Order Code RL32646

CRS Report for Congress
Received through the CRS Web

Insurance and Emergency Preparedness: The 9/11 Commission Recommendations

October 25, 2004

Rawle O. King
Analyst in Industry Economics
Government and Finance Division

Congressional Research Service ~ The Library of Congress

Summary

The September 11, 2001, terrorist attack on the World Trade Center exposed vulnerabilities in the private sector's ability to respond to and recover from emergencies and disasters. These events have caused government and business leaders, disaster experts and insurance experts, and industry representatives to rethink emergency preparedness and business continuity planning for the private sector. In its final report, released on July 22, 2004, the National Commission on Terrorist Attacks Upon the United States (9/11 Commission) urged the Department of Homeland Security (DHS) to help the private sector improve its capacity to respond to terrorist attacks by adopting emergency preparedness and business continuity standards developed by the National Fire Protection Association (NFPA 1600) and adopted by the American National Standards Institute (ANSI). The 9/11 Commission also recommended that DHS take steps to encourage the insurance and credit-rating industries to voluntarily consider a company's compliance with NFPA 1600 when assessing insurability and creditworthiness.

The 9/11 Commission did not provide guidance on the meaning of "insurability," or on how an emergency preparedness standard might be integrated into insurance underwriting and pricing systems. Several issues could arise when insurers consider a company's compliance with NFPA 1600 in the course of assessing insurability.
First, if the 9/11 Commission recommendations on private sector emergency preparedness and business continuity standards are implemented, will the federal government broaden the scope and meaning of insurability to enhance private sector preparedness? While the 9/11 Commission did not recommend a federal mandate to the states to have insurers incorporate NFPA 1600 standards into policies, underwriting guidelines, or both (along with an appropriate actuarial-based reduction in rates or preferential risk treatment), this scenario might emerge as an unintended regulatory and legal issue for Congress.

Second, most insurance experts would agree that despite an increase in the analytical capabilities of insurers to assess terrorism risk, there is a continued need for sufficient data and non-anecdotal research to demonstrate the potential insurance cost savings from adoption of emergency preparedness standards.

Third, the linking of emergency preparedness and business continuity standards to insurability, which is essentially what the 9/11 Commission envisions, will arguably work only if individuals and businesses have incentives to engage in voluntary mitigation action. Most experts observe that these actions will occur only when (1) individuals and businesses have knowledge and belief that a significant risk exists; (2) they measure the cost and benefit of taking steps to reduce losses; and then (3) they decide to act in order to survive.

Finally, representatives of the business continuity industry note that before insurers can effectively implement the NFPA 1600 standards, policymakers, business leaders, and insurers must address the specific relevance of the business continuity planning (BCP) elements in the NFPA 1600 standard to insurance underwriting and pricing.

This report analyzes potential issues that might arise by complying with NFPA 1600. This report will be updated as legislative developments warrant.

Contents

Introduction
Emergency Preparedness and NFPA 1600 Standards
Major Participants in Emergency Preparedness
    Federal Government
    State and Local Governments
    Private Sector
    Insurance Industry
Insurability of Risk and Standards
Standards in Insurance Underwriting and Pricing
Potential Issues for Congress
Conclusions

Introduction

The use of insurance as a tool in emergency management and business continuity management (BCM) planning has taken on a new sense of urgency among policymakers and business leaders in light of terrorist attacks and the continued threat of emergencies and disasters.1 Terrorist attacks, earthquakes, hurricanes, tornadoes, power outages, and cyber attacks are just a few of the potential issues facing all organizations. Realizing that unpredictable disruption and downtime in the private sector could affect the U.S.
economy, possibly with billions of dollars in lost or interrupted operations, the National Commission on Terrorist Attacks Upon the United States (9/11 Commission) recommended that the NFPA 1600 "Standard on Disaster/Emergency Management and Business Continuity Programs," developed by the National Fire Protection Association2 and endorsed by the American National Standards Institute (ANSI),3 serve as the national preparedness standard for all organizations, including governments and businesses. The NFPA 1600 Standard defines how the private sector should prepare for a catastrophe and continue or recover its critical functions in the event of a disruption or major disaster. The 9/11 Commission's final report, dated July 22, 2004, also urged the Department of Homeland Security (DHS) to promote private sector adoption of NFPA 1600 and to encourage the insurance and credit-rating industries to consider a company's compliance with this standard when assessing insurability and creditworthiness.4 Several reasons were cited for the 9/11 Commission's recommendation to adopt the NFPA 1600 Standard:

• private sector organizations own and manage the vast majority of the critical infrastructure in the United States;
• the first people called upon to respond to a terrorist attack will likely be civilians; and
• the private sector remains largely unprepared for a terrorist attack because of a lack of a private sector emergency management preparedness standard on rescue, restart, and recovery of operations.

1 Business continuity management (BCM) planning is concerned with assuring continuous business processes after a disruption. BCM is a key component of comprehensive emergency management, which encompasses disaster planning and preparedness, hazard identification and mitigation, emergency response, disaster recovery, business continuity and crisis management.
2 [http://www.nfpa.org/catalog/home/AboutNFPA/NFPAOverview/NFOAOverview.asp], visited Aug. 11, 2004.
3 [http://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=718], visited Aug. 11, 2004.
4 U.S. National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission Report (Washington: GPO, 2004), p. 398. The report is available online at [http://www.9-11commission.gov], visited September 28, 2004.

Emergency Preparedness and NFPA 1600 Standards

One of the key findings of the 9/11 Commission was the need for the private sector to prepare for potential future terrorist attacks and other emergencies. The 9/11 Commission Report stated:

    Private-sector preparedness is not a luxury; it is a cost of doing business in the post-9/11 world. It is ignored at a tremendous potential cost in lives, money, and national security.5

According to the 9/11 Commission, America's vulnerability to terrorist attacks and other emergencies stems in part from the lack of a widely acceptable national standard for emergency preparedness and business continuity planning in the private sector. Although the NFPA 1600 Standard currently serves as a benchmark for emergency management and business continuity programs in both the public and private sectors, the private sector has not widely embraced the standard.

NFPA 1600 offers methodologies for defining and identifying risks and vulnerabilities, and provides planning guidelines that address the restoration of physical infrastructure, the health and safety of personnel, crisis communications procedures, and management structures for both short-term recovery and ongoing long-term continuity of operations. The standard is not a series of detailed requirements; it is a basic outline of what belongs in a disaster/emergency management program.
It is designed to apply to a wide range of entities, including government agencies, private companies, nonprofit agencies, and other organizations with emergency management responsibilities.6

5 Ibid.
6 For more information, see CRS Report RL32520, Emergency Management Preparedness Standards: Overview and Options for Congress, by Keith Bea.

Business preparedness and the adoption of a national preparedness standard are widely considered key to recovery, and the U.S. Department of Homeland Security (DHS) has arguably taken steps in this direction. On September 23, 2004, the DHS, in partnership with the Advertising Council and several business organizations, established the "Ready Business" national public service advertising campaign to educate and empower companies on how to prepare for and respond to natural and human-caused disasters.7 The "Ready Business" campaign is an extension of DHS's successful "Ready" campaign, which reportedly has helped millions of individuals and families prepare for emergencies.8 The "Ready Business" campaign offers businesses practical information on such things as evacuation plans, fire safety, and protecting business investments by securing facilities and equipment and reviewing insurance coverage.9

Major Participants in Emergency Preparedness

The federal government is only one participant in a complex set of interlocking institutions the nation utilizes for managing the consequences of disasters and emergencies. The other major participants are state and local governments and the private sector, which includes individuals, businesses, and insurance companies. The role of these major participants in emergency management preparedness is examined below.

Federal Government

The federal government provides early warning and financial and technical assistance for emergency planning. It also provides emergency assistance to help individuals, businesses, and public entities recover from the consequences of a major disaster.
Benefits under these programs generally are triggered by a range of federal authorities.10

State and Local Governments

State and local governments play critical roles through land use controls, the adoption and enforcement of building codes, and the regulation of insurance markets. Local governments are also the first line of action for post-disaster response and recovery. If localities are overwhelmed, they may request assistance from the state or federal government. These institutions and the incentives they create are highly interdependent.

Private Sector

The private sector -- individuals and businesses -- can pre-fund and diversify risk by financing potential losses through insurance, reinsurance, self-insurance, and capital from financial institutions and the investment community. Individuals and businesses may also use damage prevention or loss mitigation techniques to reduce the frequency and extent of damage.

7 [http://www.dhs.gov/dhspublic/interapp/press_release/press_release_0523.xml], visited September 30, 2004.
8 [http://www.dhs.gov/dhspublic/display?theme=44&content=4049&print=true], visited September 30, 2004.
9 [http://www.dhs.gov/dhspublic/display?theme=43&content=4034&print=true], visited on October 1, 2004.
10 For references to federal assistance programs, see CRS Report RL31734, Federal Disaster Recovery Programs: Brief Summaries, by Ben Canada.

Insurance Industry

The insurance mechanism is considered an efficient tool in not only the management of risks, but also emergency management preparedness.11 According to emergency management experts, many companies do not plan for or have adequate internal financial resources to pay for expenses associated with recovery from a major disaster. They rely on external financial resources -- e.g., insurance industry payments or government disaster assistance -- to recover from a disaster.
Insurance payments can serve as a major source of funds to rebuild communities and put lives back together after a disaster. In order to better prepare the nation for possible future terrorist attacks, the 9/11 Commission recommended that insurance companies consider a company's compliance with the voluntary national emergency preparedness and business continuity standard (NFPA 1600) when assessing insurability.

When a business is forced into a total or a partial shutdown because of damage inflicted by a natural or human-caused disaster, the economic consequences to the business and the community are costly. The business property may be physically damaged and remain unavailable for use due to a disruption of essential utility services (e.g., electricity, gas, telecommunications, sewer, and water) and/or access to critical suppliers; employees may not be able to come to work because the work site remains dangerous; and customers may not be able to reach the premises due to infrastructure damage.

Businesses typically cover their direct costs of rebuilding, renovating, or replacing the damaged property and the indirect cost of lost income by either insuring themselves by setting aside money to cover possible losses (self-insurance) or purchasing commercial insurance.

Self-insuring disaster loss exposures might occur either intentionally or by default. Businesses may intentionally self-insure by determining how much loss they can fund internally ("retain"), adopting a plan for funding those retained losses, and buying insurance to cover larger losses. Many businesses make no advance plans for financing losses and, by default, self-fund unpredictable losses. This usually happens because a business fails to identify a hazard, believes it has no options for addressing the hazard, or relies on the government to cover all its post-disaster needs.

11 Some economists argue that when insurance is compared to disaster relief and/or federal tax policy, the insurance mechanism is the most efficient and equitable method of compensating disaster victims for several reasons: (1) it provides a better method to reduce risk by incorporating incentives for individuals and firms to adopt loss reduction measures; (2) it provides more complete compensation for damages; (3) it is considered more equitable because the people who pay for protection will typically receive the benefits; (4) it gives people more control over their degree of protection; and (5) it is more efficient in dispensing payments.

Commercial insurance offers the opportunity to cover the cost of recovery after a major disaster. In January 1986, the property and casualty insurance industry unveiled the Simplified Commercial Lines Portfolio (SCLP) policy as a new approach to commercial insurance. The SCLP has seven separate sets of coverages from which the insured can pick and choose.12 Businesses may use one policy to meet most of their insurance needs.13 Basic protection for buildings and personal property in the SCLP, for example, is provided under the Building and Personal Property Coverage form (BPP).

Business income and interruption and extra expense coverage protects a business against temporary loss of net income rather than its property. It is customarily included by endorsement on an insured's commercial property coverage. As with all types of policies, there are broad policy coverage exclusions with respect to certain hazards (floods, earthquakes, wind, and acts of terrorism) and the actions of the insured.

While commercial insurance does not guarantee a business's post-disaster survival, it is an important strategic element in emergency preparedness and business continuity planning in the private sector.

Given the importance of insurance in managing disaster risks, it was reasonable to expect the 9/11 Commission to recommend that the insurance industry consider a company's compliance with a national emergency standard when assessing insurability. The challenge is to find a way to incorporate a company's adherence to an emergency standard into the insurer's decision to insure a risk -- i.e., insurability.

Insurability of Risk and Standards

The term "insurability" refers to the process by which an insurance company sets a premium that accurately reflects the applicable risk. While the setting of a price is important, it is also critical for the insurer to be able to offer a policy that is marketable. What makes a risk insurable and an insurance policy marketable? This report will discuss insurability in the next section. With respect to marketability, it is important to note that a particular risk might meet the insurability conditions, but the policy will not come to the market if the insurer lacks the confidence that there is sufficient demand to cover the cost. In theory, demand occurs because the potential policyholder is risk-averse and willing to pay a relatively small premium for protection against a large loss. Demand might also depend on the existence of standards (or criteria) that provide threshold limits governing professional behavior accepted by all potentially insured parties.14 These standards are typically imposed through government regulation or financial institution requirements, not the insurer.

12 The SCLP policy provides coverages for commercial property, liability, crime, boiler and machinery, commercial auto, inland marine, and farm.
13 Under SCLP, workers' compensation must be purchased separately.
14 State licensing boards and professional societies typically prepare standards of professional behavior, and the insurance industry will incorporate these standards into their pricing or underwriting schemes. Professional standards promulgated by the state licensing board will be consistent with the standards of proof required and the exceptions to a finding of negligence that are codified in state statute. The practical impact of the standard in the medical profession, for example, is to enhance the marketability of medical malpractice liability insurance for physicians. The professional standard created the demand for the insurance product that protects the doctor from civil liability, the patient from medical error, and the insurer from losses stemming from inappropriate professional behavior.

Insurance experts observe that two conditions must be met for a particular risk to be insurable: the ability to identify and quantify the risk; and the ability to set premiums for each potential customer or class of customers.

First, in order to identify the risk, the insurer must estimate the frequency of specific events occurring and the magnitude of the loss should the event occur. The insurer needs loss experience data from many kinds of perils and hazards to perform this task. Unfortunately, from the standpoint of establishing rates, some events, like acts of terrorism, are very infrequent and there is limited data available upon which to base premiums. Insurers must therefore rely on scientific studies and computer-generated and mathematical models to develop estimates of the frequency of events, as well as the damage that is likely to occur from these events.

Second, for a risk to be insurable, the insurer needs the ability to set premiums in such a manner that the company makes a profit. The insurance industry has well developed methods of classifying and selecting what risks to insure, and what price to charge. Insurers apply certain business tests of insurability when considering what premium to set for a particular risk.15 This process is called "underwriting" and is analogous to what the 9/11 Commissioners refer to as "insurability." The act of underwriting requires underwriters to exercise judgment based on a clear understanding of the hazards associated with each kind of coverage as well as adverse selection,16 moral hazards17 and correlated risk facing various entities in the private sector.18

In deciding whether to issue an insurance policy, the underwriter gathers information from many sources, including the application itself, the recommendation of the agent or broker who accepts the application, insurance company inspectors and engineers, private inspection companies, and other insurance industry support organizations that maintain centralized files for certain types of risks.

15 For example, insurers generally use a four-test criteria to determine the insurability of risks (i.e., whether to underwrite a risk): (1) calculability of the risk, which refers to the presence of sufficient loss data to statistically estimate the chance of future losses and possible variations from the estimate; (2) certainty of loss, which refers to the ability to define the loss that has occurred; (3) the absence of catastrophic potential or the possibility that the losses may be of sufficient magnitude to destroy the financial stability of the insurer; and (4) whether insured losses are accidental rather than intentional.
16 Adverse selection occurs when the insurer cannot distinguish between the probability of loss for different risk categories. The insurer loses money on a policy if only poor risks purchase the coverage.
17 Moral hazard occurs when there is a tendency of insurance protection to change the behavior of the customer such that the policyholder does not try to avoid misfortune, and may act to bring it on.
18 Correlated risk occurs when there is the simultaneous occurrence of many losses from a single event. The impact of correlated risks is the possibility of insurer insolvency.

Underwriters also rely on various standards and procedures. Using data and other information generated internally or from insurance support agencies, insurers typically publish internal underwriting company guidelines and pricing charts that help underwriters perform their job in a manner consistent with the company's business strategy. In support of this industry-wide practice, the A. M. Best Company publishes the Best's Underwriting Guide for Commercial Lines and Best's Loss Control Engineering Manual, which are technical guides designed for insurance inspection, underwriting, loss control, and safety engineering personnel. These guides cover more than 700 risk classifications, offering information on loss exposure and loss prevention in various categories of businesses that are covered by the different types of property and casualty lines of insurance.

As an illustration, an insurance underwriter reviewing an application for insurance from a barber shop might refer to the Best's Underwriting Guide for Commercial Lines under Standard Industrial Classification (SIC) code 7231 (beauty shop) or SIC 7241 (barber shop) to obtain the standards that might apply to the various risks facing these businesses. In this case, the underwriter might refer to the Guide and determine whether the barber shop's cleaning supplies and hair solutions are in compliance with NFPA 30, Flammable and Combustible Liquids Code. NFPA 30 covers the storage, handling, and use of flammable and combustible liquids, including waste liquids.

Building from the 9/11 Commission recommendation and the above illustration of the role standards play in business practices, DHS could encourage insurers, advisory organizations and rating bureaus to consider integrating the NFPA 1600 Standard into their underwriting and pricing schemes so that the private sector -- reflecting the 700 risk classifications -- could undertake efficient risk management processes and hence be better prepared to respond to emergencies. Businesses that comply with the standards set by insurers might be granted less expensive insurance rates.

Standards in Insurance Underwriting and Pricing

Major insurance industry participants, including insurers, trade associations, advisory organizations, and rating bureaus, already support the establishment of emergency preparedness management and business continuity planning standards for individuals and businesses. Four examples of activities might be presented.

First, with respect to potential cyber attacks, the insurance industry currently plays an important role in securing cyberspace by creating national standards for risk-transfer (insurance) mechanisms,19 working with the government to increase the awareness of cyber risks20 and collaborating with leaders in the disaster preparedness industry to promote best practices for businesses.21

19 [http://www.securityfocus.com/news/361], visited October 25, 2004.

Second, the Insurance Services Office (ISO) administers the Public Protection Classification (PPC) program, which grades a community's public fire protection capabilities.22 Under the PPC program, each local fire department's firefighting capability is ranked on a scale of 1-10 under ISO's Fire Suppression Rating Schedule (FSRS). Each community's insurance rates are based, in part, on this FSRS rating. The FSRS includes factors such as water supply and whether its fire fighters are full-time paid employees or volunteers.

The PPC program has played a critical role in the property and casualty insurance business and the availability of affordable homeowners' and commercial property coverage. Virtually all U.S. insurers of homes and business property use ISO's PPC to establish appropriate fire insurance premiums for residential and commercial properties. The ISO classification is correlated to actuarially derived rating factors used in setting fire insurance premiums. The rating factors are developed using historical loss experience data and represent a relationship between loss experience and the PPC.

Third, the use of ISO's Building Code Effectiveness Grading Schedule is another way in which emergency preparedness standards are incorporated into insurance underwriting and pricing. In the 1980s, the insurance industry discovered that the level of building code enforcement affected the cost of claims. However, it was not until Hurricane Andrew in 1992 that a new organization, the Insurance Institute for Property Loss Reduction (IIPLR), launched a study to develop better wind and seismic building codes so structures could better withstand the force of storms and earthquakes.

The work of the IIPLR led to the development by ISO of a building code compliance rating system, similar to the fire protection rating system. The ISO Building Code Effectiveness Grading Schedule (BCEGS) assesses the building codes in effect in a particular community and the community enforcement of these codes. The BCEGS takes into account factors such as (1) the size of the community's building code enforcement budget relative to the amount of building activity; (2) the professional qualifications of building inspectors; and (3) past code enforcement levels.
By incorporating the BCEGS into the underwriting and pricing process, communities have incentives to undertake mitigation activities such as the use of certain roofing material, the installation of hurricane shutters, and the identification of appropriate load combinations for buildings.

20 [http://www.propertyandcasualty.com/content/news/article.asp?docid={0981135a-fe11-4684-ae57-cf909d5d6e18}&VNETCOOKIE=NO].
21 See [http://www.tripwiresecurity.com/press/pr.cfm?prid=49], visited October 25, 2004.
22 The Insurance Services Office, Inc. (ISO) is a private, independent organization that provides statistical and actuarial information, policy forms and related services to insurers. ISO also serves insurance regulators, fire departments, and other organizations that provide information about risk. For more information on ISO's PPC, see [http://www.iso.com/products/2400/prod2403.html], visited October 4, 2004.

With the availability of BCEGS, insurers and state insurance regulators combined forces under the auspices of the National Association of Insurance Commissioners (NAIC) to develop and encourage states to adopt model insurance laws, regulations and guidelines on building codes. Insurers now offer discounts on property insurance premiums to property owners and businesses located in communities with enforced, up-to-date building codes that conform to BCEGS standards. Communities with a BCEGS grade of 1 (reflecting exemplary commitment to building-code enforcement), for example, can demonstrate better loss experience, resulting in lower insurance premiums. The BCEGS program was initially implemented in states with high wind (hurricane) and seismic exposure, but now is available throughout the rest of the country.

Fourth, since the early 1900s, the construction industry has attempted to formulate standardized practices for every aspect of the building industry, and the insurance industry recognizes those standards in its insurance policies and pricing schemes.23 In fact, the first model building codes in the United States were developed in 1905 by the National Board of Fire Underwriters, an insurance industry organization.

Potential Issues for Congress

Several potential insurance-related issues could arise as policymakers consider the 9/11 Commission's recommendation on emergency preparedness and business continuity standards in the private sector.

First, if the 9/11 Commission recommendations on private sector emergency preparedness and business continuity standards are implemented, will the federal government broaden the scope and meaning of insurability to enhance future private sector preparedness? While the 9/11 Commission did not recommend a federal mandate to the states to have insurers insert NFPA 1600 Standards into policies and underwriting guidelines along with an appropriate actuarial-based reduction in rates or preferential risk treatment, such an unintended regulatory and legal scenario might emerge in the future.24 What are the implications for state insurance regulation of insurance underwriting and pricing should the states adopt the NFPA 1600 standards?

Several things are known about insurance regulation, particularly with respect to rates: (1) insurance is regulated by the states; (2) the rate regulation process -- i.e., prior approval vs. open competition -- may vary for different kinds of insurance within the same jurisdiction; and (3) states may change the method used to oversee rates for a given kind of insurance if market conditions change.25 Thus, depending on the type of rate regulation system in a particular state, a regulator could require a reduction in rates to reflect adoption of certain standards. Could this reduction in rates be judged a federal mandate, given that the DHS might instruct insurers to consider NFPA 1600 in their pricing and underwriting system? What would be the role of Congress to resolve this matter, given the existence of the McCarran-Ferguson Act of 1945 that delegates the regulation of the business of insurance to the states?

23 For more information on ANSI-accredited NFPA 5000, Building Construction and Safety Code, see [http://www.contractormag.com/articles/newsarticle.cfm?newsid=126], visited October 25, 2004.
24 Congress specifically reaffirmed the authority of states to regulate the insurance industry when it enacted the McCarran-Ferguson Act of 1945 (PL 79-15; 59 Stat. 33, March 9, 1945). Thus, under current law, the regulation of the business of insurance in the United States is carried out at the state level, and this business is substantially exempt from federal antitrust laws.

From an insurance company perspective, it makes good business sense to provide insurance services and price and sell policies that incorporate elements of emergency preparedness and business continuity standards. The reason is simple: a reduction in potential losses through emergency preparedness standards could lead to lower claims for insurance companies.

Any federal involvement (or perception of involvement) in insurance rate-making (regulation) would be widely viewed as a departure from the stance the Congress has taken since the enactment of the McCarran-Ferguson Act of 1945 that leaves the regulation of the business of insurance exclusively to the states. Since 1945, Congress has on several occasions investigated the availability and affordability of insurance and the efficiency and adequacy of state insurance regulation, but chose to leave things as they are without intervening in state rate regulation. State insurance regulators have always responded to congressional concerns in such a manner as to avoid congressional intervention in the state insurance regulatory process.
Second, insurers have a long way to go when it comes to assessing the link between terrorism risk and adoption of emergency preparedness standards in a non-anecdotal manner. While terrorism modeling has come a long way since 9/11, it is no substitute for the actuarially credible data on which most insurance rates are based (potentially millions of observations over extended periods of time). Instances of major terrorist attacks, especially in the United States, are few. The only three data points in the United States are the two World Trade Center terrorist attacks and the 1995 Oklahoma City bombing (domestic terrorism). While it stands to reason that the risk mitigation measures taken by businesses -- i.e., compliance with NFPA 1600's emergency preparedness and business continuity standards -- would likely reduce the probability and severity of some types of attacks, it is unclear if the aggregate risk would be reduced (shift to soft targets, different means of attack, etc.). The dynamic strategies of would-be terrorists are impossible to fully insure against -- in contrast to insuring against natural disasters. Given their fiduciary and regulatory responsibility to shareholders, most insurers are not likely to voluntarily reduce rates without data that quantify the level of savings that can be achieved with the adoption of standards designed to reduce aggregate risk. Could this situation hamper the full adoption of standards within the insurance industry?

25 State insurance regulators have adopted several methods of regulating insurance rates that fall into two categories: "prior approval" and "competitive." Prior approval means the insurer must file the rates with the regulator and obtain approval before using them in the market. Competitive rate regulation allows insurers to adopt new rates without having to wait for regulatory approval, albeit rates must still be filed with the regulator.
Third, the linking of emergency preparedness and business continuity standards to insurability, which appears to be what the 9/11 Commission envisions although not specifically mentioned in the 9/11 Report, would work only if individuals and businesses have incentives to engage in voluntary mitigation action. Most experts observe that these actions would occur only when individuals and businesses have knowledge and belief that a significant risk exists, they measure the cost and benefit of taking steps to reduce losses, and then decide to act in order to be prudent.

The point here is that any effort to enhance the nation's emergency management response capabilities by linking emergency preparedness and business continuity standards to insurability (underwriting and pricing) must involve committed individuals and businesses. Two fundamental issues are (1) what incentives would most likely motivate private individuals and businesses to engage in voluntary mitigation action; and (2) at what expected loss level or threshold does the mitigation of risks shift from being a set of private mitigation decisions to the level of a public problem possibly requiring federal regulation? That is, should the government set the primary standards for mitigation risks?

Experts in the disaster and insurance arenas generally agree that voluntary action by individuals and businesses is necessary in order to reduce disaster risks. Voluntary action is likely to occur when there is knowledge and belief that a significant risk exists, and when the following criteria are met:

- the risk is large when compared to other issues that demand attention and resources;
- there are significant incentives (i.e., premium or deductible reductions or both) to warrant a decision to invest in mitigation action; and
- the risk of loss cannot be transferred to others (i.e., insurance and/or government relief not available).
Finally, representatives of the business continuity industry note that before insurers can effectively implement the NFPA 1600 standards, policymakers, business leaders, and insurers must address the specific reference to business continuity planning (BCP) in the standard itself.26 BCP is a comprehensive process that includes disaster recovery, business recovery, business resumption, contingency planning and crisis management. Some business continuity experts have argued that business continuation is embedded within emergency management and disaster recovery planning provisions of the standard. From an insurance company perspective, more refinement of the NFPA 1600 might be needed that includes features of business continuity planning that an insurer can more readily adopt in its underwriting and pricing schemes.

Given the demonstrated expertise insurers possess in working with the building industry and other industries in the private sector, the DHS could encourage insurers, insurance industry associations, advisory organizations and rating bureaus to integrate NFPA Standard 1600 into their marketing, underwriting, and pricing schemes.

26 [http://www.davislogic.com/NFPA1600.htm], visited October 25, 2004.

Conclusions

The September 11, 2001 terrorist attack on the World Trade Center exposed vulnerabilities in the private sector's ability to respond to and recover from emergencies and disasters. According to the 9/11 Commission, this vulnerability stems in part from the lack of a widely acceptable national standard for emergency preparedness and business continuity planning in the private sector. It was not surprising that the 9/11 Commission alluded to the insurance industry. The insurance industry is a major source of post-disaster recovery financing and insurers are accustomed to either using or getting other customers to use standards in their normal business practices.
The Department of Homeland Security (DHS) was designated to take the lead in encouraging the insurance and credit-rating industries to voluntarily consider a company's compliance with NFPA 1600 when assessing insurability and creditworthiness. The 9/11 Commission, however, did not provide guidance on the meaning of "insurability" or how an emergency preparedness standard might be integrated into insurance underwriting and pricing systems.

The key to understanding this 9/11 Commission recommendation rests with a grasp of the connection between the insurability of risk and standards. The term "insurability" refers to the process by which an insurer sets a premium that accurately reflects the applicable risk. While the setting of an insurance premium is important, the marketability of policies that incorporate NFPA 1600 Standards is equally important. There must be market demand for the policy if it is to be offered by an insurer.

One way to effect demand for a policy that indirectly requires businesses to adopt emergency management preparedness standards might be through the imposition of those standards by government regulation, by financial institution requirements or both. Another way to stimulate demand would occur naturally by the reaction of potential customers who are risk averse and are willing to pay a premium for protection against a large loss.