Data Centre Lifecycle Risk Management and Insurance Program in Asia: Everything you need to know

The Asia Pacific data centre market is forecast to grow at a compound annual growth rate (CAGR) of 12% from 2023 to 2028, reaching US$53.58 billion by 2028.[1] The top two markets in Asia, Singapore and Hong Kong, continue to consolidate their positions with 173 and 79 megawatts (MW) of capacity under construction.[2] Meanwhile, Japan, Indonesia, and Vietnam are leveraging their connections to a growing network of undersea cables to fuel the growth of their data centre markets.

Behind the Asia data centre growth trend is an interconnected, evolving landscape of risks that the data centre value chain — such as data centre developers, operators, and tenants — must confront. 

Mapping the data centre value chain in Asia

The value chain begins with the landlords that lease out the space and typically provide network capacity and power, as well as the cooling equipment that keeps down server temperatures. They have to ensure that the structure meets certain specifications and regulatory standards, which may include a minimum Power Usage Effectiveness (PUE) rating. This is followed by data centre operators, such as cloud vendors or telecommunications companies, that lease the space, set up the IT equipment and manage the day-to-day operations of the data centre facility as tenants.

At the same time, major technology and telecommunications companies and international cloud service providers are taking an enterprise build-own-operate approach that cuts across the value chain. This model allows them to vigorously control and streamline the construction process and ensure the security and performance of their data centre operations. There are also a handful of Asian developers that manage data centres via various models through Real Estate Investment Trusts (REITs).

The interconnectedness of the data centre value chain puts the spotlight on the need for robust business continuity and liability risk management and insurance.

What are the risks facing the data centre developers, operators and tenants?

A data centre is a mission critical facility that requires high availability. Each data centre is typically categorised by its infrastructure capability across four tiers (Tier I to Tier IV). Developers, operators, and tenants of Tier IV data centres — the tier with the lowest fault tolerance — rely on robust, best-in-class risk mitigation and transfer solutions to ensure they are safeguarded against significant losses across the data centre lifecycle: plan, design, build, operate, and assess.

Data centre management: Risk and solutions matrix

Risks specific to the construction phase

In the construction phase, nearly all contracts are set up, as standard, for project owners and contractors to be covered by Construction All-Risk (CAR) and Third-party Liability (TPL) insurances, whereas non-recourse project financiers, including private equity firms, will expect the party raising the finance to procure these CAR insurances along with a Delay in Start-up (DSU) insurance component to mitigate the financial risk of project delays caused by physical damage to project works.

In particular, the DSU sum needs to be carefully evaluated to obtain the appropriate coverage as the revenue flowing from completed data centres can be immediate and significant, meaning any delay will be costly. At the same time, any unnecessary DSU insurance over-commitment will result in high premium costs for the duration of the loan and the future operational model — lease, co-location, or otherwise — will need to be factored in.

When bidding for data centre projects, contractors must pay particular attention to their contractual liability risks and need to include detailed information to meet stringent tender requirements, including their methods for performing hazard analysis. Contractors must display a good understanding of, and planning for, the additional challenges of designing and building a data centre, and be aware of the differences in construction contracts from a project party that originates outside of Asia (e.g. the US).

There are physical risks that are unique to a certain typology of data centres in Asia: high-rise facilities in urban markets such as Singapore and Hong Kong that mostly range from five to seven storeys. Compared to low-rise, large-footprint data centres in the US and Europe, these ‘vertical’ data centres require extra air flow and cooling, and carry a slightly higher risk of physical damage by heat and fire that can be mitigated with risk engineering.

In many cases, the high demand for power also means that some data centre facilities have little option but to be sited in zones prone to natural catastrophes. Although physical climate risk modelling and risk engineering are important solutions to mitigating the impact of severe weather events such as typhoons, heatwaves and floods, a survey of data centre operators by Uptime Institute in 2020 found that 36% have yet to formally assess the vulnerability of data centres to climate change.[3] The survey highlights the need for more robust data centre risk management and business continuity planning.

Prior to underwriting property and casualty insurance against physical risks, insurers will request risk surveys to be carried out to check if previous post-loss recommendations (if any) have been acted upon, along with updated and accurate insurance valuations.

When it comes to insuring data centres for a variety of risks, one common area of scrutiny from insurers is whether the insured has an effective cyber security strategy in place. The strategy should reflect robust cyber risk management, continuous improvement and vigilance combining People, Process and Technology.

Owners and operators of data centres must also be aware of their statutory, contractual, or implied duty to protect data from unauthorised access or disclosure, operate within regulatory frameworks such as HIPAA, GLBA, FISMA, and GDPR, adhere to industry standards such as the PCI DSS, and continually exercise best practices in the backup and recovery of data to prevent breaches and customer data loss.

A logical first step to attaining resilience from cyber risks is the Cyber Self-Assessment, which enables the data centre stakeholder to accurately self-assess their current level of cyber preparedness and overall cyber maturity. With insights from the assessment’s report, organisations can improve their cybersecurity posture and take the right steps to insure and indemnify themselves with the appropriate level of cyber insurance as well as directors and officers (D&O) liability coverage if necessary, based on advice from Marsh’s experienced risk advisor.

Even though the possibility of physical security risk events on data centres may be remote in Asia, developers and operators should ensure their infrastructure has the ability to resist deliberate attempts at destruction and mischief. In some countries like Singapore, the Monetary Authority of Singapore (MAS) recommends operators undertake a threat and vulnerability risk assessment (TVRA) in its technology risk management guidelines to identify potential security threats and operational weaknesses in a data centre, and determine the level and type of protection that should be established as part of robust data centre operations management.[4] Furthermore, data centres hosting Singapore government data are likely to be subject to the Singapore Infrastructure Protection Act and to undergo a security-by-design process enforced by the Singapore Police Force.

Such good practices are highly recommended as value-added reassurance by data centre owners and operators who intend to host other security-sensitive clients.

Some examples of physical security risks include theft, terrorist attacks using Improvised Explosive Devices (IEDs) and arson due to unauthorised entry, external attacks and sabotage. A TVRA should include a review of the data centre building infrastructure, its internal facilities, perimeter, and the surrounding environment. Actions should not only include retrofitting and enhancements such as anti-ram fencing and barriers, but also incorporate reviewing and refining cyber hygiene and controls to ensure that cyberattacks cannot, for instance, obtain access credentials and remotely ‘open the door’ of data centres to physical attacks.[5]

The high energy demand and carbon emissions of data centres, especially in warmer climates that require more intensive cooling, can make operators’ green commitments and obligations more challenging to fulfil. In fact, about one-third of the servers in a typical data centre are more than four years old, according to a report by Sunbird. These aging servers consume 65% of the overall energy while contributing only 4% of the data centre’s total performance capabilities.[6]

For Singapore, new data centres now need to possess “best-in-class resource efficiency and decarbonisation”, which includes a PUE requirement of 1.3 or better. Developers and operators should consider mitigating risk through third-party and/or contractual liability cover when working with new vendors or retrofitting new energy-efficient and cooling technologies for existing facilities.

As more financiers and stock exchanges require Task Force on Climate-related Financial Disclosures (TCFD) or Taskforce on Nature-related Financial Disclosures (TNFD) reporting, data centre stakeholders must also evaluate the role of carbon offsets as part of their environmental, social and governance (ESG) risk management strategy, and embed ESG risk into their enterprise risk management strategies.

Data centres also present a greater exposure to third-party risk than other real estate asset classes. Data centre operators must pay special attention to their third-party liability risk exposures, including construction third-party liability, service-level commitments and obligations to customers. In instances where unplanned outages could leave operators responsible for customer losses, Cyber and Errors & Omissions (E&O) policies can provide the necessary coverage.

Obtaining coverage against third-party liability risks may not be straightforward, and a risk advisor can help you avoid any coverage gaps. Specifically regarding the Damage to Property of Others in Care, Custody, or Control (CCC) exclusion in liability insurance policies, we have found that a combination of contract terms, customer insurance requirements, and state laws may impact the degree to which the insurer is responsible. In these cases, Commercial General Liability and Cyber policies may be relied upon.

Data centres have become an integral part of business operations for many industries. Whether owned or leased, data centres present complex business interruption and contingent business interruption risks.

Data centre service interruptions can potentially cause direct loss of income or contingent loss impacting a vendor or service provider, not to mention the additional expenses that may be required to resume operations after a loss event, including costs from additional staff, overtime costs, and the leasing of equipment. Mitigating the risks of a data centre loss becomes critical.

In particular, demand for data centres in locations beyond mature data centre markets like Singapore, Hong Kong, and Tokyo is expected to increase along with increasing 5G penetration in the region. These “edge location” data centres may have greater risk exposures to unplanned outages or issues due to human error. Stakeholders can rely on risk advisory expertise to accurately quantify these risks, including assessing the ability to utilise redundant capacity, and access insurance broking expertise to secure the appropriate insurance coverage when expanding into these emerging markets.

To adequately cover business interruption (BI) risks amid an inflationary environment and currency fluctuations, data centre developers and owners expanding into new markets or with a multinational footprint must also review their asset valuations and BI declared values regularly to minimise the likelihood of uninsured losses due to underinsurance penalties when a claim arises. Doing so may involve partnering with our Advisory valuation services and forensic consultants with the proven data and experience to accurately determine the appropriate asset values, BI declared values and maximum indemnity period to declare to insurers.

Your partner in mitigating and insuring against data centre risks

With a wide range of in-depth risk advisory, mitigation, risk financing and claims expertise in Asia’s construction, technology, real estate, and private equity sectors coupled with market knowledge, data and analytics capabilities, and an extensive network of insurers and private equity firms, Marsh can help you identify and solve pressing challenges at every stage of the data centre lifecycle. 

Sources

[1] - Asia Pacific Data Centre Market Report 2023: Demand for High-Density Data Centers by Businesses is Augmenting Sector Growth. Research and Markets (2023). https://www.globenewswire.com/news-release/2023/03/03/2620074/28124/en/Asia-Pacific-Data-Centre-Market-Report-2023-Demand-for-High-Density-Data-Centers-by-Businesses-is-Augmenting-Sector-Growth.html

[2] - APAC Data Centre Update: H2 2022. Cushman & Wakefield (2022). https://www.cushmanwakefield.com/en/singapore/insights/apac-data-centre-update

[3] - Extreme weather affects nearly half of data centers. Uptime Institute (2021). https://journal.uptimeinstitute.com/extreme-weather-affects-nearly-half-of-data-centers/

[4] - Technology Risk Management Guidelines. Monetary Authority of Singapore (2021). https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf

[5] - Hackers Scored Data Centre Logins for Some of the World’s Biggest Companies. Bloomberg (2023). https://www.bloomberg.com/news/features/2023-02-21/hackers-scored-corporate-giants-logins-for-asian-data-centers#xj4y7vzkg

[6] - Top 40 Data Centre KPIs. Sunbird (2020). https://www.sunbirddcim.com/ebooks/top-40-data-center-kpis