Data center risk management: 12 ways to protect your operations

Businesses across the globe are moving their data into the cloud –– and fast. In fact, 60% of worldwide corporate data is now stored in the cloud, up from only 30% in 2015. As a result, data centers are receiving more business. But along with that growth comes the increased pressure to store customer data and manage data center risk.

With their sophisticated equipment, intense energy needs, and need to be “on” 24/7, there are distinct challenges when it comes to data center insurance and risk management. Members of the Liberty Mutual Global Risk Solutions (GRS) middle market, risk control, and cyber teams reviewed 12 key risk management actions that address data center exposures:

Power outages in the U.S. are on the rise, and they force data centers to rely on emergency power, which may not always be sufficient. Identifying the specific requirements of your customers — ahead of time — enables better planning and resource allocation during power outages. For instance, a perimeter-security company relying on 24/7 service has different needs compared to a grocery store using a data center for inventory management.

It’s also important to measure how much electricity your site’s equipment draws versus what its emergency capacity is. Are you using more electricity than your emergency capacity? Less? What apps and systems are drawing on your power—and can some of them be shut off during an outage? Applications that use generative AI, for example, will represent a stronger drain.

In addition to understanding your current capacity, scheduling regular maintenance to ensure optimal performance and making necessary upgrades as electricity needs grow should also be part of your power assessment plan.

Natural catastrophes such as floods, earthquakes, and hurricanes are well-established threats — but climate change is also exacerbating so-called “non-named” threats. “We are seeing more frequent and severe weather events, including ‘non-named’ wind events and severe thunderstorms,” says Breidenbach. “And these events are becoming more impactful.”

These weather events can lead to power grid vulnerabilities affecting data facilities and producing changes in their electrical load. Even when the incidents occur “upstream,” effects for data centers can be felt downstream in everything from UPS (uninterruptible power supplies) to switchgear, electrical transformers, and emergency generator capacity.

With the ability to damage servers and injure staff members, water intrusion — whether from leaks or flooding — can be a threat. “Water intrusion can cause significant damage,” says Matt Henry, senior underwriting officer for technology at Liberty Mutual. “We’ve all seen the photos of server cages with six inches of water running—and with the power cables underneath.”

An excess of water can overload municipal water and sprinkler systems, causing leakage. If a facility is unable to handle this runoff, everything from pathways to cable trays is in danger. Accidental discharge may also seep in from adjacent spaces and floors above — areas that may not be in the direct control of a facility. “Ensuring facilities are equipped with adequate drainage and water management systems is essential,” Henry advises.

Then there is the opposite problem: insufficient water. “With climate change being the way it is, water services are a finite resource,” notes Mea Clift, principal cyber risk engineer at Liberty Mutual. “As a data center owner, you have to keep a close eye on what’s happening with water, because eventually it may not be there for you.” Cooling systems require a lot of water; if municipal water is cut off, these systems will be unable to perform properly, increasing the risk of system overheating. Data center cooling systems are so complex that they bring along their own unique risks, discussed below.

It’s a Catch-22: cooling systems are critical for maintaining optimal operating conditions in data centers — but the rapid evolution of cooling technology brings new risks. “As technology evolves, cooling requirements change. It’s essential to ensure cooling systems are adequate to handle the heat load,” Breidenbach explains.

Because transformers emit such high heat, they need to be submerged in a dielectric fluid — a process known as “submerging cooling.” While reducing the air exchange needed, this fluid also increases fire concerns. With new technologies like dielectric fluid, “you get a great heat exchanger and a great way to reduce your heat load,” says Breidenbach, “but then you might create an unintended effect by switching technology and not looking at all of the impacts of that switch.”

Cooling systems are not the only fire risk for data centers. While wildfires are a well-known threat — especially for data centers located in more rural, forested areas — a lesser-known risk stems from lithium batteries. Due to their ease of maintenance, lithium batteries are becoming an increasingly popular way for data centers to build in redundancies for power outages.

However, “lithium-ion batteries are very prone to thermal runaway when things don’t go right—and that can generate some pretty nasty fires,” warns Breidenbach. Data centers that use lithium batteries should ensure that their fire suppression systems are designed to handle this type of fire. “It’s a matter of being risk-aware about these backup power systems,” says Henry. “Nothing is 100% foolproof, and every new system you add brings its own new risk.”

Any complex machinery or technology is susceptible to breakdown—and data centers are full of such equipment, including large servers and other critical IT infrastructure. To reduce the risk, “redundancies are vital to maintaining operations during equipment failures,” advises Henry.

While it is common practice for facilities to mirror their data operations in multiple locations, data centers should ensure these “hot sites” are far away. “It’s not a great idea to have information on one server backed up physically on a server right next to it in the same building,” notes Breidenbach. “If the hot site is at a location thousands of miles away, that’s extremely advantageous.”

They type of mirroring can also impact your risk. “A site that is 100% mirrored vs. backed up once a month is less likely to experience a lag or disruption and is a better risk to underwrite,” notes Henry.

Cyber incidents present a major threat to data centers, particularly given the sensitive nature of the data they handle. “If a bank relies on 24/7 service and their data center goes offline, that could easily lead to a claim and related lawsuit,” notes Clift. In addition to instilling a culture of cyber hygiene, there are also other cyber-related areas for data center operations to address, including:

Repurposing buildings that were not originally designed as data centers — such as a tire manufacturing plant, for example — can introduce unforeseen risks. “Converted facilities may not have appropriate sprinkler systems and other protective measures required for data centers,” Henry adds. These converted facilities might lack the necessary protective design features to protect against fire, water, and other exposures.

“It should be very fundamental to understand what’s going on in your supply chain,” says Clift. “What might interrupt your power, your space, your cooling? Is your microchip provider having problems getting chips for your backups for your UPSs?” “With the availability of spare parts tighter than ever, having backup plans and hot sites is essential,” adds Breidenbach. Proactive measures to secure supply chains and ensure the availability of critical components can prevent disruptions and maintain continuous operations.

Operating with a small crew can be risky, especially in remote locations where finding a replacement for a staff member may be challenging. For that reason, “developing local talent and creating a training pipeline is crucial,” Clift advises. Consider developing your own talent by reaching out to high school and college students in your region to create a training-and-apprenticeship pipeline. New hires should be properly vetted, trained, and provided only the access that they need to help mitigate the risk of damage to data or equipment.

In today’s tumultuous environment, knowing who your customers are — and what potential risks they bring — can affect insurability. “Understanding the types of clients you attract helps manage this risk,” says Henry. Data centers also need to guard against internal sabotage. Besides thoroughly vetting your hires, contractors, and others that are onsite, and having site security protocols in place, it’s a good idea to make client information anonymous wherever possible—for example, by assigning numbers to each customer.

Taking a comprehensive approach enables you to effectively mitigate risks and plan for further growth. In addition to considering the factors above, your approach should also include:

By taking these steps, you can better navigate the complex landscape of risk and ensure more secure and reliable data center operations for your customers.

Learn more about our solutions for technology companies.