Geopolitical flashpoints are no longer a distant headline for the data center industry — they are a direct operational and financial exposure with real implications for coverage and claims. Recent maritime incidents, energy supply shocks and damage to subsea cables in the Red Sea and beyond show how conflict far from a facility’s footprint can ripple through power, fuel, and connectivity dependencies that keep hyperscale and AI infrastructure online, with even major cloud providers reporting latency and service degradation as traffic is rerouted. These cascading events collide with a hardening insurance market for data centers and new exclusionary language, creating risks and opportunities for recovery depending on how policies are structured, and claims are framed from day one.
Many data center losses stemming from an outage will not involve damage to the insured premises but will flow from upstream disruption to “dependent property” such as tankers, ports, pipelines, generation assets or transmission networks — implicating service interruption and contingent business interruption (CBI) coverage. Disputes under these coverages are likely to turn on how broadly “dependent property” is defined or how “direct” the impacted supplier needs to be under the policy language to trigger coverage.
When cooling curtailments, grid instability or water scarcity force shutdowns to prevent equipment damage, policyholders should preserve arguments that loss of functionality or physical impairment can satisfy “physical loss or damage” requirements under all‑risk property forms unless clearly excluded, recognizing that outcomes will turn on precise wording and governing law.
Cyber risks pose separate but related challenges. State‑linked actors are intensifying operations against critical infrastructure, blurring the line between traditional cyber risk and acts connected to armed conflict. Recent U.S. and allied government advisories describe Iranian‑affiliated activity against water, energy and other operational technology environments in the wake of Middle East hostilities, underscoring that attacks on third‑party utilities or network providers can directly impact data center uptime. Some insurers may seek to exclude losses stemming from cyber attacks through state-sponsored proxies when sovereign involvement is alleged but unproven, particularly when losses stem from damage to upstream infrastructure or mixed‑motive cyber activity. However, coverage will likely turn on the specific policy language and specific facts at issue.
Carriers are also moving quickly to curtail emerging exposures through endorsement. ISO introduced new optional general liability exclusions for generative AI — CG 40 47, CG 40 48 and CG 35 08 — with broad “arising out of” language that could touch embedded AI functionality in data center operations or services layered atop them, while some insurers rolled out absolute AI exclusions in D&O and technology E&O forms.
Data center operators should pay close attention to the scope of these endorsements. CG 40 47 excludes bodily injury and property damage arising out of generative AI content, CG 40 48 targets personal and advertising injury from AI-generated material, and CG 35 08 limits coverage when generative AI contributes to a professional services failure. For facilities that host or enable third-party AI applications or that use AI internally for building management, predictive maintenance, or security monitoring, the “arising out of” trigger is broad enough to capture losses that operators may not immediately associate with AI. Similarly, absolute AI exclusions in D&O policies could leave officers and directors exposed in shareholder or regulatory actions alleging misrepresentation of AI capabilities, inadequate AI governance, or failure to disclose AI-related operational risks. Such claims are becoming more common as regulators and plaintiffs scrutinize corporate AI disclosures.
These market shifts heighten the need to audit renewals for silent AI risk, negotiate carve‑backs in which AI is inseparable from core operations, and align cyber, property/BI, and liability programs so that gaps do not open precisely where geopolitical and technology risks converge. Operators should also coordinate their AI governance frameworks with their insurance programs: An organization that can demonstrate robust AI risk assessment, acceptable use policies, and vendor diligence protocols will be better positioned to negotiate favorable terms at placement and to defend against post-loss allegations that AI-related risks were unmanaged.
McGuireWoods’ insurance recovery, data centers, and artificial intelligence teams advise owners, developers, operators and downstream customers on how to structure programs and position claims in this environment — from broadening service interruption and CBI terms to reflect real‑world dependencies, to stress‑testing war and cyber exclusions and refining claim narratives to protect coverage when attribution is contested. If your organization is building, powering or relying on AI‑ready capacity, now is the time to review your policies and contingency plans in light of current conflicts and the latest market endorsements. Contact McGuireWoods’ insurance professionals to discuss tailored strategies to mitigate risk and preserve recovery before the next disruption hits.