Artificial intelligence is reshaping data centre design. Servers are packed tighter, power draws swing wildly, automation runs deeper, and the line between IT and facilities control systems is blurring. Because the two worlds are now linked, a cyber-attack that starts in the IT layer can quickly spill over into the physical plant and OT infrastructure. The result is not just a data breach but a real-world outage, equipment damage, or even a safety incident.
1. The Data Centre Becomes a Cyber-Physical System
Traditional data centres were mostly IT-focused: servers, storage, and networking gear lived in a building that was managed separately. Today, the building’s power distribution units, cooling plants, fire suppression systems, and even physical security cameras are all controlled by programmable devices.
- Power train – Intelligent breakers, DC-bus monitors, and software-defined voltage regulators.
- Cooling train – Variable-speed fans, liquid cooling loops, and AI-tuned temperature setpoints.
- Facilities management – Building automation platforms that can be accessed remotely for firmware upgrades or troubleshooting.
When these “operational technology” (OT) components sit on the same network as the servers, a malicious actor can move from stealing data to shutting down a chiller or tripping a breaker. The loss pathway changes from “information only” to “information plus physical.”
2. How AI Amplifies the Exposure
AI does more than add compute cycles. It changes how the facility operates in several ways:
| AI-driven effect | Why it matters for risk |
| --- | --- |
| Higher density – GPUs and ASICs pack more power into a smaller footprint. | Power spikes become common, so automated load balancing and rapid shutoff are essential. |
| Dynamic workload placement – Workloads migrate in real time based on cost or latency. | Remote commands to reroute power or cooling are frequent, increasing the attack surface. |
| Remote operations – Vendors often manage firmware updates or health checks from offsite locations. | Each remote session is a potential entry point for a cyber intruder. |
| Fast-track builds – Companies erect modular pods in weeks rather than months. | Design documentation may lag deployment, leaving gaps in governance. |

These factors multiply the chance that a cyber event will affect physical equipment. Insurers therefore need to look beyond classic “data breach” policies.
3. Underwriting Signals to Watch
- Segmentation & allowlisting – Are the IT and OT networks separated by firewalls or VLANs? Do devices only accept traffic from approved IP ranges?
- Change control discipline – How quickly can patches be applied to power-train firmware? Is there a documented rollback plan?
- Vendor access governance – Which third parties have remote console rights? Are those rights reviewed regularly?
- Redundancy & dependency mapping – Does a single compromised controller affect multiple cooling loops or power feeds?
- Physical security integration – Are badge readers and video surveillance systems also networked, and if so, are they hardened?
When any of these controls are missing or weak, the insurer should treat the exposure as “tail risk” – a low-probability but high-severity scenario.
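Two of the signals above, dependency mapping and IT/OT allowlisting, can be checked mechanically once an operator supplies an inventory and flow records. The following is an added example, not part of the original article; the controller names, addresses, allowlist and flows are all constructed for illustration.

```python
"""Added example: test two underwriting signals on a constructed OT inventory."""
from ipaddress import ip_address, ip_network

# Constructed: controller -> cooling loops / power feeds it can command.
CONTROLS = {
    "bms-01": ["chiller-loop-A", "chiller-loop-B"],
    "pdu-ctl-07": ["feed-A", "feed-B"],
    "pdu-ctl-08": ["feed-B"],
    "hvac-gw": ["chiller-loop-B"],
}
# Constructed: which redundancy domain each asset belongs to.
DOMAIN = {"chiller-loop-A": "cooling", "chiller-loop-B": "cooling",
          "feed-A": "power", "feed-B": "power"}
OT_NET = ip_network("172.16.0.0/16")  # constructed OT address space
# Constructed allowlist: (IT source net, OT destination net, port).
ALLOWLIST = [("10.10.5.0/28", "172.16.0.0/24", 443)]
# Constructed flow records: (src, dst, dst_port).
FLOWS = [
    ("10.10.5.4", "172.16.0.20", 443),   # jump host -> BMS, permitted
    ("10.10.9.77", "172.16.0.20", 502),  # server VLAN -> Modbus/TCP on BMS
    ("10.10.5.4", "172.16.3.9", 443),    # jump host -> OT subnet not allowlisted
    ("10.10.9.77", "10.10.9.78", 22),    # IT-to-IT, out of scope
]

def shared_controllers(controls, domain, threshold=2):
    """Controllers whose compromise reaches >= threshold assets of one domain."""
    flagged = {}
    for ctl, assets in controls.items():
        per_domain = {}
        for asset in assets:
            per_domain.setdefault(domain[asset], []).append(asset)
        hits = {d: sorted(a) for d, a in per_domain.items() if len(a) >= threshold}
        if hits:
            flagged[ctl] = hits
    return flagged

def boundary_violations(flows, allowlist, ot_net):
    """Flows crossing from outside the OT network into it with no allowlist match."""
    bad = []
    for src, dst, port in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in ot_net or d not in ot_net:
            continue  # only IT -> OT crossings are in scope
        if not any(s in ip_network(a) and d in ip_network(b) and port == p
                   for a, b, p in allowlist):
            bad.append((src, dst, port))
    return bad

if __name__ == "__main__":
    print(shared_controllers(CONTROLS, DOMAIN))
    print(boundary_violations(FLOWS, ALLOWLIST, OT_NET))
```

A controller flagged by the first function is a single point whose compromise defeats redundancy in that domain; a flow flagged by the second is evidence that segmentation exists on paper but is not enforced.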
4. Typical Loss Scenarios
| Scenario | How a cyber act triggers a physical outcome |
| --- | --- |
| Malicious firmware update on a smart PDU causes a sudden overload, tripping breakers, and shutting down an entire rack. | Business interruption lasting hours, plus replacement cost for damaged servers. |
| Compromised BMS (building management system) disables the chilled water pump, raising inlet temperatures beyond safe limits. | Automatic thermal shutdown of GPUs, leading to costly hardware replacement and data loss. |
| Ransomware that encrypts SCADA logs prevents operators from seeing abnormal pressure readings in the cooling system. | An undetected coolant leak causes equipment corrosion and a fire-hazard event. |
| Phishing-derived credentials give an attacker remote shell on the HVAC controller, allowing them to open vents during a heatwave. | Overheating of critical infrastructure, triggering emergency shutdowns and SLA penalties. |

These examples illustrate why insurers must consider property damage, business interruption, and liability together, rather than treating cyber loss as purely informational.
5. Gaps in Traditional Policies
Most commercial cyber policies focus on data breach costs: forensic investigations, notification, and regulatory fines. They often exclude:
- Physical damage caused by a cyber act (e.g., broken equipment).
- Business interruption that stems from a loss of power or cooling.
- Liability for third-party tenants whose services are disrupted.
Consequently, a data centre operator could face uncovered losses that easily exceed the cyber policy limit.
6. Practical Steps for Insurers
- Ask for a detailed OT inventory – List all programmable devices, firmware versions, and network connections.
- Require a risk assessment report – Preferably from a third-party engineering firm that can map dependencies across power, cooling, and IT.
- Include a “physical-cyber” clause – Explicitly state that damage caused by a cyber act is covered under property limits.
- Offer a “phased-handover” extension – Provide up to 12 months of operational coverage for projects that roll out in stages (as seen in Marsh’s Nimbus and Zurich’s Project Guard).
- Encourage proactive controls – Offer premium discounts for network segmentation, MFA on remote access, and regular penetration testing of OT systems.
By embedding these requirements into the underwriting process, insurers can price the risk more accurately and help data centre owners improve their security posture.
7. Bottom Line
AI is turning data centres into tightly coupled cyber-physical ecosystems. A breach that starts in the IT layer can now cascade into power failures, cooling loss, and even safety incidents. Traditional cyber policies do not capture these new loss pathways, creating a coverage gap that can leave operators exposed to multi-million-dollar claims.
Insurers should respond with hybrid solutions, such as Marsh’s Nimbus and Zurich’s Data Centre Project Guard, that combine builders risk, operational property, and a physical-cyber endorsement. At the same time, they must demand robust segmentation, change control, and vendor-access governance from their clients.
When underwriting with these lenses, the industry can better align pricing with reality, reduce tail risk, and support the continued growth of AI-driven data centre infrastructure.