Today, I and a lot of people I have been speaking with have been impacted by the Cloudflare outage. I thought Cloudflare was supposed to protect websites from going down, but for the second time in a few months, Cloudflare itself has actually prevented many significant websites from working. What's going on??!!
Here’s my take on today’s major disruption at Cloudflare — what went wrong, why it matters for fintech and web infrastructure, and what firms should learn from it.
In the last 6-12 months, there have been at least four or five significant service incidents affecting Cloudflare's infrastructure that had global or near-global impact.
What Happened?
On 18 November 2025, Cloudflare suffered a global outage that disrupted access to a wide range of major websites and platforms — including X (formerly Twitter), ChatGPT and many others.
Cloudflare has stated that the initial trigger was a spike in “unusual traffic” to one of its internal services, which caused error rates to propagate across its network.
While some functions, such as the Cloudflare dashboard, recovered relatively quickly, elevated error levels continued to affect many services throughout the incident window.
This is not the first major disruption Cloudflare has experienced this year — there was also a significant issue earlier in 2025 relating to a credential key-rotation failure.
Why This Matters
For organisations — particularly those in fintech, trading, SaaS and any business where uptime is critical — this outage highlights several important risks:
Single Point-of-Dependency Risk
If your entire web stack relies on a single provider for DNS, security and content delivery, any failure on their side instantly becomes your outage — even if nothing is wrong with your own systems.
Reputational & Operational Impact
For trading platforms and regulated firms, upstream failure can translate directly into lost client trust, missed trades, contractual breaches, and even regulatory scrutiny.
Chain Risk & Vendor Resilience
Vendor due diligence must extend beyond the first supplier — what happens when their dependency breaks?
Infrastructure Fragility
Cloudflare is considered a backbone provider for the modern internet. The fact that it can be knocked partially offline proves that even the most sophisticated networks are not bulletproof.
Given the breadth of impact, I would currently rate the risk for firms heavily reliant on Cloudflare (or similar single-CDN setups) as Medium-High until a full technical explanation and corrective roadmap are published.
Key Questions To Ask
What exactly caused the spike in unusual traffic?
Was it an attack, an internal misconfiguration, or a cascade failure?
What was the real exposure window?
How long were downstream users unable to access affected services?
Do you have functional fail-over?
Secondary CDN? Alternate DNS routing? Automatic re-pointing?
Is your business continuity plan fit for upstream vendor failure?
Many firms test their own server resilience, but never test what happens if their service provider disappears.
How will Cloudflare prevent this happening again?
Will they change architecture, redundancy, transparency? Customers should demand answers.
Implications For LiquidityFinder’s Audience
- Firms in FX, digital assets, payments, brokerage, and institutional trading should treat this as a reminder to review web-stack resilience and vendor concentration risk.
- When reviewing providers, ask for detailed documentation of multi-region redundancy, multi-vendor setups, and client-side fail-over options.
- Procurement teams should ensure contracts include:
🔹 Service availability obligations
🔹 Vendor fail-over commitments
🔹 Clear post-incident disclosure of root cause
🔹 Compensation / SLA remedies for material downtime
For technology vendors, this is also a positioning opportunity: if you are multi-CDN, multi-region or built with active fail-over capabilities, now is the time to say so.
Bottom Line
We assume the biggest internet infrastructure providers are unbreakable. They aren’t.
Today’s Cloudflare outage is a reminder that the real risk isn’t just “what if our servers fail?” It’s “what if the provider we rely on fails?”
That gap — between what we think we control and what we actually control — is where operational risk lives.
Thankfully, we are not on Cloudflare.










