Insurance and Emergency Preparedness: The 9/11 Commission Recommendations

CRS Report for Congress
Insurance and Emergency Preparedness:
The 9/11 Commission Recommendations
October 25, 2004
Rawle O. King
Analyst in Industry Economics
Government and Finance Division

Congressional Research Service ˜ The Library of Congress

Insurance and the Emergency Preparedness:
The 9/11 Commission Recommendations
Summary
The September 11, 2001, terrorist attack on the World Trade Center exposed
vulnerabilities in the private sector’s ability to respond to and recover from
emergencies and disasters. These events have caused government and business
leaders, disaster experts and insurance experts, and industry representatives to rethink
emergency preparedness and business continuity planning for the private sector. In
its final report, released on July 22, 2004, the National Commission on Terrorist
Attacks Upon the United States (9/11 Commission) urged the Department of
Homeland Security (DHS) to help the private sector improve its capacity to respond
to terrorist attacks by adopting emergency preparedness and business continuity
standards developed by the National Fire Protection Association (NFPA 1600) and
adopted by the American National Standards Institute (ANSI). The 9/11
Commission also recommended that DHS take steps to encourage the insurance and
credit-rating industries to voluntarily consider a company’s compliance with NFPA

1600 when assessing insurability and creditworthiness.

The 9/11 Commission did not provide guidance on the meaning of
“insurability,” or on how an emergency preparedness standard might be integrated
into insurance underwriting and pricing systems. Several issues could arise when
insurers consider a company’s compliance with NFPA 1600 in the course of
assessing insurability. First, if the 9/11 Commission recommendations on private
sector emergency preparedness and business continuity standards are implemented,
will the federal government broaden the scope and meaning of insurability to enhance
private sector preparedness? While the 9/11 Commission did not recommend a
federal mandate to the states to have insurers incorporate NFPA 1600 standards into
policies, underwriting guidelines, or both (along with an appropriate actuarial-based
reduction in rates or preferential risk treatment), this scenario might emerge as an
unintended regulatory and legal issue for Congress. Second, most insurance experts
would agree that despite an increase in the analytical capabilities of insurers to assess
terrorism risk, there is a continued need for sufficient data and non-anecdotal
research to demonstrate the potential insurance cost savings from adoption of
emergency preparedness standards. Third, the linking of emergency preparedness
and business continuity standards to insurability, which is essentially what the 9/11
Commission envisions, will arguably work only if individuals and businesses have
incentives to engage in voluntary mitigation action. Most experts observe that these
actions will occur only when (1) individuals and businesses have knowledge and
belief that a significant risk exists; (2) they measure the cost and benefit of taking
steps to reduce losses; and then (3) they decide to act in order to survive. Finally,
representatives of the business continuity industry note that before insurers can
effectively implement the NFPA 1600 standards, policymakers, business leaders, and
insurers must address the specific relevance of the business continuity planning
(BCP) elements in the NFPA 1600 standard to insurance underwriting and pricing.
This report analyzes potential issues that might arise by complying with NFPA 1600.
This report will be updated as legislative developments warrant.

Contents
Introduction ......................................................1
Emergency Preparedness and NFPA 1600 Standards .....................2
Major Participants in Emergency Preparedness...........................3
Federal Government............................................3
State and Local Governments....................................3
Private Sector.................................................3
Insurance Industry.............................................4
Insurability of Risk and Standards ....................................5
Standards in Insurance Underwriting and Pricing.........................7
Potential Issues for Congress........................................9
Conclusions .....................................................12

Insurance and Emergency Preparedness:
The 9/11 Commission Recommendations
Introduction
The use of insurance as a tool in emergency management and business
continuity management (BCM) planning has taken on a new sense of urgency among
policymakers and business leaders in light of terrorist attacks and the continued threat
of emergencies and disasters.¹ Terrorist attacks, earthquakes, hurricanes, tornadoes,
power outages, and cyber attacks are just a few of the potential issues facing all
organizations. Realizing that unpredictable disruption and downtime in the private
sector could affect the U.S. economy, possibly with billions of dollars in lost or
interrupted operations, the National Commission on Terrorist Attacks Upon the
United States (9/11 Commission) recommended that the NFPA 1600 “Standard on
Disaster/Emergency Management and Business Continuity Programs,” developed by²
the National Fire Protection Association and endorsed by American National
Standards Institute (ANSI),³ serve as the national preparedness standard for all
organizations, including governments and businesses. The NFPA 1600 Standard
defines how the private sector should prepare for a catastrophe and continue or
recover its critical functions in the event of a disruption or major disaster. The 9/11
Commission’s final report, dated July 22, 2004, also urged the Department of
Homeland Security (DHS) to promote private sector adoption of NFPA 1600 and to
encourage the insurance and credit-rating industries to consider a company’s⁴
compliance with this standard when assessing insurability and creditworthiness.
Several reasons were cited for the 9/11 Commission’s recommendation to adopt
the NFPA 1600 Standard:

¹ Business continuity management (BCM) planning is concerned with assuring continuous
business processes after a disruption. BCM is a key component of comprehensive
emergency management, which encompasses disaster planning and preparedness, hazard
identification and mitigation, emergency response, disaster recovery, business continuity
and crisis management.
² [http://www.nfpa.org/catalog/home/AboutNFPA/NFPAOverview/NFOAOverview.asp],
visited Aug. 11, 2004.
³ [http://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=718],
visited Aug. 11, 2004.
⁴ U.S. National Commission on Terrorist Attacks Upon the United States, The 9/11
Commission Report (Washington: GPO, 2004), p. 398. The report is available online at
[http://www.9-11commission.gov], visited September 28, 2004.

^!private sector organizations own and manage the vast majority of the
critical infrastructure in the United States;
^!the first people called upon to respond to a terrorist attack will likely
be civilians; and
^!the private sector remains largely unprepared for a terrorist attack
because of a lack of a private sector emergency management
preparedness standard on rescue, restart, and recovery of operations.
Emergency Preparedness and
NFPA 1600 Standards
One of the key findings of the 9/11 Commission was the need for the private
sector to prepare for potential future terrorist attacks and other emergencies. The

9/11 Commission Report stated:

Private-sector preparedness in not a luxury; it is a cost of doing business in the
post-9/11 world. It is ignored at a tremendous potential cost in lives, money, and⁵
national security.
According to the 9/11 Commission, America’s vulnerability to terrorists attacks
and other emergencies stem in part from the lack of a widely acceptable national
standard for emergency preparedness and business continuity planning in the private
sector. Although the NFPA 1600 Standard currently serves as a benchmark for
emergency management and business continuity programs in both the public and
private sectors, the private sector has not widely embraced the standard. NFPA 1600
offers methodologies for defining and identifying risks and vulnerabilities, and
provides planning guidelines that address the restoration of physical infrastructure,
the health and safety of personnel, crisis communications procedures, and
management structures for both short-term recovery and ongoing long-term
continuity of operations. The standard is not a series of detailed requirements; it is
a basic outline of what belongs in a disaster/emergency management program. It is
designed to apply to a wide range of entities, including government agencies, private
companies, nonprofit agencies, and other organizations with emergency management
responsibilities.⁶
Business preparedness and the adoption a national preparedness standard are
widely considered key to recovery, and the U.S. Department of Homeland Security
(DHS) has arguably taken steps in this direction. On September 23, 2004, the DHS,
in partnership with the Advertising Council and several business organizations,
established the “Ready Business” national public service advertising campaign to
educate and empower companies on how to prepare for and respond to natural and

⁵ Ibid.
⁶ For more information, see CRS Report RL32520, Emergency Management Preparedness
Standards: Overview and Options for Congress, by Keith Bea.

human-caused disasters.⁷ The “Ready Business” campaign is an extension of DHS’s
successful “Ready” campaign, which reportedly has helped millions of individuals
and families prepare for emergencies.⁸ The “Ready Business” campaign offers
businesses practical information on such things as evacuation plans, fire safety, and
protecting business investments by securing facilities and equipment and reviewing
insurance coverage.⁹
Major Participants in Emergency Preparedness
The federal government is only one participant in a complex set of interlocking
institutions the nation utilizes for managing the consequences of disasters and
emergencies. The other major participants are state and local governments and the
private sector, which includes individuals, businesses, and insurance companies. The
role of these major participants in emergency management preparedness is examined
below.
Federal Government
The federal government provides early warning and financial and technical
assistance for emergency planning. It also provides emergency assistance to help
individuals, businesses, and public entities recover from the consequences of a major
disaster. Benefits under these programs generally are triggered by a range of federal
authorities.¹⁰
State and Local Governments
State and local governments play critical roles through land use controls, the
adoption and enforcement of building codes, and the regulation of insurance markets.
Local governments are also the first line of action for post-disaster response and
recovery. If localities are overwhelmed, they may request assistance from the state
or federal government. These institutions and the incentives they create are highly
interdependent.
Private Sector
The private sector — individuals and businesses — can pre-fund and diversify
risk by financing potential losses through insurance, reinsurance, self-insurance, and

⁷ [http://www.dhs.gov/dhspublic/interapp/press_release/press_release_0523.xml], visited
September 30, 2004.
⁸ [http://www.dhs.gov/dhspublic/display?theme=44&content=4049&print=true], visited
September 30, 2004.
⁹ [http://www.dhs.gov/dhspublic/display?theme=43&content=4034&print=true], visited on
October 1, 2004.
¹⁰ For references to federal assistance programs, see CRS Report RL31734, Federal Disaster
Recovery Programs: Brief Summaries, by Ben Canada.

capital from financial institutions and the investment community. Individuals and
businesses may also use damage prevention or loss mitigation techniques to reduce
the frequency and extent of damage.
Insurance Industry
The insurance mechanism is considered an efficient tool in not only the
management of risks, but also emergency management preparedness.¹¹ According
to emergency management experts, many companies do not plan for or have adequate
internal financial resources to pay for expenses associated with recovery from a
major disaster. They rely on external financial resources — e.g., insurance industry
payments or government disaster assistance — to recover from a disaster. Insurance
payments can serve as a major source of funds to rebuild communities and put lives
back together after a disaster. In order to better prepare the nation for possible future
terrorists attacks, the 9/11 Commission recommended that insurance companies
consider a company’s compliance with the voluntary national emergency
preparedness and business continuity standard (NFPA 1600) when assessing
insurability.
When a business is forced into a total or a partial shutdown because of damage
inflicted by a natural or human-caused disaster, the economic consequences to the
business and the community are costly. The business property may be physically
damaged and remain unavailable for use due to a disruption of essential utility
services (e.g., electricity, gas, telecommunications, sewer, and water) and/or access
to critical suppliers; employees may not be able to come to work because the work
site remains dangerous; and customers may not be able to reach the premises due to
infrastructure damage.
Businesses typically cover their direct costs of rebuilding, renovating, or
replacing the damaged property and the indirect cost of lost income by either insuring
themselves by setting aside money to cover possible losses (self-insurance) or
purchasing commercial insurance. Self-insuring disaster loss exposures might occur
either intentionally or by default. Businesses may intentionally self insure by
determining how much loss they can fund internally (“retain”), adopting a plan for
funding those retained losses, and buying insurance to cover larger losses. Many
businesses make no advance plans for financing losses and, by default, self-fund
unpredictable losses. This usually happens because a business fails to identify a
hazard, believes it has no options for addressing the hazard, or relies on the
government to cover all its post-disaster needs.

¹¹ Some economists argue that when insurance is compared to disaster relief and/or federal
tax policy, the insurance mechanism is the most efficient and equitable method of
compensating disaster victims for several reasons: (1) it provides a better method to reduce
risk by incorporating incentives for individuals and firms to adopt loss reduction measures;
(2) it provides more complete compensation for damages; (3) it is considered more equitable
because the people who pay for protection will typically receive the benefits; (4) it gives
people more control over their degree of protection; and (5) it is more efficient in dispensing
payments.

Commercial insurance offers the opportunity to cover the cost of recovery after
a major disaster. In January 1986, the property and casualty insurance industry
unveiled the Simplified Commercial Lines Portfolio (SCLP) policy as a new
approach to commercial insurance. The SCLP has seven separate sets of coverages
from which the insured can pick and choose.¹² Businesses may use use one policy
to meet most of their insurance needs.¹³ Basic protection for buildings and personal
property in the SCLP, for example, is provided under the Building and Personal
Property Coverage form (BPP). Business income and interruption and extra expense
coverage protects a business against temporary loss of net income rather than its
property. It is customarily included by endorsement on an insured’s commercial
property coverage. As with all types of policies, there are broad policy coverage
exclusions with respect to certain hazards (floods, earthquakes, wind, and acts of
terrorism) and the actions of the insured.
While commercial insurance does not guarantee a business’s post-disaster
survival, it is an important strategic element in emergency preparedness and business
continuity planning in the private sector. Given the importance of insurance in
managing disaster risks, it was reasonable to expect the 9/11 Commission to
recommend that the insurance industry consider a company’s compliance with a
national emergency standard when assessing insurability. The challenge is to find a
way to incorporate a company’s adherence to an emergency standard into the
insurer’s decision to insure a risk — i.e., insurability.
Insurability of Risk and Standards
The term “insurability” refers to the process by which an insurance company
sets a premium that accurately reflects the applicable risk. While the setting of a
price is important, it is also critical for the insurer to be able to offer a policy that is
marketable. What makes a risk insurable and an insurance policy marketable? This
report will discuss insurability in the next section. With respect to marketability, it
is important to note that a particular risk might meet the insurability conditions, but
the policy will not come to the market if the insurer lacks the confidence that there
is sufficient demand to cover the cost. In theory, demand occurs because the
potential policyholder is risk-averse and willing to pay a relatively small premium for
protection against a large loss. Demand might also depend on the existence of
standards (or criteria) that provide threshold limits governing professional behavior¹⁴
accepted by all potentially insured parties. These standards are typically imposed

¹² The SCLP policy provides coverages for commercial property, liability, crime, boiler and
machinery, commercial auto, inland marine, and farm.
¹³ Under SCLP, workers’ compensation must be purchased separately.
¹⁴ State licensing boards and professional societies typically prepare standards of
professional behavior, and the insurance industry will incorporate these standards into their
pricing or underwriting schemes. Professional standards promulgated by the state licensing
board will be consistent with the standards of proof required and the exceptions to a finding
of negligence that are codified in state statue. The practical impact of the standard in the
(continued...)

through government regulation or financial institution requirements, not the insurer.
Insurance experts observe that two conditions must be met for a particular risk
to be insurable: the ability to identify and quantify the risk; and the ability to set
premiums for each potential customer or class of customers.
First, in order to identify the risk, the insurer must estimate the frequency of
specific events occurring and the magnitude of the loss should the event occur. The
insurer needs loss experience data from many kinds of perils and hazards to perform
this task. Unfortunately, from the standpoint of establishing rates, some events, like
acts of terrorism, are very infrequent and there is limited data available upon which
to base premiums. Insurers must therefore rely on scientific studies and computer-
generated and mathematical models to develop estimates of the frequency of events,
as well as the damage that is likely to occur from these events.
Second, for a risk to be insurable, the insurer needs the ability to set premiums
in such a manner that the company makes a profit. The insurance industry has well
developed methods of classifying and selecting what risks to insure, and what price
to charge. Insurers apply certain business tests of insurability when considering what
premium to set for a particular risk.¹⁵ This process is called “underwriting” and is
analogous to what the 9/11 Commissioners refer to as “insurability.” The act of
underwriting requires underwriters to exercise judgment based on a clear
understanding of the hazards associated with each kind of coverage as well as
adverse selection,¹⁶ moral hazards¹⁷ and correlated risk facing various entitites in the
private sector.¹⁸
In deciding whether to issue an insurance policy, the underwriter gathers
information from many sources, including the application itself, the recommendation

¹⁴ (...continued)
medical profession, for example, is to enhance the marketability of medical malpractice
liability insurance for physicians. The professional standard created the demand for the
insurance product that protects the doctor from civil liability, the patient from medical error,
and the insurer from losses stemming from inappropriate professional behavior.
¹⁵ For example, insurers generally use a four-test criteria to determine the insurability of
risks (i.e., whether to underwrite a risk): (1) calculability of the risk, which refers to the
presence of sufficient loss data to statistically estimate the chance of future losses and
possible variations from the estimate; (2) certainty of loss, which refers to the ability to
define the loss that has occurred; (3) the absence of catastrophic potential or the possibility
that the losses may be of sufficient magnitude to destroy the financial stability of the insurer;
and (4) whether insured losses are accidental rather than intentional.
¹⁶ Adverse selection occurs when the insurer cannot distinguish between the probability of
loss for different risk categories. The insurer loses money on a policy if only poor risks
purchase the coverage.
¹⁷ Moral hazard occurs when there is a tendency of insurance protection to change the
behavior of the customer such that the policyholder does not try to avoid misfortune, and
may act to bring it on.
¹⁸ Correlated risk occurs when there is the simultaneous occurrence of many losses from a
single event. The impact of correlated risks is the possibility of insurer insolvency.

of the agent or broker who accepts the application, insurance company inspectors and
engineers, private inspection companies, and other insurance industry support
organizations that maintain centralized files for certain types of risks.
Underwriters also rely on various standards and procedures. Using data and
other information generated internally or from insurance support agencies, insurers
typically publish internal underwriting company guidelines and pricing charts that
help underwriters perform their job in a manner consistent with the company’s
business strategy. In support of this industry-wide practice, the A. M. Best Company
publishes the Best’s Underwriting Guide for Commercial Lines and Best’s Loss
Control Engineering Manual, which are technical guides designed for insurance
inspection, underwriting, loss control, and safety engineering personnel. These
guides cover more than 700 risk classifications, offering information on loss
exposure and loss prevention in various categories of businesses that are covered by
the different types of property and casualty lines of insurance.
As an illustration, an insurance underwriter reviewing an application for
insurance from a barber shop might refer to the Best’s Underwriting Guide for
Commercial Lines under Standard Industrial Classification (SIC) code 7231 (beauty
shop) or SIC 7241 (barber shop) to obtain the standards that might apply to the
various risks facing these businesses. In this case, the underwriter might refer to the
Guide and determine whether the barber shop’s cleaning supplies and hair solutions
are in compliance with NFPA 30, Flammable and Combustible Liquids Code. NFPA

30 covers the storage, handling, and use of flammable and combustible liquids,

including waste liquids.
Building from the 9/11 Commission recommendation and the above illustration
of the role standards play in business practices, DHS could encourage insurers,
advisory organizations and rating bureaus to consider integrating NFPA 1600
Standard into their underwriting and pricing schemes so that the private sector —
reflecting the 700 risk classifications — could undertake efficient risk management
processes and hence be better prepared to respond to emergencies. Businesses that
comply with the standards set by insurers might be granted less expensive insurance
rates.
Standards in Insurance Underwriting and Pricing
Major insurance industry participants, including insurers, trade associations,
advisory organizations, and rating bureaus, already support the establishment of
emergency preparedness management and business continuity planning standards for
individuals and businesses. Four examples of activities might be presented.
First, with respect to potential cyber attacks, the insurance industry currently
plays an important role in securing cyberspace by creating national standards for risk-¹⁹
transfer (insurance) mechanisms, working with the government to increase the

¹⁹ [http://www.securityfocus.com/news/361], visited October 25, 2004.

awareness of cyber risks²⁰ and collaborating with leaders in the disaster preparedness
industry to promote best practices for businesses.²¹
Second, the Insurance Service Office (ISO) administers the Public Protection
Classification (PPC) program, which grades a community’s public fire protection
capabilities.²² Under the PPC program, each local fire department’s firefighting
capability is ranked on a scale of 1-10 under ISO’s Fire Suppression Rating Schedule
(FSRS). Each community’s insurance rates are based, in part, on this FSRS rating.
The FSRS includes factors such as water supply and whether its fire fighters are full-
time paid employees or volunteers.
The PPC program has played a critical role in the property and casualty
insurance business and the availability of affordable homeowners’ and commercial
property coverage. Virtually all U.S. insurers of homes and business property use
ISO’s PPC to establish appropriate fire insurance premiums for residential and
commercial properties. The ISO classification is correlated to actuarially derived
rating factors used in setting fire insurance premiums. The rating factors are
developed using historical loss experience data and represent a relationship between
loss experience and the PPC.
Third, the use of ISO’s Building Code Effectiveness Grading Schedule is
another way in which emergency preparedness standards are incorporated into
insurance underwriting and pricing. In the 1980s, the insurance industry discovered
that the level of building code enforcement affected the cost of claims. However, it
was not until Hurricane Andrew in 1992 that a new organization, the Insurance
Institute for Property Loss Reduction (IIPLR) launched a study to develop better
wind and seismic building codes so structures could better withstand the force of
storms and earthquakes. The work of the IIPLR led to the development by ISO of a
building code compliance rating system, similar to the fire protection rating system.
The ISO Building Code Effectiveness Grading Schedule (BCEGS) assesses the
building codes in effect in a particular community and the community enforcement
of these codes. The BCEGS takes into account factors such as (1) the size of the
community’s building code enforcement budget relative to the amount of building
activity; (2) the professional qualifications of building inspectors; and (3) past code
enforcement levels. By incorporating the BCEGS into the underwriting and pricing
process, communities have incentives to undertake mitigation activities such as the
use of certain roofing material, the installation of hurricane shutters, and the
identification of appropriate load combinations for buildings.

²⁰ [http://www.propertyandcasualty.com/content/news/article.asp?docid={0981135a-fe11-

4684-ae57-cf909d5d6e18}&V NET COOK IE=NO].

²¹ See [http://www.tripwiresecurity.com/press/pr.cfm?prid=49], visited October 25, 2004.
²² The Insurance Services Office, Inc. (ISO) is a private, independent organization that
provides statistical and actuarial information, policy forms and related services to
insurers. ISO also serves insurance regulators, fire departments, and other organizations
that provide information about risk. For more information on ISO’s PPC, see
[http://www.iso.com/products/2400/prod2403.html], visited October 4, 2004.

With the availability of BCEGS, insurers and state insurance regulators
combined forces under the auspices of the National Association of Insurance
Commissioners (NAIC) to develop and encourage states to adopt model insurance
laws, regulations and guidelines on building codes. Insurers now offer discounts on
property insurance premiums to property owners and businesses located in
communities with enforced, up-to-date building codes that conform to BCEGS
standards. Communities with a BCEGS grade of 1 (reflecting exemplary
commitment to building-code enforcement), for example, can demonstrate better loss
experience, resulting in lower insurance premiums. The BCEGS program was
initially implemented in states with high exposure to wind (hurricane) and seismic
exposure, but now is available throughout the rest of the country.
Fourth, since the early 1900s, the construction industry has attempted to
formulate standardized practices for every aspect of the building industry, and the
insurance industry recognizes those standards in its insurance policies and pricing
schemes.²³ In fact, the first model building codes in the United States were
developed in 1905 by the National Board of Fire Underwriters, an insurance industry
organization.
Potential Issues for Congress
Several potential insurance-related issues could arise as policymakers consider
the 9/11 Commission’s recommendation on emergency preparedness and business
continuity standards in the private sector.
First, if the 9/11 Commission recommendations on private sector emergency
preparedness and business continuity standard are implemented, will the federal
government broaden the scope and meaning of insurability to enhance future private
sector preparedness? While the 9/11 Commission did not recommend a federal
mandate to the states to have insurers insert NFPA 1600 Standards into policies and
underwriting guidelines along with an appropriate actuarial-based reduction in rates
or preferential risk treatment, such an unintended regulatory and legal scenario might²⁴
emerge in the future. What are the implications for state insurance regulation of
insurance underwriting and pricing should the states adopt the NFPA 1600
standards?
Several things are known about insurance regulation, particularly with respect
to rates: (1) insurance is regulated by the states; (2) the rate regulation process — i.e.,
prior approval vs open competition — may vary for different kinds of insurance

²³ For more information on ANSI-accredited NFPA 5000, Building Construction and Safety
Code, see [http://www.contractormag.com/articles/newsarticle.cfm?newsid=126], visited
October 25, 2004.
²⁴ Congress specifically reaffirmed the authority of states to regulate the insurance industry
when it enacted the McCarran-Ferguson Act of 1945 (PL 79-15; 59 Stat. 33, March 9,
1945). Thus, under current law, the regulation of the business of insurance in the United
States is carried out at the state level, and this business is substantially exempt from federal
antitrust laws.

within the same jurisdiction; and (3) states may change the method used to oversee
rates for a given kind of insurance if market conditions change.²⁵ Thus, depending
on the type of rate regulation system in a particular state, a regulator could require a
reduction in rates to reflect adoption of certain standards. Could this reduction in
rates be judged a federal mandate, given that the DHS might instruct insurers to
consider NFPA 1600 in their pricing and underwriting system? What would be the
role of Congress to resolve this matter, given the existence of the McCarran-Ferguson
Act of 1945 that delegates the regulation of the business of insurance to the states?
From an insurance company perspective, it makes good business sense to
provide insurance services and price and sell policies that incorporate elements of
emergency preparedness and business continuity standards. The reason is simple: a
reduction in potential losses through emergency preparedness standards could lead
to lower claims for insurance companies. Any federal involvement (or perception of
involvement) in insurance rate-making (regulation) would be widely viewed as a
departure from the stance the Congress has taken since the enactment of the
McCarran Ferguson Act of 1945 that leaves exclusively the regulation of the business
of insurance to the states. Since 1945, Congress has on several occasions
investigated the availability and affordability of insurance and the efficiency and
adequacy of state insurance regulation, but chose to leave things as they are without
intervening in state rate regulation. State insurance regulators have always responded
to congressional concerns in such a manner as to avoid congressional intervention in
the state insurance regulatory process.
Second, insurers have a long way to go when it comes to assessing the link
between terrorism risk and adoption of emergency preparedness standards in a non-
anecdotal manner. While terrorism modeling has come a long way since 9/11, it is
no substitute for the actuarially credible data on which most insurance rates are based
(potentially millions of observations over extended periods of time). Instances of
major terrorist attacks, especially in the United States, are few. The only three data
points in the United States are the two World Trade Center terrorists attacks and the
1995 Oklahoma City bombing (domestic terrorism). While it stands to reason that
the risk mitigation measures taken by businesses — i.e., compliance with NFPA
1600’s emergency preparedness and business continuity standards — would likely
reduce the probability and severity of some types of attacks, it is unclear if the
aggregate risk would be reduced (shift to soft targets, different means of attack, etc.).
The dynamic strategies of would-be terrorists are impossible to fully insure against
— in contrast to insuring against natural disasters. Given their fiduciary and
regulatory responsibility to shareholders, most insurers are not likely to voluntarily
reduce rates without data that quantify the level of savings that can be achieved with
the adoption of standards designed to reduce aggregate risk. Could this situation
hamper the full adoption of standards within the insurance industry?

²⁵ State insurance regulators have adopted several methods of regulating insurance rates that
fall into two categories: “prior approval” and “competitive.” Prior approval means the
insurer must file the rates with the regulator and obtain approval before using them in the
market. Competitive rate regulation allows insurers to adopt new rates without having to
wait for regulatory approval, albeit rates must still be filed with the regulator.

Third, the linking of emergency preparedness and business continuity standards
to insurability, which appears to be what the 9/11 Commission envisions although
not specifically mentioned in the 9/11 Report, would work only if individuals and
businesses have incentives to engage in voluntary mitigation action. Most experts
observe that these actions would occur only when individuals and businesses have
knowledge and belief that a significant risk exists, they measure the cost and benefit
of taking steps to reduce losses, and then decide to act in order to be prudent.
The point here is that any effort to enhance the nation’s emergency management
response capabilities by linking emergency preparedness and business continuity
standards to insurability (underwriting and pricing) must involve committed
individuals and businesses. Two fundamental issues are (1) what incentives would
most likely motivate private individuals and businesses to engage in voluntary
mitigation action; and (2) at what expected loss level or threshold does the mitigation
of risks shift from being a set of private mitigation decisions to the level of a public
problem possibly requiring federal regulation? That is, should the government set
the primary standards for mitigation risks? Experts in the disaster and insurance
arenas generally agree that voluntary action by individuals and businesses is
necessary in order to reduce disaster risks. Voluntary action is likely to occur when
there is knowledge and belief that a significant risk exists, and when the following
criteria are met:
^!the risk is large when compared to other issues that demand attention
and resources;
^!there are significant incentives (i.e., premium or deductible
reductions or both) to warrant a decision to invest in mitigation
action; and
^!the risk of loss cannot be transferred to others (i.e., insurance and/or
government relief not available).
Finally, representatives of the business continuity industry note that before
insurers can effectively implement the NFPA 1600 standards, policymakers, business
leaders, and insurers must address the specific reference to business continuity
planning (BCP) in the standard itself.²⁶ BCP is a comprehensive process that
includes disaster recovery, business recovery, business resumption, contingency
planning and crisis management. Some business continuity experts have argued that
business continuation is embedded within emergency management and disaster
recovery planning provisions of the standard. From an insurance company
perspective, more refinement of the NFPA 1600 might be needed that includes
features of business continuity planning that an insurer can more readily adopt in its
underwriting and pricing schemes.
Given the demonstrated expertise insurers possess in working with the building
industry and other industries in the private sector, the DHS could encourage insurers,
insurance industry associations, advisory organizations and rating bureaus to

²⁶ [http://www.davislogic.com/NFPA1600.htm], visited October 25, 2004.

integrate NFPA Standard 1600 into their marketing, underwriting, and pricing
schemes.
Conclusions
The September 11, 2001 terrorist attack on the World Trade Centers exposed
vulnerabilities in the private sector’s ability to respond to and recover from
emergencies and disasters. According to the 9/11 Commission, this vulnerability
stems in part from the lack of a widely acceptable national standard for emergency
preparedness and business continuity planning in the private sector.
It was not surprising that the 9/11 Commission alluded to the insurance industry.
The insurance industry is a major source of post-disaster recovery financing and
insurers are accustomed to either using or getting other customers to use standards
in its normal business practices.
The Department of Homeland Security (DHS) was designated to take the lead
in encouraging the insurance and credit-rating industries to voluntarily consider a
company’s compliance with NFPA 1600 when assessing insurability and
creditworthiness. The 9/11 Commission, however, did not provide guidance on the
meaning of “insurability” or how an emergency preparedness standard might be
integrated into insurance underwriting and pricing systems.
The key to understanding this 9/11 Commission recommendation rests with a
grasp of the connection between the insurability of risk and standards. The term
“insurability” refers to the process by which an insurer sets a premium that accurately
reflects the applicable risk. While the setting of an insurance premium is important,
the marketability of policies that incorporates NFPA 1600 Standards is equally
important. There must be market demand for the policy if it is to be offered by an
insurer. One way to effect demand for a policy that indirectly requires businesses to
adopt emergency management preparedness standards might be through the
imposition of those standards by government regulation, by financial institution
requirements or both. Another way to stimulate demand would occur naturally by
the reaction of potential customers who are risk averse and are willing to pay a
premium for protection against a large loss.