What happened
On February 20, 2026, Cloudflare experienced a major global service outage that lasted just over six hours after a configuration change related to its Bring Your Own IP (BYOIP) feature inadvertently caused more than 1,100 IP prefixes to be withdrawn from global routing tables via Border Gateway Protocol (BGP), making those services unreachable from the public internet.Â
Who is affected
Thousands of websites and applications that rely on Cloudflare’s content delivery, DNS, and edge network services were affected worldwide. The outage disrupted access to a broad mix of consumer apps, enterprise platforms, and online services, leading to failed connections and timeouts for end users.Â
Why CISOs should care
The incident underscores the critical dependency many organizations have on third-party infrastructure providers. A routing misconfiguration at a major network edge provider can cascade rapidly, causing broad service degradation or downtime that impacts availability, user experience, and business operations — even in the absence of malicious activity. Operational resilience and third-party risk management must account for these systemic dependencies.
3 practical actions
- Reevaluate third-party risk frameworks: Ensure redundancy, failover plans, and contractual expectations for critical infrastructure providers like CDN and routing services.
- Implement multi-path networking: Use multi-CDN configurations and automated traffic steering to mitigate single-provider outages.
- Test incident response for external outages: Conduct tabletop exercises and simulations that include third-party service failures to strengthen preparedness and communication.
