Insurers writing the construction boom in hyperscale data centres are grappling with more than just very large single‑site exposures. According to S&P Global Ratings, the bigger danger may be how often the same risk quietly reappears across different policies and even into reinsurance treaties – creating “cross‑liability” accumulations that are hard to see.
Speaking to Insurance Business, S&P analysts Patricia Kwan and Charles‑Marie Delpuech said that, for now, most of the industry’s focus is on the property damage and construction side of the equation. But as campuses multiply and interconnect, both physical and systemic accumulation will become much harder to manage.
Delpuech said the starting point is familiar territory for commercial property writers. “On the accumulation, you have technically two types of accumulation,” he explained. “You have the accumulation because of the concentration of physical assets in a single location… and then you can run peril exposure – what if you have a tornado or something coming through the zone, how exposed you will be.” That is standard catastrophe‑modelling practice: “It’s managing your geophysical footprint.”
Hyperscale campuses, however, sit at the centre of dense webs of contracts and supply chains, and that is where the picture becomes more complicated. “What comes on top with data centres is the dependency to multiple stakeholders and interconnectedness between those stakeholders,” Delpuech said. “You have so many different types of insurance products that can be covered that you could be exposed to the same risk through different insurance policies… this can create concentration.”
An insurer might insure the project’s builders under a construction all‑risks policy, cover a key supplier’s cargo exposures for critical equipment, and write liability or other lines for tenants or operators – all without fully realising how those lines point back to the same physical campus or group of campuses. “The main point is that this cross‑liability risk could be difficult to track if you don’t have the right transparency tool to track your exposure,” Delpuech said. “We expect best‑in‑class insurers to have the ability to track their concentration.”
The challenge does not end at the primary level. Once risks are bundled into reinsurance treaties, it can become even harder to pick out where the same data centre appears multiple times. Delpuech noted that while primary carriers typically have the clearest picture of their own exposures, “you have the reinsurance industry that take on their risk. Sometimes the risk gets bundled into treaties and [it may be] more difficult to really identify those concentrations.”
For now, one important limiting factor is how business interruption cover is structured. S&P’s analysts said that in many programs, BI for data centres is still tied tightly to traditional, localised property damage triggers.
“We understand that the business interruption type of insurance that is typically offered is typically limited to physical damage,” Delpuech said. “Business interruption from, for instance, a power outage that could be systemic may not be offered… you are mostly exposed to a failure due to a fire or something similar.” That helps cap the current level of systemic BI exposure from truly nationwide events, but it also means a significant slice of risk is left outside the traditional insurance market.
Delpuech said this is one reason why S&P still sees most of the immediate demand around data centres in the construction phase. “The focus is really on where the demand comes from, and the demand is really on the construction risk,” he said. “You want to insure the building first – this is what will need to be insured first. Then the other part, business interruption and all those other things, maybe there is less focus at this stage because this is not where most of the exposure lies until these hyperscale data centres are in operation.”
That balance may not last. As more campuses come online, operators and their insurers will have to confront tougher questions about cyber‑driven outages, supply chain failures and other non‑damage triggers that could hit multiple sites at once.
“These are risks that insurers underwrite not only on data centres,” Delpuech said of cyber and technology exposures. “What the insurance industry has done a pretty good job on in recent years is to really clarify what we call affirmative cyber insurance coverage, technically where you make the coverage of cyber risk explicit in your wording.” For data centres, he expects that “to cover cyber risk you will need specific policies… in your typical construction risk it is not going to be covered.”
Those specialist cyber policies will still have to contend with the complex ways cyber events can cascade through physical and virtual infrastructure. Delpuech pointed to the reliance on cooling systems as an example: “When you think of the reliance on cooling infrastructure in data centres, those are exposed to cyber attack and this could result in physical damage,” he said. “This is something you could expect to be covered,” along with business interruption linked to such attacks. Non‑physical losses – from malware to data theft – add further layers of exposure.
Even outside pure cyber, Kwan noted that questions are being raised about how broader perils could play out across these new hubs. “This is where we ask this question about civil unrest, terrorism, and how that would make its way into losses,” she said. Feedback from specialist intermediaries so far has been that “these facilities have a high level of security and safety measures,” and that a total loss scenario “should be very remote,” but she stressed that scenario analysis around contagion and fail‑safes will remain essential.
From a ratings standpoint, S&P will be looking for evidence that insurers writing big data centre accounts are not just chasing limit growth, but also investing in the tools to understand where and how their exposures stack up. That means more than just cat models: it implies granular visibility across lines, entities and treaties, as well as stress tests that go beyond a single site being hit by a storm.
