I had my first claim involving a data centre years before they became so sexy. A massive storm smashed into a Midwest town, putting out the power to the whole place for several days. We had a claim from the data centre’s owners straight away.

To give credit where due, the facility we’d insured turned out the most resilient operation in town. It kept on running because it had backup generators in place to ensure continuous supply. So the claim wasn’t for BI. The locals had noticed the lights were on, and they needed juice. The bulk of the claim was to cover the cost of armed guards recruited to protect our client from Mad Max-style energy thieves.

The incident made me a cloud believer. It had happened just weeks after the basement of our office building was flooded when a man with a JCB ploughed through the water main under the construction site next door. Our own servers were kept down there, and they didn’t operate under three feet of water. That was when I first realised that the cloud has some serious benefits. It’s more reliable and more secure.

Five or so years ago, everyone was talking about the complete migration of corporate computing to the cloud. Since then, though, many planned ‘full migration’ initiatives have stalled or been reduced to a selective transfer. These days, larger insurance firms (and corporations in other sectors, too) tend to have hybrid setups. They rely on some legacy on-premises servers, some private cloud housed at remote data centres, and some public cloud from the big providers: AWS, MS Azure, and Google.

Migration hesitation persists for multiple reasons. One issue is the increasingly complex jurisdictional regulatory patchwork. It’s driven by factors such as Solvency II data requirements, local supervisory expectations, and the GDPR’s ongoing interpretation of ‘who can access our data’ (a question often answered differently by various state-level Data Commissioners). These not only factor into on where data sits, but also play on which foreign government’s legal systems and processes can compel access to the data held.

Concentration risk is another factor. The three hyperscalers I mentioned underpin most of the data centre industry, with a combined market share approaching 70%. That creates an enormous systemic exposure. I always chuckle when asked what would happen to underwriting platforms if AWS and Azure were to go down worldwide. Survival would probably be a much higher priority than logging onto your workbench!

The resilience calculation plays a role in the halting cloud migration. Insurers routinely price business interruption for clients, but sometimes they underestimate their own exposure. Cloud providers offer SLAs, not guarantees, and as headlines (as well as the vendors of cloud outage insurance) frequently remind us, the cloud does indeed go down. So without a failover (the cute IT term for an alternative server), when the cloud stops, your business will grind to a halt.

Complete migration has also been prevented by the cost of optionality. Staying hybrid or keeping some on-premises capability isn’t just legacy drag. It can be a deliberate hedge. However, it’s one that comes at the cost both of operational complexity and of the need for talent. Servers don’t run themselves.

In short, redundancy is sound risk management for multiple reasons. Yet not all the people I have spoken to have an actual recovery plan to be implemented when a cloud region they rely on fails. In fact, in this age of DORA it’s surprisingly, worryingly few.

To make that worse, the risk of sustained downtime looks to me to be exacerbated by the current geopolitical climate. It isn’t difficult to imagine challenges. Tariffs could be imposed suddenly on the three big cloud providers, causing them to power down your server. Or new legal requirements could insist that data pertaining to certain classes of client must be hosted only in certain specific regions.

Insurers advise clients daily on concentration risk, supply chain resilience, and business continuity. However, many have quietly handed their own operational backbone to one or two US cloud companies, and continue to hope for the best. That looks to me more like a collective blind spot than sophisticated risk management.

Here’s my suggestion. Use the industry’s own logic against complacency, and underwrite yourself. Ask questions about your own infrastructure. Audit your systems. Review your digital supply chain. If you don’t like the answers, it’s time to act on your own data centre risk.  

I remain a cloud believer. I argue often that cloud first is the best policy. However, it is wise – nay, essential – to be cloud-provider agnostic (we are), and to have failover options ready to go.

Guillaume Bonnissent is CEO of Quotech.