Stabilized Assets
From the perspective of real estate assets, data centers face multiple risk exposures, but business interruption losses are most concerning due to the widespread impact and cost of downtime. Owners should seek to understand their exposure to these various threats and implement measures to reduce the impact of any loss event.
Business interruption and loss of income
Business interruption costs arising from a loss-of-income scenario are one of insurers’ main concerns about data centers. Such a scenario may arise following any event which gives tenants the right to break their contract with the data owner, which prevents a tenant from renewing their rental contract, or which dissuades new tenants from renting the premises.
An inconsistent or interrupted energy supply is among the key risks likely to cause business interruption and potentially result in tenant loss. Maintaining data server equipment itself is likely to be a tenant’s responsibility; however, failure of the power supply to monitoring or cooling systems increases the risk of fire and associated damage to data center equipment. This may lead to a loss of tenants’ data and may cause disruption to tenants’ business operations.
Certain servers may also include an automatic switch-off protocol if the necessary cooling systems become ineffective. This failure alone may be enough for a tenant to exercise punitive conditions in their contract.
Where power supply failures are regular or long term, there is a growing risk that existing tenants will depart the property, or that owners become unable to source new tenants. Insurers are sensitive to this risk, owing to the typically high sums required to cover long-term lost rental income. Owners may also suffer contractual penalties if found to have failed to guarantee energy supply to tenants.
Security
Protecting the security of data centers will be a key responsibility for owners with tenants’ involvement. Typical data centers hold vast amounts of diverse and valuable data, making them an attractive target for potential threat actors. An owner’s ability to demonstrate resilience to these threats will be critical to maintaining their reputation and attracting clients.
Specific threats include hostile attacks against data centers' physical perimeter and buildings. Risk exposure will be specific to each site and depend on factors including geography, ownership and tenants, and the nature of the data held. Threat actors may seek to impersonate others to gain access to the building and inflict physical damage; alternatively, cyber-attacks against the data center may seek to cause physical harm (see cyber section) – for instance, by hacking cooling and monitoring systems to increase the likelihood of fire or data loss.
Natural hazards also pose a threat to data centers, with main risks including service disruption and power outages.
Environmental impact
Data centers can have a significant environmental impact since servers are highly energy intensive, and must be supplied with large volumes of power. Likewise, cooling systems to prevent fires draw on huge volumes of water.
This large footprint poses a risk, both to the natural environment immediately surrounding a data center and more broadly. For instance, in Slough, a town to the west of London, which has the largest concentration of data centers in Europe, there are fears that data centers' huge demands on local power and water supply may cause future shortages for local residents. Although data centers are meant to draw on wastewater, many have been found to be using drinkable water supply for cooling purposes.
Other environmental risks posed by data centers include fuel leaks, improper wastewater disposal, and fire risks spreading to the surrounding area.
As the global climate changes and property losses from natural catastrophes such as storm, flood and wildfires become more prevalent, it's more important than ever to ensure that assets are protected and future-proofed against emerging and existing climate risks. Where value assets such as data centers are concerned, the risk is even more acute as the potential loss to insurers and investors is significant.
Flood mitigation, for example, is something that can be factored in throughout the project lifecycle, from design to build and beyond, helping to improve an asset's risk profile for insurers and reduce insurance costs, whilst also preventing interruption to an asset's operation, safeguarding income from tenants.
Lockton has partnered with external providers to undertake climate risk modelling analysis for our clients, helping to inform investment decisions and safeguard their investments from a more extreme climate in the future. This modelling can, for example, predict the future occurrence of wildfires, helping clients to avoid building or purchasing assets in areas that will be considered 'high risk' in the future.
The Lockton Risk Control team has the expertise to design risk solutions and offer advice tailored to data center operators globally.
Retrofit and installed data centers
For operators of retrofit data centers, or those installed within a pre-existing building, extra consideration will need to be paid to the location of the data center.
Basement floors are a popular choice for installing data centers but bring a high risk of flood and water leakage. This is especially the case when installed in older properties, or those positioned within a flood zone. If pursuing an alternative – i.e. installing on the upper floors or roof of a building – the weight-bearing load capabilities of the relevant floor must be considered and checked against the combined weight of the data center equipment. This should also include the weight of any equipment to be installed at a potential future date, as the needs of the property or its tenants evolve.
In the case of roof installations, data centers will be exposed to higher risk from storm damage, wind damage, and potential ingress of water. In the case of one building, a storm ripped off the building’s entire roof because the data center infrastructure had been bolted to the roof.
Insuring data centers
Insurance is available to insure loss of rent, but insurers will typically require extensive information on the property. Key points of interest include the operating model for the data center (e.g. servicing a single client, or multiple clients), whether there is any on-site fuel storage and if there have been historic fuel leaks, and whether a sprinkler and/or gas suppression system has been installed.
Loss of power is typically only insured after 40–60 days and insurers may require a specific damage trigger to provide coverage.
Data centers must therefore rely on redundant capacity in the form of generators, batteries, or other alternative power supply options.
Recommendations
There are various steps that data center owners can take to improve the resilience of their property and reassure insurers as to its insurability, including:
- Conduct a risk assessment for the building focused on understanding key threats and how attacks are likely to manifest
- Implement deterrence measures to reduce the potential for an attack, including visible security personnel and strong security messaging
- Limit access to key control systems, and undertake an appropriate cyber vulnerability assessment (potentially involving tenants) to identify and resolve any potential weaknesses
- Check for physical exposures to the data center (e.g. wastewater systems, ducting) which may be large enough for a person to access
- Segregate or filter power supply to secure any unreliable equipment
- Conduct role-based risk assessments to identify high-risk positions, and undertake robust pre-appointment screenings prior to any new hires
- Screen any external contractors prior to recruitment, including whether they are working for an alternative employer or competitor, or may be motivated to participate in threat activity for financial gain
- Create a ‘security culture’ – ensure staff and leadership are adequately trained on security protocols from induction through to exit, and keep learning regularly refreshed
- Monitor and review staff performance to ensure security and people issues are quickly recognized and dealt with
- Build redundancy in power generation and supply to protect against a potential power outage (e.g. backup generators, on-site renewables where possible) and conduct regular testing
- Develop and regularly update a crisis plan to be enacted in the event of a potential loss-causing event.
