Data centre capacity is expected to grow rapidly in the next years, driven by customer demand and the rapid rise of Artificial Intelligence (AI) advancements. AI data centre capacity is projected to experience a compound annual growth rate (CAGR) of 40.5% through 2027, according to estimates from the International Data Corporation (opens a new window). Investors may put pressure on developers to deliver projects quickly as they are keen to reap the rewards. It is therefore paramount that developers put in place a strict risk management process for each project and development phase, and transfer the risk effectively to the insurance market.
Construction
In addition to standard insurance to cover construction activity, data centre developers need to factor in long lead times for equipment such as chillers, ventilation, air conditioners, and standby power generation. This equipment is in high demand, and, in the event of loss or damage, replacements can take a considerable amount of time to procure, transport, install, and commission. Damage to this equipment while in transit may also derail project timelines. Developers need to deliver against agreed debt repayment start dates to avoid significant additional debt service costs and reputational damage.
Energy
The availability of continuous supply of energy is crucial to power data-processing servers, network equipment, storage equipment, cooling systems, and monitoring systems, not least because data centre owners may be liable in case of power outages. Power purchase agreements (PPAs) provide certainty to buyers and sellers and avoid exposure to price volatility. However, if ‘force majeure’ relief in the contract applies to a power outage the risk falls on the power purchaser. Alternative power backup systems can ensure that the data centre can continue operating for a limited time in the event of unforeseen circumstances such as power outages. But it is crucial to clarify who will cover the cost of replacement power if the contracted power fails. Data centres often rely on local power supply, which can become a political or even a security issue if the power availability drops, and local communities are affected. Although grid blackouts are rare, there is currently little appetite to offer coverage for outages to energy clients.
Power can also be generated on-site for example through a wind or solar park, but also small modular reactors. The supply of power can be structured as islanded power, self-supply of power, or as contracted supply. For these options, owners and developers need to consider the interdependency of risks. If the power station the data centre relies on goes down, do you have a plan B? How much will it cost you?
Property management
Business interruption costs arising from a loss-of-income scenario is one of insurers’ main concerns in relation to data centres. Such a scenario may arise following any event that gives a tenant the right to seek relief under their occupational contract with the data centre owner and in certain circumstances may offer the tenant the opportunity to renegotiate the terms of this agreement.
An inconsistent or interrupted energy supply is among the key risks likely to cause business interruption and potentially result in tenant loss. Maintaining data server equipment itself is likely to be the tenants’ responsibility; however, failure of the power supply to monitoring or cooling systems will increase the risk of fire and associated damage to data centre equipment. This may lead to a loss of tenants’ data and may cause disruption to tenants’ business operations. Certain servers may also include an automatic switch-off protocol if the necessary cooling systems become ineffective. This failure alone may be enough for a tenant to break their contract.
Datacentres can also have a significant environmental impact since servers require large volumes of power. Likewise, cooling systems draw on huge amounts of water. This large footprint poses a risk, both to the natural environment immediately surrounding a data centre and more broadly.
Operators of retrofit data centres, or those installed within a pre-existing building, need to pay attention to the location of the data centre not only in relation to the surrounding tenants’ operations but also to the exposure to environmental perils.
Cyber
Data centre infrastructure management platforms (DCIM) which monitor and control all facilities and environments can provide unauthorised access points to hackers to perform cyber-attacks. These can disrupt the cooling and ventilation of the server rooms, for example, and cause servers to overheat and fail. An attack to the main power feed can result in a similar outcome. Bad actors are known to gain access to internet-connected uninterruptible power supply (UPS) devices which, if disconnected, could also have a devastating effect on the data centre. Data centres that get taken offline can face costly service interruptions, hardware damages, customer data losses, and even potential lawsuits. Each device and point of access can introduce opportunities for unauthorised access. Apart from impacting the operability, temperature, humidity, or voltage, changes can, in a worst-case scenario, also cause physical damage to the equipment. Any such event can constitute a breach of contractual duties and consequently result in the loss of a client, income, and reputational damage.
Transactional risks
Investors are targeting data centres at various stages of development, from shovel-ready to midway through construction, or with fully operational sites.
Data centre specific transactional risks:
Supply chain disruptions can affect cost and timelines — recent high inflation has driven up prices for some materials and there are extended delivery times for items such as chillers, generators and lighting.
Property rights and title to the assets, particularly in multi-jurisdictional transactions can introduce several issues. On occasion, the title has not been registered, or there have been gaps in planning and/or permissions (i.e. rights of way or easements).
Intellectual property, information technology, data protection and cyber are seen as higher-risk areas and are becoming a focus in the diligence process.
Due diligence sampling methods on larger transactions are coming under greater scrutiny, and they need to be well planned to avoid gaps in coverage.
For further information, please contact your Lockton representative, or visit the Lockton Data Centres page (opens a new window).