TRIA and Terrorism Risk Mitigation: A Business Protection Overview

The Terrorism Risk Insurance Act (TRIA) [1], originally enacted in 2002, and twice extended by Congress (2005 and 2007), is scheduled to expire at the end of 2014. TRIA was enacted following the tragic 9/11 attack on the World Trade Center and Pentagon. The program is credited with stabilizing property insurance markets and the U.S. economy by providing federal financial protection should international terrorists mount a major attack on another domestic target – a significant benefit with minimal federal cost.

Fortunately, the TRIA financial backstop has not been activated since its inception, but it nonetheless remains an essential financial risk management tool for large and small businesses alike. As the congressional discussion about TRIA reauthorization intensifies in 2013 and 2014, questions may arise about steps business owners can take to protect their property against terrorism and the role of TRIA in these efforts.

This article provides business owners and commercial policyholders with a brief overview of TRIA and the relationship between terrorism risk, property protection mitigation, insurance, and TRIA. Although these issues are not as prominent as they were immediately following the 2001 attack, they remain an important element of a comprehensive business protection plan and our overall national security strategy.

TRIA in Brief

TRIA provides federal financial protection for large terrorism events. As a general matter, this would include attacks certified by the federal government that result in more than $25 billion to $30 billion in insured losses. Once the program is activated, financial responsibility is shared between the public and private sectors in a manner that allows insurers to respond quickly to policyholder claims, while assuring that federal payments are returned to the U.S. Department of the Treasury through a recoupment mechanism.

TRIA was put in place because of the unique difficulty that private insurers have in underwriting terrorism insurance. Unlike natural catastrophes such as hurricanes and earthquakes, most of the information private insurers need to understand and assess terrorism risk (essential elements to provide appropriate coverage) is rightly classified for purposes of national security. Moreover, unlike natural hazards, terrorist methods constantly evolve, and comprise intentional acts designed to maximize both direct and indirect/collateral damage. Intentional acts are very different in fundamentally important ways from fortuitous events, such as those wrought by Mother Nature. For example, unlike Mother Nature, terrorists can and will alter methods and targets where an original target has been hardened or otherwise protected.

Without TRIA, commercial policyholders, particularly in large urban areas, near landmark properties, or involved in critical infrastructure, would have trouble securing insurance coverage. This in turn would cause real estate and financial conditions to deteriorate – a situation that would be compounded should terrorists achieve their goals by mounting another successful attack.

Can Mitigation Reduce Terrorism Risk?

While much of the legislative discussion concerning the enactment and extension of TRIA has focused on its terrorism insurance aspects, questions also have arisen about whether it is possible to reduce terrorism risk through mitigation measures analogous to those used to reduce vulnerability to natural catastrophes.

The Insurance Institute for Business & Home Safety’s (IBHS) mission is to reduce losses due to natural and man-made disasters by building stronger, more disaster-resistant buildings; developing business continuity and recovery programs; and making individuals, businesses, and communities more resilient in the event of loss. As an organization dedicated to identifying building science solutions and communicating about effective mitigation techniques, IBHS would like to be able to state categorically that mitigation is the key to the availability and affordability of terrorism insurance and can obviate the need to extend the TRIA program. Unfortunately, this is not the case.

While progress has been made in identifying and implementing terrorism mitigation measures, terrorist events present unique challenges. As a result, even after best efforts to reduce the potential for loss, many businesses retain such significant and unpredictable risk that terrorism is considered uninsurable by private insurers, as discussed below.

Unique Challenges in Reducing Terrorism Risk

Federal Role in Prevention

Terrorism is not directed at the owners of individual businesses or buildings; instead, terrorists seek to attack U.S. political, economic, and cultural systems. As such, a large part of the responsibility for prevention against, preparation for, and response to terrorism lies with the federal government as part of homeland security. This also means that privacy, broader national security interests, and other societal constraints restrict private sector intelligence gathering and the implementation of terrorism countermeasures.

Fortunately, since September 11, 2001, there have been no additional, major terrorist attacks within the United States. However, the tragic September 11, 2012 attack on the U.S. diplomatic mission in Benghazi is yet another graphic reminder of the continuing resolve of extremist militant groups to kill and injure Americans and destroy U.S. property. In addition, cyber-terrorism and nuclear, biological, chemical and radiological attacks remain very real and catastrophic possibilities.

Technical and Practical Limitations of Building Science

In light of the challenges related to obtaining 100 percent success in terrorism prevention, physical security enhancements can play a role in reducing both human and economic consequences of a terrorist attack. In this regard, the building science community has identified a number of design and construction criteria to protect and strengthen buildings. [2]

As a general matter, there has been progress over the past decade in improving physical protections against potential terrorist attacks. Yet, it is important to recognize that there are substantial limitations to protecting property against the massive terrorist attacks to which TRIA was designed to respond. For example:

  • while many natural disaster mitigation standards are broadly applicable across building types and large geographic regions, security against terrorism tends to be much more site- or structure-specific, meaning that it is more difficult and expensive to identify and implement solutions;
  • many landscape and layout recommendations that have been identified by experts as providing protection against terror attacks are not feasible in an urban setting, where population densities may make a terrorist attack more costly and more deadly;
  • blast protection devices may be ineffective if the pressures exerted on a building by a massive explosion are too great; and
  • as is the case with natural disaster mitigation, terrorism mitigation must take a systems-based approach, rather than simply strengthening individual components that may still allow a building to fail if subject to a terrorist attack; this also makes solutions more expensive and harder to apply to existing buildings.

Continuity Planning: Imperative but Insufficient

In the event that terrorists break through protective defenses, continuity planning can reduce the economic and psychological costs of an attack, thwarting terrorist objectives to inflict maximum direct and indirect damage. Indeed, business continuity experts believe that following a terrorist attack or other major crisis, resiliency planning may determine whether an individual business rebounds, declines, or disappears – depending on such critical factors as maintaining its customer base, retaining staff, improving morale, stabilizing operational expenses, strengthening reputation and brand, reducing liabilities, and developing a competitive edge over peers that fail to adequately prepare. That said, continuity planning alone cannot fundamentally reduce or alter the unique characteristics of terrorism risk so that it can be fully managed by private insurers.


To help business owners create a comprehensive and effective disaster recovery plan, IBHS has developed the OFB-EZ® (Open for Business-EZ) program, a free business continuity tool which guides small businesses through the process of developing a business continuity and property protection plan. By helping reduce potential losses and downtime in the event of a terrorist attack or other disaster, business continuity plans reduce the impact and severity of any business disruption, potentially making the difference between business survival and closure. Rather than accept closure and the income losses a business disruption brings, an OFB-EZ® plan can help identify alternatives that allow business to continue functioning in a different location or with different business processes.

A Hybrid Approach Should Include All Mitigation Options and TRIA

Recognizing that no individual or organization can truly be ready for a terrorist attack, building science technology, continuity planning, and financial risk management can be combined to create an integrated preparedness and response strategy. The Homeland Security Advisory Council is among the terrorism experts that have advised that implementing these combined preparedness measures may perform better than any single option, at potentially lower overall costs.

Central to this hybrid approach is the protection provided by the high-level federal backstop in TRIA. Since 2001, the U.S. government has made significant investments in terrorism prevention, and there have been improvements in both building science and continuity planning. Continued improvements in mitigation and recovery optimization are possible. Unfortunately, terrorists seeking to damage the American way of life also have evolved in response to improved prevention and loss reduction measures.

Because TRIA is designed as a layer of coverage beyond what is available in the private insurance and reinsurance markets, the program triggers are set at a level that has been estimated to correspond to an event that is at least as damaging as the 9/11 attack on the World Trade Center. Realistically, the destruction from such a massive attack may not be significantly reduced by loss control measures that are practicable or cost-effective to implement. This is not a reason to abandon mitigation or initiatives to create a preparedness culture, but rather recognition that a comprehensive terrorism risk management strategy should include the federal financial risk management component provided by extension of TRIA in 2014.

[1] When enacted in 2002, the statute was named the Terrorism Risk Insurance Act of 2002 (TRIA). When extended in 2005, it was renamed the Terrorism Risk Insurance Extension Act of 2005 (TRIEA), and in 2007, renamed the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA). To simplify the acronyms, this article uses the consistent term TRIA for all three statutes, which share the same overall structure and purpose.

[2] See, for example, the Federal Emergency Management Agency’s (FEMA) Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings (FEMA 426, December 2003), which includes “how-to” guidance with respect to site and layout considerations; building design; internal systems; chemical, biological, and radiological (CBR) detection and protection mechanisms; and evacuation routes. Other publicly available sources for terrorism mitigation information include the American Institute of Architects; the American Society of Civil Engineers; the International Code Council; the National Council of Structural Engineers Associations; and the National Institute of Standards and Technology.