Cloudflare disruption hit SoFi, Varo, other banks

• Supporting data: Cloudflare dominates the "internet plumbing" sector with an estimated 82% market share for reverse proxy services, meaning a single glitch can ripple through global commerce.
• What's at stake: The disruption reignites concerns detailed by the Treasury Department regarding the financial sector's dangerous over-reliance on a small concentration of cloud service providers.
• Forward look: Security leaders are urging financial institutions to adopt a "prepper" mindset by building modular systems that isolate faults and guarantee availability even when vendors fail.

Overview bullets generated by AI with editorial review

Internet infrastructure provider Cloudflare experienced a global service degradation on Monday, impacting a range of websites and applications, including some operated by small financial institutions.

The disruption began with Cloudflare reporting an "internal service degradation" at approximately 6:48 a.m. Eastern Time. At 9:42 a.m., the company reported it had implemented a fix.

By 12:44 p.m., the services were operating normally with typical error rates and latency across the network, and at 2:28 p.m., the company declared the incident resolved.

The incident affected TEG Federal Credit Union in Poughkeepsie, New York, which reported on its website early in the outage that its digital banking service was experiencing intermittent connectivity issues because of the outage.

Customers of digital bank SoFi, de novo bank Varo, and Associated Bank in Green Bay, Wisconsin also reported a brief period of service disruption during the same time Cloudflare reported issues. The reports came from DownDetector, a crowdsourced internet outage tracker.

Cloudflare attributed the disruption to a "spike in unusual traffic," according to the status update page on the matter. As of time of publication, its engineering teams were continuing to perform a deeper investigation into the disruption. Initial indications did not suggest a cyberattack.

What exactly is Cloudflare?

Although Cloudflare has relatively modest cloud computing and storage services, the company dominates in the field of internet plumbing — the servers and connections that get data from one part of the internet (perhaps a bank's servers) to another (perhaps your phone or computer).

Specifically, Cloudflare provides the biggest reverse proxy service and most popular content delivery network, according to market analyses.

A reverse proxy service acts as a go-between that filters traffic to a website, improving website performance with techniques such as caching. A reverse proxy also adds a layer of protection against certain cyberattacks such as distributed denial of service, or DDoS attacks.

W3Techs, a platform that tracks web technology usage, estimates that Cloudflare has an 82% market share of reverse proxy services — ahead of Amazon Web Services at 6%.

A content delivery network expands on this idea, offering more comprehensive improvements to website performance. As Cloudflare explains it, a CDN "is a geographically distributed group of servers that caches content close to end users. A CDN allows for the quick transfer of assets needed for loading Internet content."

6Sense, an internet service marketing and intelligence firm, estimates Cloudflare owns 41% of the content delivery market — again, ahead of Amazon Web Services at 27%.

Concerns over similar, bigger incidents

Leaders at payments companies Tribe Payments and BR-DGE noted the potential for impacts on payments when internet service providers such as Cloudflare experience service degradation.

"When a single upstream provider experiences issues, the impact doesn't stay contained; it cascades across industries," said Fadl Mantash, chief information security officer at Tribe Payments.

The Cloudflare outage serves as "another reminder of just how fragile the internet's backbone can be, and how quickly a single point of failure can ripple through global commerce," said Thomas Gillan, CEO at BR-DGE.

The incident also revived arguments by consumer advocates regarding the threats posed by the high concentration of power among a few large technology firms providing critical internet infrastructure.

In February 2023, the Department of the Treasury detailed concerns within the financial services industry about concentration risk in the cloud market.

The report found that the "current cloud services market is concentrated around a small number of service providers," which while offering potential benefits like economies of scale, also exposes many financial services companies "to the same set of physical or cyber risks."

The concentration means that if an incident occurs at one cloud service provider, it could concurrently affect numerous financial sector clients.

The Treasury report identified six major challenges, including the potential impact of market concentration and the dynamics in contract negotiations given the limited number of providers, noting that smaller financial institutions, in particular, lacked bargaining power.

Cybersecurity leaders for payments companies reiterated these monopolization concerns in 2024, when a panel of leaders at a cybersecurity conference lamented what they called monopolization in the cloud services industry.

Clarissa Banks, chief information security officer for payments platform Deluxe, said at the time that monopolistic vendors often want to charge extra for basic security controls even though the features constitute "foundational controls that you would expect regardless."

For institutions relying on these services, the imperative remains building resilience that accounts for infrastructure failures beyond their immediate control.

Tribe Payments' Mantash said after the Cloudflare incident Monday that companies need to adopt the "prepper" mindset by building modular systems that isolate faults, rehearsing failure scenarios and adhering to robust compliance frameworks that guarantee availability even during disruptions.