
Invisible threats: How operational technology risks can physically impact data centers

This article explores how cyber and operational technology risks can cause physical damage and disrupt critical data center operations.

Operational technology (OT) risk is an important but often overlooked aspect of data center risk management. Data centers rely heavily on OT systems to manage, control, and monitor industrial equipment and processes, such as energy management systems (EMS) and building management systems (BMS), which use controllers and sensors to regulate power, temperature, and access. While these industrial control systems (ICS) are essential for maintaining operational efficiency, they also introduce physical and operational risks, as well as cybersecurity vulnerabilities.

These risks can stem from software malfunctions, human error, hostile threat actors, or cyber events, both targeted and untargeted — each capable of disrupting critical infrastructure. Because data centers underpin essential services — including communications, healthcare, banking, and government operations — any operational technology event could have widespread consequences, impacting the reliability and safety of services that society depends on.

Implementing proactive OT risk management strategies can help safeguard these critical environments. Such measures enhance resilience against evolving technology risks and help protect the backbone of modern infrastructure.

OT considerations for data centers

Data centers face numerous loss scenarios stemming from the operation of their own systems and triggered by OT events, whether operational errors or cyberattacks. An increasingly significant risk involves physical damage and resulting business interruption caused by such scenarios affecting the data center.

This risk highlights the convergence of technology and the physical environment, where OT is used to control critical physical infrastructure within data centers. Examples of an event impacting a data center’s OT include:

  • Software-related issues or human error that could override safety and security protocols, potentially leading to fires, floods, or temperature control failures.
  • Cyberattacks targeting heating, ventilation, and air conditioning (HVAC) systems, which may disrupt temperature regulation and cause physical damage to hardware and computer equipment.

Such incidents can lead to physical damage, operational disruptions, financial losses, and reputational damage. 

The documented frequency of physical loss events stemming from such incidents is low. However, the growing global footprint of data centers, their rising importance as core infrastructure, and the increasing integration of operational technology into their physical environments and processes collectively amplify the potential risk.

Complex risk profiles

The ambiguity of current risks facing data centers, particularly those involving the convergence of cyber and OT, stems from the interconnected nature of these systems, a lack of clear responsibility or visibility, and the potential for cascading, unpredictable impacts. This creates a complex and evolving threat landscape where traditional risk assessment methods may fall short. 

The intersection of technology and physical environment can present challenges for traditional insurance, as the impact of a single loss event (causing both physical damage and non-physical damage loss) to data centers is not usually covered under a single policy. For example, while cyber insurance typically covers data breaches, cyber extortion, and business interruption resulting from a cyber event, it generally excludes physical damage to property caused by that event. It is important to note that traditional property insurance policies do not always cover physical damage emanating from cyber-related causes either, which creates a significant coverage gap for businesses facing such risks.

Therefore, data center stakeholders often require a portfolio approach of tailored insurance policies to address risks associated with operational technology and connected systems. This approach may include a combination of coverage for property damage, business interruption, engineering risks, service level agreements (SLA), and cyber threats. 

Evolving insurance coverage to address technology risks and business continuity

Insurance solutions for data centers are evolving in response to the increasing scale, complexity, and risk profiles of digital infrastructure. 

Property Damage and Business Interruption (PDBI) insurance provides data center operators with the financial resources to repair or replace damaged equipment and cover the costs of business interruption. 

Where PDBI coverage is not otherwise possible, standalone physical cyber programs can be considered. Cyber physical damage coverage options, specifically designed to address cyber events that cause physical damage, remain an innovative and maturing subset of the market, providing comprehensive protection for data centers.

A recent Marsh report, developed in collaboration with Dragos — The 2025 OT Security Financial Risk Report — examines the potential financial impact of cyber incidents involving operational technology and provides insights into the evolving nature of these risks. Building on this expertise, Marsh is actively developing tailored solutions and working with insurers to deliver comprehensive “core” PDBI coverage options that align with the specific needs of data center operators.  

As data center technologies grow more sophisticated and usage intensifies, risk profiles will continue to evolve, demanding advanced security measures and risk management strategies. Furthermore, given the substantial property values tied to digital infrastructure, securing adequate insurance capacity is essential. Accordingly, the insurance and risk management landscape must adapt proactively to effectively safeguard data center assets and ensure uninterrupted business continuity.

How Marsh can help

For data centers, Marsh recommends that organisations carefully consider how non-physical events (such as human error or battery management system failures) can lead to physical damage and fully understand the associated risks and insurance implications.

Marsh offers tailored risk management and insurance solutions to help data center owners and operators identify exposures, quantify risks, and develop strategies aligned with their business objectives. Our approach aims to optimize capital, enhance security, and safeguard your operations now and into the future.

We recently launched our Data Center Insurance and Risk Management Services, dedicated to the entire lifecycle of data center operations, from initial project development and financing to construction and ongoing management. Our team of specialists support a wide range of sectors and business models involved in data centers, providing comprehensive risk management solutions tailored to your needs.

For more information, please contact your local Marsh representative.

The terms operational technology risks, cyber events, and cyber risks refer to related but distinct concepts:

  • Operational technology (OT) risks threaten the industrial control systems and physical processes that run critical infrastructure. These risks include physical damage, safety hazards, and operational disruptions caused by cyberattacks, system failures, and outdated legacy systems. Common issues, such as ransomware, insecure remote access, limited OT network visibility, and IT-OT convergence, can compromise safety, halt production, and lead to financial losses.
  • Cyber events are actual incidents or occurrences involving cyber activities that cause or have the potential to cause harm. These include specific attacks or failures such as data breaches, ransomware attacks, denial-of-service attacks, system outages, or unauthorized access. Cyber events are the realized occurrences that trigger insurance claims.
  • Cyber risks refer to the potential threats or vulnerabilities that could lead to cyber events. They represent the possibility or likelihood of cyber incidents occurring and the associated exposure to financial loss, operational disruption, reputational damage, or regulatory penalties. Cyber risks encompass the broader landscape of threats, including evolving tactics by cybercriminals, system weaknesses, and organisational vulnerabilities.

Insurance products are designed to assess and price cyber risks, providing coverage for losses resulting from cyber events. Understanding this distinction can help insurers and insureds manage exposures proactively and respond effectively when incidents occur.

If you would like to discuss any topic raised in this article, please reach out to your Marsh contact or get in touch.

Our people

Jason Payne

Data Centre Lead, Real Estate Practice, Marsh

  • United Kingdom

Angus Baker

Associate, Advisory, Marsh UK (Cyber Practice)

  • United Kingdom
