
Achieving Cyber-Insurance Readiness for Data Centers


Data center operators are facing heightened rigor from cyber insurance underwriters, who are asking about the controls that keep mission-critical cyber-physical systems (CPS) available and reliable. Operational resilience is the guiding principle underwriters use in developing the security questionnaires and evaluations that determine the insurability of operational environments. Data centers, therefore, must demonstrate that they can not only withstand a range of IT-related cyberattacks such as ransomware, but also maintain operations in the event of attacks against building management systems (BMS), power and cooling systems, physical access controls, and much more.

This relatively new rigor from underwriters also reflects an acknowledgement that data centers play a vital role in the development of advanced technologies, especially given the booming, universal adoption of artificial intelligence (AI). Training AI large language models (LLMs) requires the high-powered computing and advanced networking fabrics data centers provide; these models must operate from within secure digital and physical infrastructures.

This is an environment—and attack surface—that has expanded far beyond just IT systems to include operational technology (OT), smart internet-of-things assets, and other CPS. Data center operators seeking coverage that, in the event of a breach, essentially transfers financial risk away from their bottom line are being asked to demonstrate that foundational controls and safeguards are in place.

The Expanding Cyber-Physical Attack Surface of Modern Data Centers

These individual risks multiply the impact of one another; incidents that disrupt operations threaten physical hardware systems and other equipment, trigger outages for customers, threaten service-level agreements (SLAs), and may introduce severe regulatory penalties. Recovery is also potentially long and expensive. 

Underwriters, meanwhile, examine existing controls in the context of whether organizations—especially those in critical infrastructure sectors—can continue operations during and after a breach. Questionnaires determining the insurability of a data center, for example, will ask about the presence of controls that ensure operational continuity, including virtual and physical network segmentation, access management, access controls, third-party risks, as well as the reliability of incident response mechanisms and backup and recovery procedures. 

CISOs and underwriters understand that operations cannot be the weak link that causes disruption to data center uptime. 

Bridging the Gap From Financial Risk to Operational Resilience

Several foundational data center resilience practices consistently align with modern cyber insurance expectations. In order to meet underwriters’ demands around controls and also reduce risk within the data center environment, the following best practices should be adhered to:

Data Center Asset Management

Visibility into CPS assets can be challenging given the complexities of OT assets, many of which, such as the power generation and BMS assets inside data centers, are considered legacy technologies. CISOs facing this new rigor from underwriters to examine the resilience of operational environments must ensure visibility extends beyond servers and endpoints to include programmable logic controllers (PLCs), BMS assets, UPS controllers, intelligent PDUs, HVAC systems, sensors, and remote management interfaces. Continuous monitoring of these assets helps detect unauthorized changes, insecure protocols, vulnerable firmware, or anomalous communications before they become operational disruptions.

Original equipment manufacturers (OEMs), meanwhile, have contributed to a fragmentation of asset information characterized by a lack of consistent product identifiers transmitted over the various OT and CPS protocols in production. Operators, as a result, don’t have a single source of operational truth to work from, and that impedes not only their asset visibility but also visibility into risky exposures, especially of internet-facing assets. 

Claroty’s CPS Library aims to resolve that issue. The CPS Library takes an AI-driven approach providing deep visibility into assets—a complete classification that collects product identifiers from firmware versions and serial numbers of products down to the rack slot. Deep visibility is a building block of data center operational resilience.

Segmentation as a Compensating Control for Data Centers

Isolation via physical and virtual network segmentation is a key control underwriters expect to see for internet-facing CPS assets in data centers. A flat network threatens to increase the blast radius of a cyberattack. Strict access controls and separation between network segments limit an attacker’s ability to spread malware and other illicit activity between operational systems. 

Underwriters with an eye on maintaining uptime requirements and overall data center reliability expect to see digital and physical segmentation between zones that reduces the risk of disruption. The Claroty Platform leverages its asset visibility capabilities to enable segmentation and other facets of network protection that focus on eliminating entire classes of risk.

Data Center Secure Remote Access

Data center environments must often extend privileged access to third parties to ensure operational continuity; those include contractors, integrators, technology partners, and others. This is an aspect of data center security that underwriters are especially concerned with. Data center operators must have a mapping of remote access routes into infrastructure. An attacker with stolen credentials or one who exploits weak or default credentials can access data center infrastructure management platforms and cause disruption or damage to CPS. 

Strong MFA enforcement, just-in-time privileged access, session monitoring, password vaulting, and vendor access governance are now baseline expectations. This is especially important for data centers where third-party contractors often maintain operational infrastructure remotely.

The Claroty Platform supports the session recording, auditing, and role-based access controls that would be necessary to properly defend a CPS environment and demonstrate compliance with industry and legal regulations. 

Data Center Cybersecurity Fundamentals to Consider

Backup and recovery is an aspect of operational resilience where underwriters expect to see verified evidence. Insurers expect organizations to demonstrate recovery testing, offline or immutable storage, recovery time objectives, and resilience against ransomware targeting backup systems themselves. For data centers, this extends beyond data restoration to operational continuity planning. Backup generators, redundant power systems, spare hardware availability, failover capabilities, and environmental redundancy all contribute to insurability because they directly impact recovery timelines and downtime exposure.

Data center CISOs, CIOs, and COOs should prioritize continuous threat monitoring across IT and OT environments in order to identify abnormal activity within CPS. As data centers inch closer to recognition as a critical infrastructure sector, they become an increasingly valuable threat vector for attackers wishing to cause disruption at scale. 

Security leaders should also be vigilant about incident response testing in order to maintain operational resilience. Exposure management programs must also evolve beyond traditional IT vulnerability management. Underwriters expect data center leaders to understand all their exposures beyond exploitable software and firmware flaws. Compensating controls must address shortcomings that cannot be patched or updated in a timely manner. 

Insurers recognize this challenge but increasingly expect compensating controls such as segmentation around end-of-life assets that cannot be patched.

For operational leaders, the implication is clear: cyber insurance readiness now depends heavily on operational resilience within cyber-physical infrastructure. Data center resilience is no longer only about hardware redundancy; it must also ensure the enforcement of CPS-specific security controls that protect the uninterrupted availability of the physical systems that sustain digital business operations.

To achieve those levels of uptime and reliability, data center operators and security leaders must begin with asset inventories that extend beyond servers and switches and also discover CPS assets that are vital to operations. Underwriters also expect controls such as network segmentation to be used to isolate zones and deter lateral movement. This is a key mitigation that preserves uptime. In addition to other foundational access controls, secure remote access must be part of a data center risk reduction strategy. Third parties are vital to the data center ecosystem, but privileged access to CPS must be mapped, managed, and audited in order to secure access and ensure compliance.
