Insight and analysis on the data center space from industry thought leaders.
Managing Risk: Is Your Data Center Insurance up to the Test?
Insurance experts Stephen Raptis and Amy Koss review the types of insurance coverage data centers can purchase to protect against risk and ensure maximum protection.
October 1, 2024
There were more than 5,000 data centers in the US as of March 2024 – more than 10 times the amount of the next highest country.
Operation of these facilities presents a unique portfolio of risks that may not fit neatly within protections provided by traditional, off-the-shelf insurance products.
By ensuring that their insurance policies provide maximum protection against these risks, data center operators may avoid unpleasant and costly surprises if any of these risks materialize.
Some of the most common data center risks include:
Physical damage to the data center or its contents caused by fire, water intrusion, and natural events
Service interruptions and related downtime (resulting from power outages and other causes)
Data breaches
Discharges of potentially harmful substances, vibrations, and noise
Some of the policies potentially covering these risks are written on largely standardized insurance industry forms, but some are not.
The terms of policies written on non-standard forms – such as errors and omissions (E&O) and cyber – vary from policy to policy and tend to be more negotiable.
But even policies written on standard forms – such as property and general liability – can be, and often are, modified meaningfully by endorsement.
Thus, the extent of coverage available for key data center losses may turn on the operator’s attention to detail when purchasing and renewing its insurance policies.
In this article, we review the types of insurance coverage data center operators can purchase to protect against these risks and some of the proactive steps they can take to ensure that they are receiving maximum protection.
Property Coverage
Possibly the most significant risk data centers face is physical damage caused by events such as fires, earthquakes, and water intrusion. Property policies typically provide coverage for physical damage to the insured’s tangible assets, including its facilities and equipment.
Some property policies insure only against specified hazards (such as fire or wind) where so-called “all risk” policies insure against all causes of physical damage not specifically excluded.
Additionally, some policies provide business interruption coverage that protects the insured’s income flow during the period that its normal business activities are interrupted by physical damage covered by the policy.
While property policies often are written on standardized forms, there are numerous different forms in the marketplace, each of which may vary in the scope of coverage provided. With respect to data centers in particular:
Water damage may result from both natural events and failures of a data center’s key infrastructure. Although water damage may be excluded generally under standard-form property policies (with some exceptions), most policies can be endorsed to provide at least some protection. For example, water damage-specific endorsements often provide coverage for groundwater intrusion and malfunctioning pipes and sprinkler systems. Particular focus should be given to available water damage coverage and evaluating such coverage against a data center’s most prominent (and possibly unique) risk factors – including climate, geology, and infrastructure characteristics.
Coverage for damage to computer equipment can vary substantially from policy to policy. Some policies provide broad coverage for damage to computer hardware, some specifically exclude such damage, and some make no mention of computer hardware at all. Given that computer equipment often is a data center’s most valuable tangible asset, it is particularly important for data center operators to scrutinize their policy language to ensure that they are receiving the broadest possible coverage for such equipment and that the limits of coverage purchased are adequate.
Even property policies that cover computer hardware generally may exclude coverage for the costs of replacing data that is lost as a result of otherwise covered property damage. And even where a policy does not contain a specific data loss exclusion, some insurers have asserted that because data is not a “tangible asset,” lost data is not covered. To avoid such ambiguity and potential disputes, data center operators may be able to purchase specialized electronic data processing (EDP) coverage – either as an endorsement to their property policy or as a separate policy – that expressly provides coverage for the costs of replacing lost data. Because the costs of replacing lost data can be significant, data center operators would be well-advised to review their property policies to determine the extent of coverage for lost data and, if appropriate, consider purchasing EDP coverage.
Property policies vary in the scope of coverage provided for damage resulting from public utility incidents, including interruptions of power supply. For example, a policy may provide coverage for damage caused by a utility power surge, but may not provide coverage for damages caused by a utility power failure. Given the often significant reliance of data centers on public utilities, their operators would be well-advised to carefully review their property policies for coverage of damages arising from public utility incidents and, if appropriate, seek adjustments when purchasing or renewing their policies.
Technology Errors and Omissions Coverage
E&O policies generally protect against liability to third parties for losses arising from the insured’s errors and omissions in performing “professional services.” Thus, to the extent a data center hosts data processing operations of its customers (as opposed to its own data processing operations), these policies may provide coverage for claims arising from losses allegedly caused by the acts or omissions of the data center operator.
Some insurers offer specialized “Technology E&O” policies that purport to be tailored to the unique needs of technology companies. E&O policies often are combined with cyber policies (discussed in the next section) and sold as part of the same policy. These policies are not written on standard industry forms, and their specific terms vary widely.
For example, one of the most prevalent E&O risks data center operators face is customer claims arising from unanticipated service interruptions. Although such interruptions could arise from numerous causes, failures of public power systems and other utilities may be the most prevalent potential cause.
Recognizing this risk, some Technology E&O policies exclude coverage for claims arising from failure of power, utility, or telecommunications systems. To be clear, these exclusions typically do not apply to the failure of systems that are in the data center’s direct control – such as its cooling or backup power generation systems. However, given the overall dependence of most data center operations on public utilities – and power systems in particular – operators should be especially mindful of these exclusions and consider seeking their removal or limitation when purchasing or renewing their E&O policies.
Cyber Coverage
Cyber coverage typically protects against a broad range of first-party losses and liability claims arising from various causes, including data breaches and other disclosures of non-public information.
A data center that processes data owned by third parties plainly has liability exposure to such parties if their non-public information is disclosed as a result of the data center’s operations. But even if a data center is processing only its own company’s data, it still has liability exposure, including for disclosure of non-public information belonging to its customers and employees.
Given the often-substantial costs of defending data breach claims, data center operators would be well-advised to (1) review their cyber policies carefully for exclusions or limitations that potentially could apply to their liability coverage under circumstances particular to their operations and (2) purchase cyber liability limits commensurate with the amount and sensitivity of non-public data in their possession.
General Liability Coverage
In recent years, data centers increasingly have been the subject of lawsuits and complaints from residents in surrounding areas arising from alleged harms and nuisances caused by data center operations, including noise, vibrations, discharges of noxious substances, and related diminution of property values. Although general liability (GL) coverage generally protects the insured against claims of bodily injury, property damage, and so-called “personal injury,” the extent of coverage provided by GL policies for these specific harms remains largely untested. For example:
GL policies typically are subject to exclusions for pollution-related claims. However, a data center operator may be able to negotiate exceptions for claims arising from accidental discharges of pollutants unique to its operations – such as diesel emissions from power equipment or PFAs from two-phase cooling systems. And even if such coverage is not available under its GL policy, an operator may be able to secure specialized pollution liability (PL) insurance to cover such claims. The specific language of both GL and PL policies should be carefully reviewed to ensure that the data center operator is receiving coverage commensurate with its specific discharge liability risks.
To the extent noise and vibrations from data centers result in bodily injury, property damage, or personal injury triggering GL coverage, GL insurers may argue that they are pollutants for purposes of GL pollution exclusions. Because such arguments remain largely untested, data center operators may consider seeking endorsements to their policies expressly carving out noise and vibrations from the scope of otherwise excluded pollution.
GL policies typically exclude coverage for losses that are expected or intended by the insured. Data center operators likely will not be able to negotiate this exclusion out of their GL policies altogether. Accordingly, operators should be mindful of mitigating potential threats to their neighbors – particularly in light of increasing public scrutiny of potential data center impacts on third parties and surrounding properties.
At a minimum, data center operators would be well-advised to consult their insurance brokers to fully assess their potentially covered risks, evaluate and coordinate the coverages provided by their policies in light of those risks, and minimize their premium costs.
In addition, operators should consider consulting experienced, policyholder-side insurance coverage counsel regarding the specific language of their policies to identify any latent coverage gaps and ensure that they are receiving maximum protection against their unique risk portfolios.
Stephen Raptis is a partner and Amy Koss is an associate in Reed Smith’s Insurance Recovery Group. They represent commercial policyholders in all types of insurance-related disputes and regularly counsel their policyholder clients in securing the broadest insurance coverage possible in hopes of avoiding such disputes.
About the Author
You May Also Like