Terrorism Risk and Insurance
A Look at the Insurance Industry's Response to Changes in Terrorism
February 2017 | By Ingrid Sapona
Terrorism has evolved in a variety of ways. In the 1990s and early 2000s, most terrorism attacks that made the international news were perpetrated by organized, recognized groups like Al Qaeda, Hezbollah, and so on. The 9/11 attack in the U.S. is an example of such terrorism. More recently, terrorist attacks have been carried out by lone attackers (or small groups of attackers), for example, the Boston Marathon bombing and the October 2014 attack on Parliament Hill in Ottawa). Such attacks are typically not organized or directed by a particular terrorism organization. Instead, they are often described as “inspired by” some terrorist group’s rhetoric or ideas. Often these terrorists are individuals who are self-radicalized, meaning these individuals were drawn to a known terrorist organization through the writings and videos released by known terrorist organizations.
The methods used by terrorists and the targets have also evolved. With 9/11 style attacks, terrorist organizations often chose high explosive attacks on high-value targets or symbols. As Aon points out, armed attacks have overtaken bombings as the main terrorist tactic in Europe. From 2010-2015 the vast majority of attacks in Western countries were perpetrated by bombings. Since the beginning of 2015, however, 52% of attacks in western countries have been armed attacks, while 30% have been bombings. And, when bombs have been used (for example the March 22, 2016 attacks in Brussels at the airport and at a metro station), they are often smaller bombs, making it harder to detect through purchasing of bomb-making materials. Another noteworthy phenomenon has been the increased use of concurrent attacks (like the March 2016 Brussels attacks), sequential targeting, and mixing of suicide devices with active shooter attacks.
In terms of targets, more recently, terrorists have targeted civilians rather than the state. According to Aon, terrorists “appear to be placing an increasing emphasis on targeting societies rather than states, and aiming to inflict more casualties ….” Indeed, “the venues of the worst attacks in 2015 were clusters of civilians: mass transportation, bars & restaurants, entertainment venues, hotels and tourist resorts.” The Risk Advisory Group, which has partnered with Aon in creating a Terrorism and Political Violence Map since 2007, reports that during the first three quarters of 2016 they recorded 502 attacks against public gatherings. The geographic reach of terrorism is also evolving. The Middle East is still the most active region for terrorism, with 40% more attacks than the most active region of South Asia. But, according to Aon, though attacks have fallen in Western countries, 2015 was the most lethal year for terrorist violence in Europe in nearly a decade. Aon cites the Islamic State (IS) as the major driver behind the spread of instability far beyond the group’s territorial control in parts of Syria, Iraq, and Libya, noting that "the group or its followers have mounted mass-casualty attacks against the United States, France, Belgium and Russia over the past year."
The shift in terrorist focus from traditional targets like military, police, and government interests to civilians raises the risk of terrorism on businesses. Indeed, certain business sectors have been particular targets, including transportation, retail, extractive industries, critical infrastructure, and the financial sector. With terrorism attacks aimed at civilians, the direct damage to property is often relatively minimal, but high in terms of lives and suffering. As well, such attacks can bring indirect costs to businesses due to business interruption.
Terrorism is generally excluded from standard liability policies (like CGL policies). Given the evolution of terrorism and the increased possibility of a terrorist attack on civilian targets, businesses and organizations should be considering their exposure and taking steps to mitigate their risks. Obviously, terrorism insurance is one tool to transfer the risk. But, the take-up rate for terrorism coverage is pretty low in Canada, according to James Gregory, Regional Director of Aon Risk Solutions’ Crisis Management group in Toronto. Though he did not provide specific statistics about the general take-up rate in Canada, Gregory noted that certain Canadian businesses definitely are concerned about the risks. “In fact, to the best of our knowledge, the largest aggregation of terrorism insurance in the word is in downtown Toronto,” says Gregory. When asked why it might be that there’s such a concentration of terrorism insurance coverage, Gregory suggests it is due to the relatively low cost of terrorism insurance.
Information about the take-up rates for terrorism insurance published by Marsh shows there’s quite a variation depending on industry and region. According to Marsh, for example, in the U.S. in 2015, media companies have purchased property terrorism insurance at a higher rate than any other industry. The take-up rate for media companies was 79%. The next highest take-up rate in the U.S. was education (75%), hospitality and gaming (74%), health care (73%), financial institutions (71%), real estate (71%) and power & utilities (70%). Interestingly, in the U.S., the 2015 take-up rate for energy and mining was only 33% (down from 47% in 2013). In the U.S., take-up rate by region was pretty steady from 2012-2015: the rate in the Northeast was 72%, while it was lowest in the South (54%) and 57% and 59% in the Midwest and West, respectively.
Insured losses resulting from the 9/11 event were about $32.5 billion. Because much of the financial cost ended up being borne by reinsurers, after 9/11 many withdrew from the market, and primary insurers ended up excluding terrorism from their policies. So, businesses were not able to purchase terrorism coverage. To “help ensure the continued widespread availability and affordability of commercial property and casualty insurance for terrorism risk, and to allow for the private markets to stabilize and build insurance capacity to absorb any future losses for terrorism events,” in 2002 the U.S. Congress enacted the Terrorism Risk Insurance Act (TRIA).
TRIA required insurers to make terrorism insurance available for commercial property and casualty losses resulting from certified acts of terrorism and provided a “shared public and private compensation for such insured losses.” In effect, "TRIA made the government an insurer of last resort; a reserve partner to help pay insurance claims resulting from large-scale terror attack … but only after affected businesses and insurance companies have paid their insurance deductibles." As a result, in the U.S. insurers must offer terrorism cover in all property and casualty policies on terms that are materially similar to those offered for other risks.
TRIA was extended in 2007 and again in 2015 under the name: the Terrorism Risk Insurance Program Reauthorization Act of 2015 (TRIPRA). The key triggers for TRIPRA (and its predecessor TRIA) are that:
- the terrorist act must satisfy the definition of an “act of terrorism”;
- the act must be “certified” by the U.S. Secretary of the Treasury with the agreement of the Secretary of State and Attorney General in consultation with the Secretary of Homeland Security, as qualifying within the Act’s definition;
- the terrorism event must involve losses that exceed a threshold amount ($140 million in 2017).
Interestingly, to date TRIPRA has not paid out because no act of terrorism has been certified.
The U.K., France, Israel, and Spain all have mandatory terrorism pools, while about 20 other countries have elective pools. Pool schemes allow property insurers to extend terrorism coverage based on the rules of the legislation that establishes the pool. Pool Reinsurance Company Ltd. (Poole Re) is the U.K.’s version. It is an elective scheme set up in 1993 after various terror incidents perpetrated by the IRA that made it hard for insurers and reinsurers to provide traditional terror cover. According to Pool Re, to date it has paid out claims of more than £600 million. Pool Re’s cover is on an “all risks” basis, including attacks involving chemical, biological, radiological, and nuclear (CBRN) devices to the full insured value. Cyber terrorism is still excluded, however.
There is no terrorism pool in Canada and Aon’s Gregory doesn’t anticipate one being established here because terrorism coverage is available. “Terrorism pools are typically set up when it’s difficult to buy such insurance in the regular market. … here in Canada I don’t think there’s an appetite by the Canadian government to set up a pool because terrorism insurance is readily available in the market,” Gregory says.
As with all insurance, the starting point for determining coverage is the definition – in this case, the definition of “an act of terrorism.” When looking for coverage, insureds should always consider how the policy defines terrorism. Under TRIPRA, for example, the definition of what constitutes terrorism is restricted to an event that’s certified by the applicable federal government authorities. If an act is not certified, it simply won’t meet the policy’s definition.
“From Aon’s perspective, we’ve developed our own definition of what an act of terrorism is and it’s quite broad. Under our definition it’s an act committed for political, religious, or ideological purposes,” says Gregory. Aon’s standard policy wording also includes coverage for sabotage, which is basically a subversive act committed for political, religious or ideological purposes.
Standard definitions of terrorism do not cover political risks, losses resulting from strikes, riots, civil commotion, rebellion, revolution, war and insurrection, or cyber-terrorism. But, broader definitions are available. “You can get a broader policy that provides coverage for riots, strikes, and civil commotion. That would cover, for example, damage caused by protesters surrounding a G20 event,” says Gregory. “The broadest version available would include war, civil war, revolution and so on. You can also add NCBR – nuclear, chemical, biological, and radiological risk, but that’s very expensive and capacity is limited,” he says.
Terrorism insurance can be bought for both first party and third party exposures. In Canada, businesses can take out standalone terrorism insurance or they can seek an endorsement to add it to their property policy. “Some insurers have treaty restrictions on their reinsurance that prohibits them from providing coverage for terrorism. In that case, they’d want a standalone policy,” says Aon’s Gregory.
By comparison, in the U.S., TRIPRA coverage is normally made available as part of an “all risk” property policy, but businesses can also purchase standalone property terrorism insurance. The most obvious benefit of a standalone policy in the U.S. is that the definition would not be limited to incidents that are certified by the federal government and that coverage can be bought for 100% of the losses incurred.
Another benefit of a standalone policy is that the limits available on standalone policies are often higher than might be available under an endorsement. Standalone policies can also have separate limits providing broader coverage for a specific location, for example, if a business had exposure in a part of the world potentially exposed to war that could be provided as part of a blended placement, coverage can also be purchased for multiple years. Coverage for business interruption can also be included. The wording for business interruption coverage would cover the specified period of indemnity set out in the policy.
Coverage enhancements available
As the types of terrorist acts are evolving, so too are the types of coverage enhancements being sought. For example, though the potential property damage from a terrorist attack might be relatively small (especially as compared to the property loss with the 9/11 attack, for example), the business disruption costs attributable to even a relatively small attack can be significant. If a government puts a region under curfew, or cordons off an area, for example, businesses in the area could be disrupted for an indefinite period.
Here are some of the coverage enhancements available:
Business interruption coverage – keep in mind that in the case of a terrorist attack, a business may not suffer direct physical damage but may end up being closed for a period because of a terrorist attack. Therefore, business interruption coverage claims that require direct physical loss or damage may not be sufficient.
Political violence coverage – this coverage can be separate, or part of a terrorism policy.
Extra expense for evacuating people due to a threat
Coverage for cancelled reservations
Coverage for cancelled events
Coverage for NCBR (nuclear, chemical, biological, and radiological risks) – the coverage is for incidents like anthrax and ricin attacks, viruses, and so-called dirty bombs, for example, where someone gets their hands on radioactive material and exposes others to radiation. Coverage for NCBR incidents is usually limited to a prescribed area, for example, a central business district, or perhaps within a 5-15 km (3-10 mile) radius of a specific location. The coverage is very expensive and not many insurers write it, according to Aon’s Gregory.
Active assailant situations – this is a relatively new type of coverage in Canada, says Gregory. “This provides coverage for incidents where someone arrives on the insured’s property with some sort of weapon and they are not politically motivated. Such policies pay for physical damage, costs related to psychological counselling of survivors, and loss of attraction. They even cover costs incurred to investigate threats made against the insured,” he says.
At this point, there are no particular underwriting issues related to terrorism insurance. For first party coverage, underwriters look for a schedule of values. The schedule should include information about what the assets are and where they’re located.
Terrorism insurance is relatively inexpensive. Terrorism coverage premiums generally are determined as a percentage of the premium for property insurance, and it’s “usually a small percentage of the premium,” according to Gregory. The percentage varies based on the industry the insured is in and the region the coverage is for. The median premium for terrorism insurance for companies in the U.S. Northeast – the most expensive region in the U.S. – was $29/million in 2015. According to Marsh, in the U.S., companies in major metropolitan areas are likely to pay a higher premium for their terrorism coverage. Interestingly, Marsh believes that the trend is to for terrorism insurance premiums to decrease and coverage to improve.
Managing and mitigating terrorism risks
When it comes to managing terrorism risk, businesses need to understand and assess their exposure to terrorism and related risks. Determining the risk is becoming more challenging because:
- the bar to committing a terrorist act is lower than ever before, and
- the spectrum of impacts has expanded, as mass casualty attacks are increasingly perpetrated with weapons rather than bombings.
The range of factors a business should assess when determining terrorism risks include:
- The attractiveness of the business or location as a terrorist target – consider the nature of the business, the ownership, the location of the business, the number of people on the premises, the attractiveness of adjacent businesses, and so on.
- Exposures related to particular assets and physical facilities – consider the level of security, the accessibility of entries, how sturdy structures are, evacuation plans, and so on.
- Financial exposures – consider the risk to capital, business disruption due to direct damage and from collateral damage, determine appropriate insurance limits and deductibles, and so on.
Businesses should also assess their crisis management framework in terms of its effectiveness in the event of a terrorist attack. For example, does the crisis management program address the investigation of threats, does it address evacuation procedures, does it address post-event psychological counselling for survivors, does it include an active shooter protocol, and so on.
There are a number of analytical tools and models that can help businesses assess their terrorist risk and determine how much terrorism insurance they need. Businesses can do the analysis themselves, or they can engage experts. Aon, for example, does Probable Maximum Loss (PML) assessments that involve quantifying and qualifying exposure to terrorism risk and such assessment can cover both potential property damage and potential bodily human costs. “PML assessments are a service clients pay for, but what they end up paying for the service can often be offset by premium savings they see as a result of purchasing a data-driven limit rather than guessing how much terrorism coverage they need,” says Gregory.
As Aon notes, terrorist attacks are now regarded as a foreseeable risk. While many businesses realize they may be exposed to property loss related to terrorism attacks, as terrorism has evolved, so have the risks. As a result, businesses should also consider their exposure to risks like business interruption due to terrorist acts, as well as first and third party exposures. For example, if a business doesn’t have an active shooter response protocol, or if it has one that is inadequate, it could face liability claims in the event of such an attack.
Businesses should work with brokers and risk experts to ensure they have realistically assessed their risks related to terrorism and to help them find ways of managing and mitigating the risks. Fortunately, the insurance industry’s response to terrorism has also evolved, so most Canadian businesses should be able to find relatively affordable terrorism coverage that meets their specific needs.