Perspective

How Better Governance Can Mitigate Future Digital Outages

Rhea Siers / Nov 21, 2025

Rhea Siers, a former senior US intelligence official, is an advisor on cyber threats and risks and an adjunct faculty member at Johns Hopkins University.

Elise Racine & The Bigger Picture / Better Images of AI / Web of Influence I / CC-BY 4.0

The Trump administration is developing its own cybersecurity strategy amid concerns around cyber threats and the growing risk of disruptions for the public and private sectors. But beyond these policy efforts, enterprises and boards must sharpen their understanding of concentration risk and build governance structures capable of assessing and acting on the threat.

Accountability, transparency, and risk assessments

One major issue to address is the need to account for the market concentration in cloud and other IT services and the extent to which organizations rely on a small number of providers. The benefits of scale must be weighed against the risks associated with an increasing number of outages and disruptions. While this accounting is already practiced in some regulated industries, it is urgent to provide clarity with hard data, not with anecdotal evidence.

What is needed now is for mid-sized and large enterprises, and all federal government agencies, to demonstrate accountable governance through clear policy and practice. And that can only be accomplished if these entities are mandated to provide to their boards or overseers two distinct elements.

First, they must provide a clear, evidence-based statement of the risks and benefits of their current dependence on specific IT vendors and the impact on both the entire “stack” of technologies and individual components. This should include data on potential expenses, downtime and disruptions, as well as the costs, efficiency and other advantages of relying on a single vendor or third party for significant business operations.

The second critical assessment must present the true costs and risks of an “exit strategy.” This would include the “red line” for disruption, backed by data and documented impacts, caused by key vendor outages that would trigger a diversification strategy.

It should also include a realistic assessment of what “throwing out the baby with the bath water” might cost in terms of actual dollars and operating changes. Many enterprises have never provided this level of detail when evaluating governance of their third-party vendors, so they do little more than complain when a serious failure or outage occurs.

These internal governance requirements must include verification of joint “first line/second line” analysis, for both frontline IT and cybersecurity teams that directly manage risk and the Chief Risk Officer-type functions responsible for risk management and compliance. The roles for each of these “lines” must be clearly identified, and the requisite training must be a priority. Governance must also allow for “third line” review by independent or outside sources.

Corporate boards and their risk committees must have access to these assessments and the capability in terms of authority and expertise to review existing risk, operational backup, and recovery plans. The key is not only the presentation of risk to internal overseers but also evidence of ongoing improvement in risk strategies and assessment.

Companies of all sizes should also include specific concentration-risk scenarios in their ongoing incident response exercises. All incident response participants, including relevant stakeholders, need to have a basic understanding of this risk and its potential impact on operational resilience: not a long, detailed playbook, but a clear understanding of the operational risk pressure points.

Outages, interdependencies, and systemic fragility

These are urgent needs due to the recent outage of Cloudflare, a widely used service that enhances website security and performance, which affected thousands of institutions. That was in addition to the two global outages last month at Amazon Web Services (AWS) that were not merely technological hiccups, but governance warnings for all enterprise leaders. The more concentrated the digital infrastructure becomes, the greater the efficiencies. And if not strategically managed, the greater the risks.

AWS’s first US-East-1 failure in Virginia triggered cascading disruptions across the global economy, halting commerce, communications, entertainment, and financial platforms relied on by millions. Within minutes, global heavyweights like Amazon.com, Prime Video, Snapchat, and key banking apps were offline.

The second, more recent outage prompted more than 6,000 reports and affected Roblox, Fortnite, Snapchat, Duolingo, Canva, and others.

Analysts quickly compared the first AWS outage to the 2024 CrowdStrike incident in scope and impact. The CrowdStrike incident had a significant worldwide effect, with financial losses estimated as high as $10 billion across both the public and private sectors, including airlines and financial institutions, and a broad range of businesses.

For consumers, the disruptions were mostly momentary inconveniences. For businesses, risk officers, and boardrooms, these failures underscored an uncomfortable truth: intense technological concentration can deliver operational scale and speed, but unchecked, it leaves companies dangerously exposed.

These risks are not new and were often the result of cyber-attacks, such as the 2013 Yahoo data breach or the WannaCry ransomware attacks in 2017. Today, the urgent need for transparency and accountability in risk assessments is amplified as outsourcing increases.

Researchers found in 2019 that when organizations outsource critical operations to a small number of providers without redundancy and strategic resiliency measures, they absorb those providers’ weaknesses and amplify them across global systems.

Managing diverse environments requires specialized talent, rigorous governance, and operational discipline that many organizations lack. Poorly administered diversity can spiral into fragmentation and weaken system resilience, according to a 2022 Carnegie Endowment for International Peace primer.

Ironically, some of the most prevalent examples of diversification come from companies that use hybrid or multi-cloud environments, meaning AWS is not their sole cloud services provider. These are generally large, well-resourced companies such as BMW, General Electric, Nike, Netflix and Airbus.

Effective leaders treat vendor concentration and diversification as strategic levers, not dogma. Building redundancy across platforms and providers, investing in proactive detection tools, and embedding transparency across departments aren’t just risk exercises; they are drivers of sustainable continuity and resilience.

Policy, regulation, and the path to resilience

A natural question concerns the government’s role or policy in these governance and concentration risk issues. The answer is not to add yet another compliance layer or requirements to those sectors, such as financial services, that are already operating under significant and redundant reporting rules.

There are already frameworks, including NIST’s Cybersecurity Framework 2.0 and specific regulations in the European Union that address cyber risks. However, regulators must focus their specific oversight not just on assessing existing risks but also on the enterprise’s actual practice in backup and business continuity. In some cases, regulatory examiners will need to concentrate their inquiries clearly on these issues.

Given the current regulatory environment, enterprises need more than “self-help,” especially small to medium-sized businesses with limited resources. The government and other industry groups must provide practical case studies of how and when to use multiple technology providers, such as multi-cloud arrangements and specific exit strategies.

I recently co-authored a study with Dr. Diana Burley on the ongoing debate over IT Concentration Risk at American University. One of our expert interviewees, an individual with extensive senior experience in cyber risk management and policy, said: “It is about building redundancy into the system and strengthening resilience.”

As threats and dependencies evolve, business continuity is becoming an enterprise-wide concern, touching governance, policy, compliance, and strategic planning. The lesson here is clear: interconnectedness fuels innovation, but it also makes systemic fragility a real and present danger. Concentration, when managed rigorously, can spur progress. Unmanaged concentration can bring markets—and economies—to a halt.

The next step for boards, CIOs, and regulators is to sharpen their measurement tools and enhance assessments. They need robust frameworks to identify, quantify, and monitor concentration risk, while accounting for shifting digital landscapes and increasing interdependencies.

Only then can industry leaders and policymakers engage in informed debates, set rational policy, and drive genuine resilience. Resilience is not possible without a true picture of what different forms of resilience will cost, both in terms of business operations and profits.

Strength, like stability, comes from disciplined equilibrium—a lesson no enterprise or investor can afford to ignore.

Authors

Rhea Siers
Rhea Siers is a practitioner in the areas of cybersecurity, intelligence, policy and geopolitical issues. She is a thirty-year veteran of the U.S. Intelligence Community where she served in senior operational, legal and policy positions and as NSA’s Deputy Associate Director for Policy. She was also...
