February 4, 2026
Key takeaways
  • Deprecate SMS for privileged access; require phishing-resistant authenticators such as FIDO2, hardware security keys, and enforced recovery alternatives.
  • Engineer multi-channel resilience with carrier-agnostic plans: dual-SIM or backup devices, VoIP, landlines, and encrypted messaging rehearsed regularly.
  • Governance must demand evidence: metrics, quarterly tabletop exercises, auditable break-glass controls, and alignment to regulatory expectations such as DORA.

Last Updated on March 17, 2026

Imagine being the CISO, CIO, or CTO of a Fortune 1000 company, and finding your customers and partners unable to access their accounts because your website, mobile application, and/or payment portal relies on SMS-based multi-factor authentication. Next, your recovery plan stumbles for the same reason.

That’s the situation the January 14 Verizon outage created for many organizations.

When a national telecommunications carrier experiences a failure, it not only causes phones to go dead but also reveals whether a company that depends on those services can still authenticate, communicate, and make decisions quickly. The Verizon outage on January 14, 2026 served as a real-world test of whether executive teams and boards have effectively built resilient, identity-centric disaster recovery, business continuity, and incident response plans, or whether these plans are merely documented but untested.

Boards and chief information security officers need to move beyond the outdated view that risk mitigation is only a “life insurance policy” to be reluctantly financed and hopefully never activated. In today’s interconnected world, every possible failure mode will eventually appear in production. The idea that telecom outages, identity failures, and control-plane disruptions are rare edge cases is no longer valid. Governance must now require evidence that the organization can handle these disruptions without losing control over essential decisions or obligations.

Overview of the Outage

On January 14, 2026, Verizon suffered a widespread wireless voice and data outage that started in the early afternoon Eastern Time and lasted roughly 7–10 hours, ultimately generating more than 1.5 million reports of service problems across the United States, with heavy impact in major cities including New York City, Washington, D.C., Atlanta, Houston, and Charlotte. Verizon confirmed the outage shortly after 1 p.m. Eastern Time. It announced complete service restoration later that evening, offering account credits to affected customers and advising users to restart their devices to reconnect.

During the event, many smartphones, particularly Apple iPhones and newer Android models, displayed “SOS” or “emergency calls only,” indicating loss of standard carrier connectivity. Users reported failed voice calls and short message service (SMS) messages, even as internet-based messaging applications continued to function wherever wireless local area network (Wi-Fi) or other Internet Protocol (IP) connectivity was available.

Municipal emergency systems in Washington, D.C., New York, and other jurisdictions warned that some Verizon users might have difficulty reaching emergency services via 911. Residents were advised to use phones on different carriers, landlines, or to go directly to police or fire stations if necessary.

For Verizon’s business customers, the outage translated into immediate degradation of voice, SMS, and mobile data services: the very channels many organizations rely on for out-of-band approvals, SMS-delivered multi-factor authentication (MFA) challenges, and crisis coordination. As of January 15, Verizon has not disclosed a detailed technical root cause. It has stated only that it was a “software issue” and that there is no indication of a cyberattack.

The Strategic Lesson: Focus on Identity and Communications

From a board and C-suite perspective, this is not a “telecom incident.” It is a resilience and governance stress test. Three themes should concern directors and executives:

  1. Hidden control dependency. If privileged access, payments, or high-risk approvals depend on a single carrier’s SMS, then a third party effectively controls the organization’s ability to execute incident response, disaster recovery, and business continuity plans.
  2. Assumed, not engineered, redundancy. Many disaster recovery and business continuity plans list “alternate channels” on paper but have never validated whether executives can actually assemble, authenticate, and act when a primary carrier fails.
  3. Unclear decision rights under duress. When authentication or communication degrades, it often becomes unclear “who can waive what, by which mechanism.” This slows responses, increases legal and regulatory exposure, and creates personal liability questions for officers and directors.

Executives should treat this event as a near miss: an opportunity to confirm whether security, infrastructure, and business leadership are genuinely aligned on identity-first continuity rather than relying on optimistic assumptions.

Why SMS-Based MFA Is No Longer Acceptable

Security and standards bodies have long warned that SMS is both less secure and less reliable as an authentication factor, given risks such as subscriber identity module (SIM) swapping, Signaling System 7 (SS7) weaknesses, real-time phishing, and carrier outages.

The National Institute of Standards and Technology (NIST) Digital Identity Guidelines (Special Publication 800-63 Revision 4) explicitly emphasize phishing-resistant authenticators such as Fast IDentity Online 2 (FIDO2) and Personal Identity Verification (PIV) smart cards. Organizations are encouraged to move away from one-time codes over telephony channels and toward cryptographic authenticators bound to specific, trusted devices.

In practice, environments that rely heavily on SMS one-time passcodes experience significantly higher rates of account takeover than those using stronger authenticators, revealing gaps in both security and resilience. From a governance lens, boards should view SMS one-time passcodes as an unacceptable control design for mission-critical systems and services, administrative consoles, payments and treasury, principal software-as-a-service (SaaS) control planes, and incident response tooling.

Planning for Carrier Failure

A mature disaster recovery, business continuity, and incident response program assumes that at least one primary communications provider will be unavailable at precisely the wrong moment. For executives and directors, the key questions are operational and fiduciary, not technical:

  • Can the crisis leadership team assemble within 15–30 minutes using channels that do not depend on a single carrier?
  • Can administrators, counsel, and executives authenticate to critical systems using phishing-resistant factors that do not depend on SMS or a specific handset?
  • Are “break-glass” mechanisms governed, tested, and auditable, or only described in a policy binder?

Effective programs incorporate carrier and modality diversity, including dual-SIM or cross-carrier devices for key leaders. They utilize Voice over IP (VoIP) bridges, landlines, and trusted end-to-end encrypted messaging channels, such as Signal, and regularly rehearse their use in tabletop exercises. They also align identity dependencies (MFA methods, device standards, authenticator custody) with recovery time objectives (RTOs) and recovery point objectives (RPOs) so that essential personnel can actually access systems to execute the plan.

For European regulated financial entities, this is not just good practice but a regulatory expectation. The European Union (EU) Digital Operational Resilience Act (DORA) requires financial entities to manage information and communications technology (ICT) risk, classify and report major incidents, and test their ability to maintain “critical or important” functions even when third-party ICT services fail. DORA also mandates clear oversight and contractual control over critical third-party ICT providers, including network and communications providers, and requires an up-to-date register of these dependencies.

From a DORA perspective, an architecture where all privileged access and critical approvals rely on one carrier’s SMS creates unacceptable residual risk. It is an unmitigated ICT dependency that will surface in impact assessments, resilience tests, and major incident reporting obligations. A Verizon-type outage is precisely the kind of ICT disruption DORA expects boards and senior management to anticipate, rehearse, and evidence through governance and testing.

Board-Facing Actions: A Practical Blueprint

The appropriate governance response to the Verizon outage is not a technical post-mortem on the carrier, but a directive to close structural weaknesses that this event has exposed. The following actions are recommended focal points for board oversight and C-suite accountability:

  • Deprecate SMS for privileged access. Direct management to eliminate SMS-based authentication for administrators, executives, finance, legal, and incident response leaders on mission-critical systems, and require phishing-resistant MFA (e.g., FIDO2 or passkeys, smart cards, or platform authenticators such as Windows Hello for Business).
  • Institutionalize break-glass access. Require documented, tested break-glass accounts protected with hardware security keys, with at least two keys per account held under sealed custody by separate executives and exercised in quarterly scenarios.
  • Engineer multi-channel resilience. Mandate a carrier-agnostic crisis communications plan that includes phone trees spanning multiple providers, VoIP and landline bridges, and preconfigured end-to-end encrypted messaging groups for the crisis team, with precise alignment to DORA requirements where applicable.
  • Run telecommunications and identity tabletop exercises. Instruct management to conduct at least quarterly exercises built around “regional SMS blackout” and third-party ICT failure scenarios, measuring time to assemble leadership, time to approve critical actions without SMS, and time to communicate externally via multiple channels.
  • Demand metrics, not narratives. Ask for specific indicators such as: percentage of privileged accounts using phishing-resistant MFA; number of executives with dual carrier or backup devices; time to convene and time to authorize results from recent exercises; and closure rates on after-action items, mapped where relevant to DORA reporting and testing expectations.

Executive Resilience Checklist

For boards and CEOs, a concise litmus test helps determine whether Verizon-style outages will be an inconvenience or a full-blown crisis. At a minimum, look for affirmative answers and documented evidence for the following:

  • Hardware security keys (with break-glass spares or backups) are issued to all members of the crisis leadership team and key administrators.
  • Passkeys or time-based one-time passcodes are enrolled on at least two devices per high-risk user, with no dependency on SMS for primary or recovery factors.
  • Cross-carrier access (dual-SIM or alternate-carrier handsets) for the core crisis cadre, plus validated VoIP and landline options.
  • Pre-approved break-glass accounts and procedures, with named custodians, a tested escalation path, and alignment to regulatory expectations for access governance and operational resilience.
  • Multi-channel alerting capabilities with templates specifically designed for network or carrier outage scenarios, including clear messaging for regulated customers and authorities.
  • Documented evidence of recent tabletop exercises, including MFA failure, carrier outage, and critical third-party ICT failure injects, with measurable improvements between cycles and traceability to internal and DORA testing programs.
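
One way to turn the "metrics, not narratives" indicators and the authenticator items in this checklist into repeatable evidence is to audit an authenticator inventory. The script below is an added example, not CBIZ Pivot Point Security's tooling; the field names, factor labels, and sample accounts are hypothetical and constructed for illustration.

```python
# Constructed sample inventory of privileged accounts. Field names are
# hypothetical and do not match any identity provider's export schema.
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard", "platform"}

ACCOUNTS = [
    {"user": "admin-a", "break_glass": False, "primary": ["fido2"],
     "recovery": ["passkey"], "devices": 2, "key_custodians": []},
    {"user": "cfo", "break_glass": False, "primary": ["passkey"],
     "recovery": ["sms"], "devices": 2, "key_custodians": []},
    {"user": "ir-lead", "break_glass": False, "primary": ["totp"],
     "recovery": ["totp"], "devices": 1, "key_custodians": []},
    {"user": "bg-1", "break_glass": True, "primary": ["fido2"],
     "recovery": ["fido2"], "devices": 2, "key_custodians": ["ceo", "ciso"]},
    {"user": "bg-2", "break_glass": True, "primary": ["fido2"],
     "recovery": ["fido2"], "devices": 2, "key_custodians": ["cio", "cio"]},
]

def audit(accounts):
    """Return (metrics, findings) for a list of privileged accounts."""
    findings = []
    resistant = 0
    for acct in accounts:
        primary = {f.lower() for f in acct["primary"]}
        recovery = {f.lower() for f in acct["recovery"]}
        # Counted toward the metric only if every primary factor is
        # phishing-resistant. TOTP has no SMS dependency but is not counted.
        if primary and primary <= PHISHING_RESISTANT:
            resistant += 1
        # SMS in the recovery path reintroduces the carrier dependency.
        if "sms" in primary | recovery:
            findings.append((acct["user"], "SMS dependency in primary or recovery"))
        # Passkeys or TOTP must be enrolled on at least two devices.
        if acct["devices"] < 2:
            findings.append((acct["user"], "fewer than two enrolled devices"))
        # Break-glass: at least two keys, held by distinct custodians.
        if acct["break_glass"] and len(set(acct["key_custodians"])) < 2:
            findings.append((acct["user"], "break-glass keys lack separate custodians"))
    pct = round(100 * resistant / len(accounts), 1) if accounts else 0.0
    return {"privileged": len(accounts), "phishing_resistant_pct": pct}, findings

if __name__ == "__main__":
    metrics, findings = audit(ACCOUNTS)
    print(metrics)
    for user, issue in findings:
        print(f"{user}: {issue}")
```

Run against a real export each quarter, the findings list becomes the after-action backlog and the percentage becomes the trend line reported to the board.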

A major telco outage can be a manageable event for organizations that have already aligned identity, communications, and crisis governance with modern resiliency and regulatory expectations. For those that have not, the Verizon scenario serves as a preview of how quickly “a phone problem” can become a business, safety, and compliance problem. Don’t miss this board-level opportunity to harden your enterprise before the next, less forgiving crisis arrives.

Next Steps

For organizations looking to improve their business continuity management and overall resilience, CBIZ Pivot Point Security provides expert consulting services to help you every step of the way with planning and execution. From conducting a business impact analysis to building a recovery plan to testing the plan to training your team, we can help you demonstrate to stakeholders that you can triumph over disaster and keep your company’s future secure.

CBIZ Pivot Point Security has also helped many businesses achieve ISO 22301 certification to develop and maintain a best-practice Business Continuity Management System (BCMS).

Contact us to start a conversation with a business resilience expert today.
