A surprising situation unfolded this summer when buying a car in the U.S. became nearly impossible. In June, a ransomware attack targeted CDK Global, a Chicago-based software company with a market value of about $6.4 billion, halting operations at thousands of dealerships for almost three weeks. Approximately half of the U.S. auto industry depends on CDK Global’s software for daily operations.

Shortly after, a malfunctioning software update from cybersecurity firm CrowdStrike caused disruptions worldwide, affecting millions of computers running Microsoft Windows. This glitch impacted critical infrastructure, including airports, banks, hospitals, and government services.

Cybersecurity experts are now concerned as these events signal a more unstable future. The consolidation of software providers and lack of competition in industries offering essential services create risks. A single software failure could bring entire industries to a standstill, and experts warn the next incident could be even worse.

Previously, cyberattacks and outages were either brief or focused on individual targets. However, the attacks on CDK Global and CrowdStrike were different. Rory Mir, associate director of the Electronic Frontier Foundation, emphasized that these events highlight the severe risks linked to reliance on a single software provider, affecting not just individuals but entire industries.

The financial toll from these outages has been significant. The CDK Global attack cost nearly 15,000 car dealerships in the U.S. an estimated $1 billion and led to around 56,200 lost car sales over three weeks, according to Anderson Economic Group. The CrowdStrike incident is believed to have caused even greater economic damage, with some estimates putting the loss in the tens of billions of dollars globally.

As a result, the cyber insurance industry now faces increasingly complex risks. Insurance premiums are likely to rise as insurers struggle to assess the unpredictable nature of future cyber threats. Dr. Keri Pearlson of MIT Sloan School of Management remarked that insurers are grappling with pricing models because they cannot foresee the likelihood or nature of the next major cyber incident.

The CrowdStrike failure demonstrated how a single software issue could affect various industries. The CDK Global attack, on the other hand, underscored how entire sectors—such as car dealerships—can be heavily dependent on a few dominant software providers. This situation is not unique to the automotive industry; the banking and airline sectors also rely on a handful of key software vendors, creating potential choke points for disruption.

For instance, in the banking industry, three payment processors—FIS, Fiserv, and Jack Henry—control approximately 70% of the market. In the airline industry, three major booking platforms—Travelport, Amadeus, and Sabre—dominate the market. These consolidations create vulnerabilities, much like the Suez Canal blockage that paralyzed global shipping for days, according to Brad Hibbert of Prevalent.

Healthcare, long a prime target for cyberattacks, faces even greater risks. Dominant software providers such as Epic Systems and Oracle-owned Cerner control the U.S. digital medical records market, making healthcare IT a weak link in the chain, says Andrew Southall of SkySiege.

To address these vulnerabilities, experts recommend diversifying critical systems and adopting multi-vendor strategies. John Price of SubRosa suggests that businesses should explore redundancy and backup solutions across multiple vendors to minimize the impact of potential outages.

However, diversifying is easier said than done. Federal Trade Commissioner Lina Khan’s antitrust efforts have focused on Big Tech, but niche software providers have largely escaped scrutiny, contributing to the growing risk of market concentration.

As Rory Mir notes, limited choices in software markets may harm consumers and businesses by allowing monopolies to lower security standards. In cybersecurity, this consolidation creates a “digital monoculture,” leaving fewer targets but higher stakes for malicious actors.

CDK Global’s dominance in the auto industry exemplifies the dangers of unchecked market power. The company faced an antitrust case by industry disruptor Authenticom, which accused CDK and Reynolds and Reynolds of forming a cartel. The case ultimately ended with a settlement, but the issue underscores the risks posed by monopolies in the digital age.