Sam Tiltman
Digital Infrastructure Industry Leader, UK, and Technology Industry Growth Leader, UK
United Kingdom
Operational technology (OT) risk is an important but often overlooked aspect of data centre risk management. Data centres rely heavily on OT systems to manage, control, and monitor industrial equipment and processes, such as energy management systems (EMS) and building management systems (BMS), which use controllers and sensors to regulate power, temperature, and access. While these industrial control systems (ICS) are essential for maintaining operational efficiency, they also introduce physical and operational risks, as well as cybersecurity vulnerabilities.
These risks can stem from software malfunctions, human error, hostile threat actors or both targeted and untargeted cyber events — each capable of disrupting critical infrastructure. Because data centres underpin essential services — including communications, healthcare, banking, and government operations — any operational technology event could have widespread consequences, impacting the reliability and safety of services that society depends on.
Implementing proactive OT risk management strategies can help safeguard these critical environments. Such measures enhance resilience against evolving technology risks and help protect the backbone of modern infrastructure.
Data centres face numerous loss scenarios that stem from the operation of their own systems and are triggered by OT events, whether operational errors or cyber-attacks. An increasingly significant risk involves physical damage and resulting business interruption caused by such scenarios affecting the data centre.
This risk highlights the convergence of technology and the physical environment, where OT is used to control critical physical infrastructure within data centres. Examples of an event impacting a data centre’s OT include:
Such incidents can lead to physical damage, operational disruptions, financial losses, and reputational damage.
The documented frequency of physical loss events stemming from such incidents is low. However, the growing global footprint of data centres, their rising importance as core infrastructure, and the increasing integration of operational technology into their physical environments and processes collectively amplify the potential risk.
The ambiguity of current risks facing data centres, particularly those involving the convergence of cyber and OT, stems from the interconnected nature of these systems, a lack of clear responsibility or visibility, and the potential for cascading, unpredictable impacts. This creates a complex and evolving threat landscape where traditional risk assessment methods may fall short.
The intersection of technology and the physical environment can present challenges for traditional insurance, as the impact of a single loss event on a data centre (one causing both physical damage and non-physical damage loss) is not usually covered under a single policy. For example, while cyber insurance typically covers data breaches, cyber extortion, and business interruption resulting from a cyber event, it generally excludes physical damage to property caused by that event. It is important to note that traditional property insurance policies do not always cover physical damage emanating from cyber-related causes either, which creates a significant coverage gap for businesses facing such risks.
Therefore, data centre stakeholders often require a portfolio approach of tailored insurance policies to address risks associated with operational technology and connected systems. This approach may include a combination of coverage for property damage, business interruption, engineering risks, service level agreements (SLA), and cyber threats.
Insurance solutions for data centres are evolving in response to the increasing scale, complexity, and risk profiles of digital infrastructure.
Property Damage and Business Interruption (PDBI) insurance provides data centre operators with the financial resources to repair or replace damaged equipment and cover the costs of business interruption.
Where PDBI coverage is not otherwise possible, standalone physical cyber programmes can be considered. Cyber physical damage coverage options, specifically designed to address cyber events that cause physical damage, remain an innovative and maturing subset of the market, providing comprehensive protection for data centres.
A recent Marsh report, developed in collaboration with Dragos — The 2025 OT Security Financial Risk Report — examines the potential financial impact of cyber incidents involving operational technology and provides insights into the evolving nature of these risks. Building on this expertise, Marsh is actively developing tailored solutions and working with insurers to deliver comprehensive “core” PDBI coverage options that align with the specific needs of data centre operators.
As data centre technologies grow more sophisticated and usage intensifies, risk profiles will continue to evolve, demanding advanced security measures and risk management strategies. Furthermore, given the substantial property values tied to digital infrastructure, securing adequate insurance capacity is essential. Accordingly, the insurance and risk management landscape must adapt proactively to effectively safeguard data centre assets and ensure uninterrupted business continuity.
For data centres, Marsh recommends that organisations carefully consider how non-physical events (such as human error or battery management system failures) can lead to physical damage and fully understand the associated risks and insurance implications.
Marsh offers tailored risk management and insurance solutions to help data centre owners and operators identify exposures, quantify risks, and develop strategies aligned with their business objectives. Our approach aims to optimise capital, enhance security, and safeguard your operations now and into the future.
We recently launched our Data Centre Insurance and Risk Management Services, dedicated to the entire lifecycle of data centre operations, from initial project development and financing to construction and ongoing management. Our team of specialists support a wide range of sectors and business models involved in data centres, providing comprehensive risk management solutions tailored to your needs.
For more information, please contact your local Marsh representative.
The terms operational technology risks, cyber events, and cyber risks refer to related but distinct concepts:
Insurance products are designed to assess and price cyber risks, providing coverage for losses resulting from cyber events. Understanding this distinction can help insurers and insureds manage exposures proactively and respond effectively when incidents occur.