Insured Success

Reed Smith insurance attorneys Amy Koss, Stephen Raptis and Anthony Crawford survey the unique risk landscape facing data center owners and operators. Because no off-the-shelf “data center policy” yet exists, the trio explores how traditional coverages – property, cyber, technology E&O, and general liability – can be layered to safeguard both the bricks-and-mortar infrastructure and the critical information coursing through it. If you build, host, or rely on data centers, this episode is your blueprint for intelligent risk transfer. This is latest episode in our Data Center series.

Transcript: 

Hello: Hello and welcome to Insured Success, a podcast brought to you by Reed Smith's Insurance Recovery Lawyers from around the globe. In this podcast series, we explore trends, issues, and topics of interest affecting commercial policyholders. If you have any questions about the topics discussed in this podcast, please contact our speakers at insuredsuccess@reedsmith.com. We'll be happy to assist. 

Amy: Welcome to Insured Success and our Data Center series. My name is Amy Koss. I'm an Insurance Recovery associate attorney in Reed Smith's Philadelphia office, and I'm joined today by Steve Raptis, an Insurance Recovery partner in our D.C. Office, and Anthony Crawford, an Insurance Recovery partner in our New York office. As part of the Insurance Recovery Group, we represent policyholders in complex insurance disputes and counsel corporate policyholders on coverage issues. In today's episode, we're going to discuss the unique risks that data center owners and operators should consider when purchasing their insurance coverage. Data centers have been popping up all over the place, and they're really being integrated into our way of life. For example, very recently, OpenAI launched its Stargate project, and as part of that project, OpenAI intends to invest over $500 billion in building and supporting AI infrastructure over the next four years. And these infrastructure efforts are only going to continue to increase as technological advancements like AI and the Internet of Things become enmeshed with the way that we live our lives and the way that we do business. And much like anything else, with big investment comes big risk. So we're going to talk today about what owners and operators of data centers should consider as they look to ensure their risks, especially those risks that are unique to data centers. Stephen, Anthony, how are we doing today? 

Stephen: Hi, Amy. Doing well. Thank you. 

Amy: Great. So as I mentioned, data centers carry a unique set of risks. What should data center owners look for when shopping for insurance and reviewing different policy options? 

Stephen: It's a great question, Amy, and I know from personal experience where I live in northern Virginia, data centers are everywhere, and every large piece of unused property seems to be in the process of being transformed into a data center. So it is just including what we hear in newspaper reports and trade press about this being an expanding industry. There's no doubt about it. Everywhere you look, there are more and more data centers coming up and AI is only going to increase that demand over time. And we know that the insurance industry is usually pretty good about coming up with specialized products once an industry hits a certain critical mass, they will start to produce specialized insurance products for that industry. And one might think that the data center industry is large enough now that it would have its own specialized insurance products. But in fact, we have not seen that. And we've talked to a number of insurance brokers to see if they might be aware of specialized products that are out in the marketplace. And they told us that they're not, at least not yet. So where that leaves data center owners and operators is that they need to take traditional off-the-shelf, for the most part, insurance policies and make those fit into their risk management portfolio in terms of how do we protect our assets, how do we protect our business. There aren't data center-specific policies. So they need to go out the marketplace and buy their traditional policies, but try to get those crafted as well as they can to their particular situation. And the good thing is that a lot of these policies that have traditionally been out there, including cyber policies, errors and omissions policies, those kind of policies are not written on a standard form, and so they tend to be more negotiable, whereas your property, general liability policies, those are written on standard industry forms and may be a little bit harder to negotiate, but even those can be changed in the endorsements. 

Amy: Thanks, Steve. So, in terms of some of the risks that these data centers are facing that are particular to data centers, what do some of those include? 

Stephen: The first kind of risk that may be the most prevalent risk is with respect to property, and that's the data center's physical operations. How does it protect its actual physical workings at a particular data center? And then there is sort of the more technical insurance, which would include errors and omissions coverage and cyber coverage, which is intended to protect largely against liability. But there is some first party coverage in the cyber as well that we'll talk about. And then finally, there's general liability coverage that covers property damage and bodily injury that might occur as a result of the data center's operations. 

Amy: So in terms of protecting the actual physical assets of the data center, what kinds of coverage are we talking about? What can data center owners and operators look for? 

Anthony: That's an excellent question. And, you know, the simple answer is starting out, the data center owners are going to look at their property policies. So, you know, these property insurance policies generally cover both the physical structure of the building as well as the assets inside of the building, which, you know, this is going to be something that is going to be significant and important to policyholders. Now, these policies traditionally cover loss due to physical damage from events such as, you know, it can be either sort of natural events such as earthquakes, some type of flooding, or it could be other man-made events such as fires. You know, also thinking about things such as water in truth. These property policies, as I said before, also look at sort of the assets inside, which is going to play into it hugely when we're talking about data centers, because you're talking about a lot of computer and electronic components that are going to be there. Data centers and the physical structure of the data center itself. We also, there is a component of property insurance that includes coverage for business interruption losses. And basically, this is where some type of physical loss has occurred at a business property, and there is an associated loss of business income because of that damage. So traditionally, you see where a fire burns down a factory or damages a factory, they're not able to produce the widgets that they do. They're able to get coverage for the lost income because they're not able to sell their widgets. They'll be looking at something similar here with data centers. Now, there are some unique components in terms of looking at property coverage for data centers because traditionally, these things, these policies cover sort of tangible assets. Well, one of the biggest components of a data center is that they have a lot of soft data that they're storing on the physical computer components within the structure. That data in and of itself, it may or may not be covered under the traditional policy. So policyholders may need to look to other policies or looking to look to get some type of endorsements added to their property policies in order to make sure that there are no gaps in the coverage because, you know, arguably one of the most important aspects of the data center is the data itself. There are some other considerations that we should look at, policyholders should look at when looking to insure their data centers. And that's concerns about a traditional extra coverage that's usually not sort of thought about or discussed heavily and negotiated in the underwriting process, and that's service interruption coverage. By their very nature, it's pretty clear that having uninterrupted access to electricity is pretty important to data centers. So policyholders need to look specifically at this coverage that's traditionally found in property policies and sort of work with the insurance company and the brokers to tailor that coverage so that it provides meaningful coverage for service interruption losses at the data center. And, you know, there can be different components of that. So, for example, some may provide coverage when there is a damage to the power supply or it may provide only coverage if there's sort of a power surge. But, you know, at the end of the day. This is something that policyholders will have to heavily scrutinize to make sure that they are not going to lose out on coverage if, for instance, there is some type of interruption with the service provided by the utility companies. Another thing that property holders need to take in consideration are sort of risk mitigation requirements that may be found in policies, specifically when talking about making sure that there's fire suppression systems and how that language is worded in the policies. Because traditionally, these policies require or may specify that there need to be sprinkler systems in place. But if you think about the nature of this risk with data centers. Having traditional water sprinkler systems in place may not necessarily be the best solution for data centers in that these fire suppression efforts may cause further damage using water. So policyholders should look to negotiate with their insurance carriers to make sure that they can use alternative means of fire suppression and have sort of that coverage or that understanding written into the policy. So something that would be more inert that would look to suppress any fires, but at the same time, not damage the computer equipment inside, which would occur if you were using traditional water sprinklers. 

Stephen: Anthony, those were terrific thoughts. One other type of coverage that we've seen with respect to property policies is, It's not unique to data centers because, again, there's not really unique data center coverage, but there is a specific coverage that is often available for coverage that attaches to property policies or can be purchased as a separate policy called specialized electronic data processing. Sometimes it's referred to as EDP coverage that will specifically apply to lost data. But regardless of whether or not you buy that EDP coverage, one thing that you really need to make sure that you're careful about is reviewing your property policy next to your cyber policy. And we haven't talked about cyber policies yet. We will. But it's important to do that because traditionally the property policy has covered the hard assets, the computer hardware, and it's carved out coverage for data. That's not always the case, but sometimes it is. And the cyber policy will pick up to replace the lost data. But again, cyber coverage may not, it may only respond where there's been a third party act or an exfiltration, that kind of thing. it may not respond to a natural disaster. So it's very important that you look at those two policies together as a data center operator to coordinate them and make sure that both your hard assets and your soft assets are being covered to the fullest extent possible. 

Amy:Really great points. So, and you guys previewed this a little bit just now, but how about the equally important non-physical side of running a data center? For example, technology errors and omissions coverage. What should data center owners look for there? 

Stephen: Just for a little bit of background, errors and omissions coverage, it's sometimes referred to as professional liability coverage. And what that does is it covers the policy holder for providing for any errors and omissions that may occur in the course of providing professional services. So if you own or operate a data set and you're doing data processing, data maintenance. Data storage, whatever that may be, for third parties, then it's important that you have errors and omissions coverage in case something goes wrong in the course of providing that service. And long before data centers became as prevalent as they are now, there is a specialized product that's developed in the insurance marketplace. It's often referred to as technology E&O or technology errors and emissions coverage. And it's really focused largely on technology companies and trying to write coverage that fits the type of services that they provide a little more cleanly than perhaps traditional E&O coverage did. And so, for instance, technology, you know, coverage is often. Well, it's certainly cognizant of the fact that in the technology industry, that the actors, the service providers in that industry are often dependent on services provided by others, particularly utility services. And as Anthony alluded to earlier, power services in the data industry, that's the lifeline. And so we've seen these technology errors and emissions policies. Generally speaking, they're intended to cover service outages from the insured to its customers. But there are often exclusions where the cause of the problem was the failure of third-party services provided to the policyholder, the data center owner. Now, if those... If those failures are within the data center's own control, they're often covered. For instance, if the cooling system breaks down, that's likely not to be excluded in terms of any liabilities that the data center owner may have to its customers. That's likely to be included within the coverage. But if it's a failure, a blackout or a failure by the power company to supply adequate power, and as a result, the data center can't do its job and therefore customer servers don't run and that kind of thing, and customer service customers are seeking some kind of liability against data center owner, that's likely to be excluded. And so when data center owners and operators buy this coverage, they need to be very cognizant. They need to very carefully read those exclusions to figure out, okay, what kind of outages are going to take me outside coverage in terms of liability to my customers and what's going to leave me inside the scope of coverage? And again, these are the kind of policies that tend to be more negotiable. And so to the extent that the language is not good, there may be an opportunity there for the data center owner operator to try to negotiate either the exclusion out of the policy or narrow the exclusion in a way that shifts more liability back to the insurer. 

Amy: Great. So it sounds like there's some room for these owners to get the coverage they need, even if it's not built right into the product off the shelf. So cyber insurance has been a hot topic in the insurance industry recently. Is there anything specific that data center owners should consider when purchasing their cyber coverage? 

Anthony: That's an excellent question. Yes. You know, first and foremost, there are some extra considerations that data centers are going to have to look at. First and foremost, they need to look at, you know, what kind of data are they dealing with and storing and, you know, what's the potential liabilities they face there. And that will depend on kind of what they're doing and what the nature of that data is. So, for example, you know, if it's hosting, you know, if it's a situation where the data center is only hosting the company, you know, the policyholder's data itself, its own data. So there's no third authorities involved. You know, there could be some type of liability that they may face for, you know, breaching their customer or their employees data, for example. When you look at other things, such as, you know, if this is, for example, something that's hosting sort of Bitcoin data or, you know, some type of blockchain operations and stuff. The liabilities change and the value of the data becomes very, very, very important. And, you know, there is no real sort of off the shelf answer to this because it's, you know, as we've been reiterating throughout this podcast, you know, this is new kind of new territory, sort of older, you know, in some traditional ways, but also new territory in terms of, you know, the data that we're looking at. So how do policyholders and insurance companies price out this type of insurance when looking to protect the data? Those are going to be questions that, you know, ultimately the industry and policyholders are going to have to work out together. What policyholders should be cognizant of is looking carefully at any exclusions or limitations to coverage such that, you know, they are they're not basically buying a policy that doesn't cover the risks that are associated, particularly the unique risks associated with their specific operations. And avoiding those coverage gaps. And I think that time ultimately will tell how that shakes out and whether or not the insurance industry can get to some sort of standardized policy or policy language. But for now, it is likely going to continue to be sort of bespoke manuscript policy endorsements at a minimum. 

Amy: So policyholders should really keep an eagle eye out to make sure that the coverage they're buying covers exactly what they need. Great. 

Anthony: Absolutely. And, you know, as with the property coverage, the other coverages that are discussed here, this is, you know, it's going to require a little bit more effort on the part of policyholders and their brokers to ensure that, you know, the proper coverage is being put in place specifically to those, you know, areas that would traditionally not necessarily be captured in the more standard form policies. 

Amy: So, what is often thought of as the catch-all of insurance, the general liability coverage, how can data center operators leverage their general liability coverage to maximize their risk protection? 

Stephen: Maybe just for a little bit of background, general liability coverage is the oldest coverage, insurance coverage, that's around for companies. And what it's intended to do is protect against property damage and bodily injury. And so, primarily anyway. And so companies always bought this for anything from slip and falls to some sort of accident that was caused by their operations where people were injured or property was damaged. That's the background of that coverage. You look at data centers, they're big, clean, neat-looking operations, and you wonder, well, how is general liability coverage implicated there? And I think the answer that we're seeing, at least where I live in Northern Virginia, is that a lot of the neighbors are expressing displeasure in being neighbors of data centers for various reasons, including that they sometimes say that they're noisy and that they emit fumes that may be toxic from time to time, including diesel fumes and other things from the operation of generators and so forth. And they're concerned that there may be other emissions that they're not aware of that may be causing long-term health problems or may make their property harder to sell, ultimately diminish its value. And I think it's probably only a matter of time until those generalized complaints become lawsuits and legal action and. And traditionally, those were the kinds of things that general liability policies protected against. With one big caveat, that after the mid-1980s, those policies started containing specific exclusions for pollution, and pollution was broadly defined. And so the challenge for data center operators is what can they do to protect against that risk from an insurance perspective if their general liability policy is going to cut out most of the coverage for certainly substances that are coming out of the facility, but possibly arguably also noise and other things we may not generally think of as pollution, and pollution is very broadly defined. So one thing that they can do is they can try to negotiate back the scope of those exclusions when they're buying the coverage. The other thing they can do is buy specialized pollution liability policies that have been around for a long time that are specifically designed to protect against liability if there is some sort of pollution event that ends up causing damage or allegedly causing damage to a neighbor's property or causes some kind of bodily injury or disease, that's the kind of thing that's intended to protect against that risk. Again, it's not unique to data center risks because we don't have unique data center policies yet, but it's a policy that's been around for quite a while that can be adapted well for that purpose. 

Amy: So it sounds like the big takeaway from this is that these data center owners and operators should really be on the lookout to make sure that the policies they're buying match the coverage that they need for their unique situation. Anthony and Steve, do you guys have any final thoughts you want to share before we wrap up? 

Anthony: Yeah, sure. I mean, one of the biggest takeaways from this discussion that we've had is that policyholders need to be vigilant in working with their brokers and the insurance companies to make sure that they actually are getting the coverage in place that they need to protect themselves and their assets, given the unique nature of data centers. So it's important that policyholders work with insurance professionals to make sure that they are getting that coverage. And when I say insurance professionals, I also include sort of ourselves and those attorneys that specialize in insurance coverage issues to sort of act as an extra set of eyes, extra set of an advisor to make sure that not only are they getting the best prices for the coverage that they're looking for, but they're also getting coverage that's going to actually respond if something should happen that they need the insurance coverage to respond to. 

Amy: As we wrap up here, a big thank you to Anthony and Steve for the wealth of information they shared, and a thank you to the folks who tuned in to listen. Be sure to look out for our next episodes in our series, and if anyone out there would like to discuss anything you heard today, all of our attorneys are on our website, and we'd be glad to hear from you. Take care. 

Stephen: Thank you, Amy, as well. 

Amy: Thanks, Steve.

Outro: Insured Success is a Reed Smith production. Our producer is Ali McCardell. This podcast is available on Spotify, Apple Podcasts, Google Podcasts, PodBean, and reedsmith.com. To learn more about Reed Smith's insurance recovery group, please contact insuredsuccess@reedsmith.com. 

Disclaimer: This podcast is provided for educational purposes. It does not constitute legal advice and is not intended to establish an attorney-client relationship, nor is it intended to suggest or establish standards of care applicable to particular lawyers in any given situation. Prior results do not guarantee a similar outcome. Any views, opinions, or comments made by any external guest speaker are not to be attributed to Reed Smith LLP or its individual lawyers. 

All rights reserved.

Transcript is auto-generated.