Risk briefing: Getting to grips with new business requirements to protect against terrorism

In the wake of the Manchester Arena bombing in 2017, when Islamic extremist Salman Abedi detonated a suicide vest at an Ariana Grande concert – killing 22 people while injuring many more – one victim’s mother began a movement.

After the incident, Martyn Hett’s mother, Figen Murray, was shocked to discover that the owners and operators of publicly accessible premises were not legally required to implement security measures to protect against terrorism.

Following a campaign led by Murray, as well as being influenced by a changing terrorism threat landscape, the UK government introduced the Terrorism (Protection of Premises) Bill, also known as Martyn’s Law or the Protect Duty, to Parliament on 2 May 2023.

What it means for businesses

Martyn’s Law is designed to protect the public in places where they congregate by placing requirements on venues to adopt resilience measures against terrorism. In the current draft form of the legislation, any venue with a capacity for more than 100 people that is being used for a purpose listed in the bill, such as entertainment, leisure, or food and drink, will have to comply.

A further enhanced tier of venues with a capacity for over 800 people will also be subject to additional requirements, such as taking measures to reduce the risk of a terrorist attack occurring and maintaining a security document informed by an assessment of terrorism risk.

The bill represents a significant shift in how businesses will be required to consider the risk of terrorist activity, with the insurance sector having an important role to play in facilitating increased resilience by taking the opportunity to educate insureds.

“Businesses that can clearly demonstrate the steps they’ve taken towards complying with the regulation may see improved underwriting terms”

Standard commercial and property policies usually exclude terrorism-specific cover, for example, and Martyn’s Law will create an increased demand for exactly this sort of insurance.

Insurers will also now need to examine to what extent businesses are complying with the regulation when underwriting any risks associated with terrorism – businesses that can clearly demonstrate the steps they’ve taken towards complying with the regulation may see improved underwriting terms, for example.

Lucy Dennison, legal director at DAC Beachcroft, explained: ”If [an insured] presents [its] risk and can demonstrate compliance with the act, then that could be seen very positively by insurers.”

Positive development

The Protect Duty is expected to become law at some point during 2024, with the government affirming its commitment to the legislation during the King’s Speech in November 2023.

In March this year, a Home Office consultation on a more proportionate approach for those businesses falling into tier one was concluded. The results of the consultation have yet to be published.

Commenting on the potential ramifications of the bill coming into force, DAC Beachcroft partner Duncan Strachan noted that the bill does not create a statutory duty for “claimants to seek damages based on any failure to meet the requirements in the bill”.

Rather, Martyn’s Law is an exercise in clarifying that organisations have a duty to look after the public, a requirement that Strachan said “existed already”.

 ”Now’s a good time for insurers, risk managers and brokers to think about what their liability policies cover and whether there is cover for terrorist attacks included.”

He added: ”The legislation is there as a positive thing to try to help organisations understand what they need to do [to] keep the public safe – to prevent an attack, during an attack and after an attack.

“It should be seen as a good thing – it doesn’t need a knee-jerk reaction from the market to say ’this is a new risk, we need a new product and premiums need to be increased for this cover to be made available’.”

Indeed, Strachan explained that the introduction of Martyn’s Law presented the insurance market with an opportunity for “a renewed focus on terrorism”.

He said: ”Now’s a good time for insurers, risk managers and brokers to think about what their liability policies cover and whether there is cover for terrorist attacks included.”

“The bill will really shine a spotlight on terrorist events, which will mean that policyholders are going to have to look at how they prepare and respond in the event of a terrorist attack”

Martyn’s Law will also impact directors’ and officers’ (D&O) insurance because adherence to the new legislation will fall under directorial responsibility.

Strachan noted: “With a D&O policy, if you have a designated individual who is then subject to an investigation or regulatory proceedings then insureds need to consider whether that policy responds to terrorism.”

Dennison added: “The bill will really shine a spotlight on terrorist events, which will mean that policyholders are going to have to look at how they prepare and respond in the event of a terrorist attack, which will inevitably mean that they will be looking to ensure they have the right cover in place.

“Insurers definitely need to be ready for that.”

Broker insight

In its Managing risk for growth and economic security manifesto, launched earlier this year (11 January 2024), broker body Biba made overtures to the potential challenges and insurance impacts of the Protect Duty.

Although Biba welcomed the intent behind the legislation, it stressed “the need to be proportionate in the application of the new Duty”.

It also called on the UK government to examine the liabilities that would be placed on accountable persons for enhanced tier venues to ensure the insurance industry could provide “adequate and affordable D&O” cover.

And where insurers have a role to play, Biba called on underwriters to ensure that public liability policies covering terrorism after the Duty becomes law will be offered at “risk reflective premiums”.

“It will be important for businesses to have the ability within their D&O policies or legal expenses policies to defend any case brought against them”

Speaking to sister publication Insurance Times, Biba head of technical services Mike Hallam explained: ”We are hopeful that suitable and adequate insurance will remain available.

”It will be important for businesses to have the ability within their D&O policies or legal expenses policies to defend any case brought against them by the new regulator that will be created to oversee the Duty for failing to comply – in a similar way that such policies would respond to a case brought today by the health and safety executive.

“Equally, it will be important that public liability policies continue to respond in the unlikely event that a terrorist attack does occur and a business is found to have failed in [its] duty of care to keep visitors and employees safe from the risk of an attack and to actively manage the risk of terrorism.”

Biba itself has pledged to work with specialty insurers to “develop a holistic insurance product that caters for the new liabilities created by the Duty in case of any withdrawal of cover by mainstream insurers”.

What next for businesses?

Under the proposed law, premises will be considered ‘standard tier’ if they have capacity of 100-799 or ‘enhanced tier’, if they have a capacity of 800 or more.

The updated requirements for smaller businesses, set out in the consultation, are centred around outcomes rather than processes. For example, it will remove the requirement to complete any specific terrorism training.

Instead, those responsible for these premises will be asked to put in place procedures such as evacuation and lock-ins in the event of an attack.

The government claims that the new ‘reasonably practicable’ approach is better suited to the wide range of organisations because they will assess and implement procedures that are suitable to their individual circumstances.

“The updated requirements for smaller businesses, set out in the consultation, are centred around outcomes rather than processes.”

This aligns with other regulatory regimes, such as Health and Safety, which require reasonably practicable steps.

A Martyn’s Law regulator will be established to monitor compliance and advise premises. Premises within standard tier will be required to notify the regulator that they are within the scope of this legislation.

This revised approach is designed to be low to no financial cost, with associated costs largely driven by the time taken to communicate them to staff.