My colleague Stewart Baker has written about Stuxnet, an impending cyber-threat to U.S. infrastructure. Some companies are starting to ask how they can prepare for this and related threats. That raises a broader question: what are the practical measures companies can take to prepare for emergencies?
Aside from posts on Security Debrief (see my own as well as those by Cooper and Conners), surprisingly little attention has been given to DHS’s pragmatic private sector preparedness program. PS-Prep, as that program is known, allows businesses of all stripes to become certified as meeting DHS-approved emergency preparedness standards. The program has potentially enormous consequences across the entire private sector. Since virtually all businesses care about money, it’s worth underscoring two related ways in which the PS-Prep program can affect the bottom line.
First, it’s likely that insurance companies will start weighing certifications when assessing risks and fixing premiums. When you insure your home, for example, the insurance company’s assessment of risk and your insurance premium often are affected by considerations such as whether you have a burglar alarm, fire alarm or both. PS-Prep certifications for businesses will likely function in much the same way: a business’s insurance premium may be lower or higher based in part on whether the business has been certified under PS-Prep.
Second, after emergencies, companies sometimes face litigation and government investigations. People who have been physically or financially damaged typically assert that more should have been done to prepare for the emergency. The aftermath of the September 9 pipeline explosion in San Bruno, California provides a recent example. That explosion, which killed eight people and caused massive property damage, is the subject of lawsuits and government investigations. A Senate panel recently focused on the pipeline company’s response to the explosion, with California’s Senator Boxer saying that, “it doesn’t sound to me that there was a response plan in place that actually functioned.”
The massive oil spill in the Gulf of Mexico is another obvious example of an emergency followed by lawsuits and government investigations. In both cases, an emergency response plan certified to DHS standards could have been of substantial help to companies defending against allegations that their response plans were deficient.
Indeed, one reason that insurance premiums may be lower for companies certified under PS-Prep is that certifications can improve litigation odds. If a company has to prove that response plans were adequate, a certification that the company met DHS standards can be a powerful element of proof.
A month of headlines from any major news outlet will include stories about disasters of various sorts. With that in mind, businesses should consider how to utilize PS-Prep.
