strong compliance.

At Salus GRC, we help firms turn events like these into evidence of readiness. The firms that document today’s disruptions are the ones regulators will trust tomorrow.