Businesses across the globe are moving their data into the cloud –– and fast. In fact, 60% of worldwide corporate data is now stored in the cloud, up from only 30% in 2015. As a result, data centers are receiving more business. But along with that growth comes the increased pressure to store customer data and manage data center risk.
With their sophisticated equipment, intense energy needs, and need to be “on” 24/7, there are distinct challenges when it comes to data center insurance and risk management. Members of the Liberty Mutual Global Risk Solutions (GRS) middle market, risk control, and cyber teams reviewed 12 key risk management actions that address data center exposures:
1. Assess your power needs
Power outages in the U.S. are on the rise, and they force data centers to rely on emergency power, which may not always be sufficient. Identifying the specific requirements of your customers — ahead of time — enables better planning and resource allocation during power outages. For instance, a perimeter-security company relying on 24/7 service has different needs compared to a grocery store using a data center for inventory management.
It’s also important to measure how much electricity your site’s equipment draws versus what its emergency capacity is. Are you using more electricity than your emergency capacity? Less? What apps and systems are drawing on your power—and can some of them be shut off during an outage? Applications that use generative AI, for example, will represent a stronger drain.
In addition to understanding your current capacity, scheduling regular maintenance to ensure optimal performance and making necessary upgrades as electricity needs grow should also be part of your power assessment plan.
2. Understanding the weather in your geographic location
Natural catastrophes such as floods, earthquakes, and hurricanes are well-established threats — but climate change is also exacerbating so-called “non-named” threats. “We are seeing more frequent and severe weather events, including ‘non-named’ wind events and severe thunderstorms,” says Breidenbach. “And these events are becoming more impactful.”
These weather events can lead to power grid vulnerabilities affecting data facilities and producing changes in their electrical load. Even when the incidents occur “upstream,” effects for data centers can be felt downstream in everything from UPS (uninterruptible power supplies) to switchgear, electrical transformers, and emergency generator capacity.
With the ability to damage servers and injure staff members, water intrusion — whether from leaks or flooding — can be a threat. “Water intrusion can cause significant damage,” says Matt Henry, senior underwriting officer for technology at Liberty Mutual. “We’ve all seen the photos of server cages with six inches of water running—and with the power cables underneath.”
3. Evaluate the potential impacts of water (too much or not enough)
An excess of water can overload municipal water and sprinkler systems, causing leakage. If a facility is unable to handle this runoff, everything from pathways to cable trays is in danger. Accidental discharge may also seep in from adjacent spaces and floors above — areas that may not be in the direct control of a facility. “Ensuring facilities are equipped with adequate drainage and water management systems is essential,” Henry advises.
Then there is the opposite problem: insufficient water. “With climate change being the way it is, water services are a finite resource,” notes Mea Clift, principal cyber risk engineer at Liberty Mutual. “As a data center owner, you have to keep a close eye on what’s happening with water, because eventually it may not be there for you.” Cooling systems require a lot of water; if municipal water is cut off, these systems will be unable to perform properly, increasing the risk of system overheating. Data center cooling systems are so complex that they bring along their own unique risks, discussed below.
4. Monitoring cooling system requirements
It’s a Catch-22: cooling systems are critical for maintaining optimal operating conditions in data centers — but the rapid evolution of cooling technology brings new risks. “As technology evolves, cooling requirements change. It’s essential to ensure cooling systems are adequate to handle the heat load,” Breidenbach explains.
Because transformers emit such high heat, they need to be submerged in a dielectric fluid — a process known as “submerging cooling.” While reducing the air exchange needed, this fluid also increases fire concerns. With new technologies like dielectric fluid, “you get a great heat exchanger and a great way to reduce your heat load,” says Breidenbach, “but then you might create an unintended effect by switching technology and not looking at all of the impacts of that switch.”
5. Assessing the pros and cons of lithium batteries
Cooling systems are not the only fire risk for data centers. While wildfires are a well-known threat — especially for data centers located in more rural, forested areas — a lesser-known risk stems from lithium batteries. Due to their ease of maintenance, lithium batteries are becoming an increasingly popular way for data centers to build in redundancies for power outages.
However, “lithium-ion batteries are very prone to thermal runaway when things don’t go right—and that can generate some pretty nasty fires,” warns Breidenbach. Data centers that use lithium batteries should ensure that their fire suppression systems are designed to handle this type of fire. “It’s a matter of being risk-aware about these backup power systems,” says Henry. “Nothing is 100% foolproof, and every new system you add brings its own new risk.”
6. Building in appropriate equipment redundancies
Any complex machinery or technology is susceptible to breakdown—and data centers are full of such equipment, including large servers and other critical IT infrastructure. To reduce the risk, “redundancies are vital to maintaining operations during equipment failures,” advises Henry.
While it is common practice for facilities to mirror their data operations in multiple locations, data centers should ensure these “hot sites” are far away. “It’s not a great idea to have information on one server backed up physically on a server right next to it in the same building,” notes Breidenbach. “If the hot site is at a location thousands of miles away, that’s extremely advantageous.”
They type of mirroring can also impact your risk. “A site that is 100% mirrored vs. backed up once a month is less likely to experience a lag or disruption and is a better risk to underwrite,” notes Henry.
7. Bring your a-game when it comes to cyber resilience
Cyber incidents present a major threat to data centers, particularly given the sensitive nature of the data they handle. “If a bank relies on 24/7 service and their data center goes offline, that could easily lead to a claim and related lawsuit,” notes Clift. In addition to instilling a culture of cyber hygiene, there are also other cyber-related areas for data center operations to address, including:
- Compliance: Being cyber-aware also means addressing the compliance risks related to your various customers. If a customer’s security requirements involve biometric data, such as retinal scans, for example, you will need to comply with regulations, such as HIPPA and BIPA, on storing that data. “If you don’t have additional security around compliance, it has the potential to become a major problem,” Clift emphasizes. Failure to do so can result in severe legal and financial consequences.
- Cyber contractual obligations: Reviewing and securing contracts to cover cyber breaches is critical. “Lawsuits can arise from failing to fulfill contractual obligations, making E&O coverage important,” says Henry. Although your contracts may have language protecting you against cyber-breaches, the customer may still be able to argue a failure to fulfill that part of the contract, either through failing to protect data or by not being fully available. Ensuring that contracts clearly define responsibilities and include provisions for cyber incidents can protect data centers from legal liabilities.
- Security redundancies: Just as you build redundancies into your storage and equipment, you should build redundancies into your cyber-security efforts. “Implementing redundancies, robust security measures, and ensuring adequate capacity is crucial,” Clift notes. Regular risk assessments and upgrades to security systems can help prevent cyber incidents and ensure continuous service.
8. Conduct due diligence for converted facilities
Repurposing buildings that were not originally designed as data centers — such as a tire manufacturing plant, for example — can introduce unforeseen risks. “Converted facilities may not have appropriate sprinkler systems and other protective measures required for data centers,” Henry adds. These converted facilities might lack the necessary protective design features to protect against fire, water, and other exposures.
9. Identify potential supply chain vulnerabilities
“It should be very fundamental to understand what’s going on in your supply chain,” says Clift. “What might interrupt your power, your space, your cooling? Is your microchip provider having problems getting chips for your backups for your UPSs?” “With the availability of spare parts tighter than ever, having backup plans and hot sites is essential,” adds Breidenbach. Proactive measures to secure supply chains and ensure the availability of critical components can prevent disruptions and maintain continuous operations.
10. Plan for current and future personnel needs
Operating with a small crew can be risky, especially in remote locations where finding a replacement for a staff member may be challenging. For that reason, “developing local talent and creating a training pipeline is crucial,” Clift advises. Consider developing your own talent by reaching out to high school and college students in your region to create a training-and-apprenticeship pipeline. New hires should be properly vetted, trained, and provided only the access that they need to help mitigate the risk of damage to data or equipment.
11. Protect against civil unrest and internal sabotage
In today’s tumultuous environment, knowing who your customers are — and what potential risks they bring — can affect insurability. “Understanding the types of clients you attract helps manage this risk,” says Henry. Data centers also need to guard against internal sabotage. Besides thoroughly vetting your hires, contractors, and others that are onsite, and having site security protocols in place, it’s a good idea to make client information anonymous wherever possible—for example, by assigning numbers to each customer.
12. Take a comprehensive and collaborative risk management approach
Taking a comprehensive approach enables you to effectively mitigate risks and plan for further growth. In addition to considering the factors above, your approach should also include:
- A robust continuity plan. Implement a comprehensive business continuity and disaster recovery plan to ensure that your data center can maintain operations during disruptions. “Business continuity planning is multifaceted and essential for managing risks,” Henry explains. “As the customer, you have to do your own homework and make sure your business continuity plan contemplates the backup of all your data.”
- A solid understanding of your risk tolerance. Understanding and determining your risk tolerance is crucial for making informed decisions. “The more you understand your risks, the more prepared you are,” Henry states. Collaborating with your insurance provider to align risk tolerance with coverage options can enhance overall resilience.
- Proactive communication and partnership with your insurers. Engage with insurance providers early in the planning stages to assess risks and ensure appropriate coverage. “Early engagement, transparency, and authenticity helps us understand your risks and provide tailored solutions,” says Henry. Building a strong relationship with your insurance provider can lead to better risk management and coverage options.
By taking these steps, you can better navigate the complex landscape of risk and ensure more secure and reliable data center operations for your customers.
Learn more about our solutions for technology companies.
Featured insights
This website is intended to be informational. Descriptions are provided only as a summary outline of the products and services available and are not intended to be comprehensive and do not constitute an offer to sell or a solicitation. The products and services described may not be available in all states or jurisdictions. See your policy, service contract, or program documentation for actual terms, conditions, and exclusions. Any inquiries regarding the subject matter set forth herein should be directed through licensed insurance professionals.
Coverage and insurance are provided and underwritten by Liberty Mutual Insurance Company or its affiliates or subsidiaries. When we offer insurance products, we will state clearly which insurer will underwrite the policy. Some policies may be placed with a surplus lines insurer. Surplus lines insurers generally do not participate in state guaranty funds and coverage may only be obtained through duly licensed surplus lines brokers.