Indeed, an investigation into what business is doing to improve security and business continuity in the wake of last September's devastating assault suggests that last fall's consensus estimate of $75 billion in private sector security outlays was, if anything, a bit conservative. Admittedly, some $35 billion in spending–in the form of increased premiums on various forms of insurance–comes as less than voluntary. But experts agree that the expenditures have moved away from the initial reflexive rush for quick fixes and essentially mandatory items–hiring more security guards, buying more surveillance cameras and erecting better fences–to making systemic improvements.

Tom Cavanagh, a senior researcher at The Conference Board, a business-funded think tank, says companies are buying everything from back-up computer systems to new buildings to help them disperse their operations and key personnel. "What you're starting to see now are longer term expenditures," he says.

That $75 billion, combined with another $50 billion to $75 billion in government spending at all levels, works out to be close to 1.5% of GDP. Says Peter Orszag, a senior fellow at the Brookings Institution: "That's not likely to have a very serious impact on a $10 trillion economy, but it's not bupkes either." Certainly, at the corporate level where increased spending on security and business continuity is trending toward 5% of corporate operating budgets at typical companies, according to a recent Deloitte Consulting survey, the hit against already shrinking profits for most is creating even more headaches for over-stressed CFOs.

What's more, security spending is likely to continue at high levels. Deloitte's study indicates that next year's levels may be this much or more–anywhere from $46 billion to $77 billion, excluding increased insurance costs–as many companies get into a position to implement some of their more long-term structural alterations to business as usual.

According to Cavanagh, some companies are now establishing a new senior executive position: chief security officer. This top-level manager would oversee all elements of security, from the guards at the door to business continuity planning and supply line protection. "It's something we find a lot of companies now contemplating," says Cavanagh. AOL Time Warner Inc. was among a handful that moved quickly, hiring its first CSO shortly after the attack on the Twin Towers.

Security Line Item

With expenditures running high and many companies looking at reorganizing their security operations into one functional department, the heading "security" may even start showing up as a line item on company books, accounting industry experts say–at least at those corporations that opt for a functional approach to accounting. "Once a functional category is large enough relative to other operations, it may get a separate line," says Roman Weil, an accounting professor at the University of Chicago Graduate School of Business.

Indeed, in some regulated industries, such as utilities or companies producing hazardous chemicals, regulators could require such a categorical listing. "Some companies resist doing this kind of thing because it gives inside information to their competitors," says Weil. Of course, knowing how much different companies in an industry are spending on security might be of interest to potential terrorists, too.

Understandably, companies that actually felt the hit last September tend to be a little ahead of the pack in preparations. For instance, at the U.S. headquarters of the $49 billion French bank BNP Paribas in New York, Robert Fucito, head of crisis management and business continuity, says the key lesson of 9/11 was "being prepared and planning for the worst case scenario." Today, he says, the company has identified that worst-case scenario as "loss of access to both our buildings in lower Manhattan for up to three days, or loss of one building permanently, with loss of life." In preparation, the company has spent some $250,000 this year on consulting fees, increasing its reliance on electronic records, which will now be stored outside of New York City, and setting up a system that enables it to run all operations out of either of its two Manhattan buildings. Last September, the company's back-up data was in its main World Financial Center offices, from which staff was barred for several days.

Still, BNP Paribas was lucky. When the Twin Towers collapsed, the company switched operations to a building on the east side of lower Manhattan, which it acquired when BNP bought Paribas two years before. "We were able to send most people home, while key people went over to our building across town, where we closed out all positions before the end of the day," says Fucito. Plans to sell that east-side office building have since been scrapped. Instead, the office space has become an integral part of the company's security and business continuity plan.

Crisis planning is now much longer-term, too. "Our old plan was for 10 days," says Fucito. "Now we are doing crisis planning for six months or longer–enough time to allow us to find new space." The company also goes as far as to conduct two full-scale business continuity drills a year: Employees walk down 30 flights of stairs and then rendezvous at a prearranged gathering point.

In its survey of 300 companies, Deloitte found that there is an expectation that security costs will level off in 2004, though there may be another escalation in 2005. "This is typical of technological change," says Lynda Taskett, a Deloitte partner who headed up the study. "Whenever you put in a new solution, it takes a year or more to shake out the problems. Then, you have to reinvest and upgrade to fix those problems."

Deloitte, which maintained offices in lower Manhattan, was directly involved in the disaster. It lost one employee, who was in the World Trade Center when the planes hit, and suffered almost $250 million in lost income. "When you look at a number as large as that, you can see that you can set the limit on what should be spent on security and business continuity planning pretty high," says Taskett.

But even though recent months have seen a renewed corporate commitment, many still worry that some key industries have failed to allocate adequate funds for the task–a case still of more talk than action. "My sense is that everyone these days is security conscious, but when it comes to continuity planning, more is being discussed still than is being done," says David Gluckman, a property costs engineer at Willis.

Doing Enough

"Companies have a lot to worry about now," acknowledges David Wyss, chief economist at Standard & Poor's Corp. "The economy has slowed, and some companies may be more worried about their auditors these days than terrorists. Most companies are better prepared for another terrorist hit than they were in September [2001], but there are some industries-chemicals, petrochemicals and utilities, for example-that haven't done enough." In general, Wyss thinks that private sector spending on security should be running "about 50% higher" to get the job done adequately.

Some in Washington agree. In fact, Congress is considering the Chemical Security Act, which would force security and safety mandates on the chemical industry. One red flag for politicians: At least 100 plants that produce deadly chemicals are located in areas with populations of one million.

Strongly opposed by the industry, the bill has made it through the Senate Environment and Public Works Committee and is expected to make it to the Senate floor this term. It has yet to be considered by the House.

While U.S. businesses still seem to be feeling their way to a definition of what constitutes adequate security, a new paradigm is developing in which threats of terror and disruption become a given in the nation's business environment, much as they are in other parts of the world. And any way you slice it, for harried CFOs, that translates into a little more pressure on that increasingly tenuous bottom line.