Insuring data centre projects – a guide to key risks

Phenomenal demand for AI and cloud computing is generating a worldwide building boom, with global spending on data centres predicted to reach USD $7 trillion by 2030. Across Asia-Pacific, particularly in Singapore, Malaysia, Indonesia, Thailand, India and Australia, demand for hyperscale and cloud capacity continues to surge, driven by AI workloads, fintech ecosystems and smartnation initiatives. 

This expansion is creating a competitive yet highly regulated development landscape. Singapore’s Green Data Centre Roadmap is unlocking at least 300MW of near‑term capacity (with more tied to green energy), but approvals come with strict efficiency and sustainability criteria.

Project costs for the most ambitious facilities could reach $100 billion, presenting a complex risk profile spanning numerous lines of insurance. Developers, investors, contractors, and operators must navigate a complex risk landscape spanning property damage, third party exposures, bodily injury liabilities, and cyber/financial risks. This article provides an integrated view of the key insurance risk categories relevant to the sector. 

1 Construction Trends

Data Centre builds are increasingly comprised of more technologically advanced and energy-intensive facilities which lead to higher intensity of risks during construction and operational phases. It is crucial for stakeholders to be guided by an experienced insurance consultant to structure a comprehensive programme for effective insurable risk transfer.

2 Property Damage

Computer equipment and electronic information are a data centre’s most valuable assets and are particularly vulnerable to damage from power surges or outages caused by external grid issues, equipment malfunctions or maintenance errors. The cooling facilities are crucial, to maintain optimal operating temperatures and prevent hardware damage. Modern AI-driven centres have high thermal output, making cooling failures (including chiller, CRAC, CRAH or immersion cooling system faults) a leading cause of property loss.

The presence of lithium-ion batteries (BESS), dense cabling and elevated electrical loads will inevitably increase the fire risk. 

Escape of water incidents from pipeworks, sprinkler malfunctions can cause extensive equipment loss. 

Acoustics is also an often-overlooked risk. Exposure to high decibel sounds for prolonged periods of time can also be damaging to the equipment. 

Typhoon, flood, and earthquake risks remain central across many territories such as Japan, Philippines, Taiwan, Indonesia, and coastal Australia.

All these incidents can cause hefty property damage losses and may lead to  business interruption losses.  Considerations should also be given to the lead time needed for replacement of critical equipment and reinstatement period for the data centres. These will amplify the potential business interruption suffered.  Insureds should carefully scrutinise policy language with a trusted insurance consultant to ensure broad terms with adequate limits.   

3 Third Party Liability Claims

Data centres have significant environmental impacts, through huge consumption of energy and water (for cooling systems).

While many tech companies have net zero pledges and invest in renewables, 24/7 supply is difficult without advanced storage systems or reliable baseload input from alternative power such as nuclear or natural gas. Back-up generators often rely on fossil fuels, contributing to hazardous emissions and greenhouse gases. Data centre operations also cause noise disturbance, through constant operation of power sources, servers and fans.

These factors are creating conflicts with surrounding communities and contributing to an increase in liability claims against data centres, alleging nuisance and environmental harms. To limit potential exposures, data centres should implement robust risk management systems, ensuring adherence to all applicable local regulations and industry standards. Policy language on exclusions for pollution or contamination, and aggregation of loss, are often pivotal in determination of general liability claims.  

4 Cyber

Cyber insurance and technology E&O policies typically protect against a range of losses arising from data breaches, or disclosure of confidential information processed for customers. Policy limits should be commensurate with the scale and sensitivity of non-public data handled at the relevant location.

Contentious issues arise as to when unauthorised access leading to loss of data or impairment of data systems that trigger physical damage and resultant business interruption losses can be covered under a property policy. International concerns over unintended ‘silent cyber’ exposures have led major markets — including the Lloyd’s market — to require explicit cyber affirmative or cyber exclusionary wording in property and liability policies.

Cyber insurance was originally intended to address pure financial losses linked to data breach, network outage, malware, or ransomware. However, as cyber attacks grow in sophistication they can challenge traditional policy wordings and definitions as attacks on operational technology can cause property damage and in some cases bodily injury. Hence cyber coverage has evolved to include not only financial loss but physical property damage loss as well.

Through evolving technology and converging infrastructure risks, cyber intrusion giving rise to tangible property damage is becoming more frequent, for example through industrial controls or building management systems. This adds to complexity of claims assessment and forensic investigations and are certainly  more difficult than standard property or construction claims. A single incident could trigger indemnity under several policies, requiring co-ordination across insurers, subject to hierarchy provisions.

Global insurance markets increasingly view largescale (or otherwise known as wide spread) cyberattacks as potential systemic events capable of causing losses on the scale of natural catastrophes. While the UK has introduced sector-specific legislation recognising data centres as critical national infrastructure, similar risk themes are reflected in Singapore’s regulatory framework, where the Cybersecurity Act 2018, the Cybersecurity Code of Practice for Critical Information Infrastructure, and IMDA’s Advisory Guidelines for Data Centres emphasise heightened cyber resilience, incident reporting, and operational safeguards for essential digital infrastructure.

The market opportunity is substantial for investors, developers, contractors, and insurers with capacity and underwriting expertise, to support this essential and rapidly growing sector.