27 July 2022

Simon Cutmore, Director Risk Management

Following a number of terrorist incidents, notably the Manchester Arena bombing and the London Bridge attack, the government is bringing forward legislation to protect the public. The Protect Duty, also known as Martyn’s Law after Martyn Hett, a victim of the Manchester bombing, is expected to come into force in 2023.

When enacted, there will be a statutory duty for the owners and operators of publicly accessible locations to take proportionate measures to protect the public from terrorist attacks.

The 5 requirements of Martyn’s Law

  1. Engage with freely available counter-terrorism advice and training.
  2. Conduct vulnerability assessments of operating places and spaces.
  3. Mitigate the risks and vulnerabilities identified in these assessments.
  4. Develop and implement a counter-terrorism plan.
  5. Local authorities are required to plan accordingly for the threat of terrorism.

Who will the legislation be aimed at?

The Protect Duty is wide ranging and encompasses; venues, organisations, businesses, local authorities and public authorities. There are three broad categories:

  • Public Venues - Events, sports and entertainment venues, tourist attractions and shopping centres with a capacity of over 100 people
  • Large Organisations - Businesses such as retail, restaurants, and pub chains employing more than 250 staff – even if they are not at the same site.  
  • Public Spaces - Those responsible for public spaces and any event organisers making use of them.

The Insurance implications

While The Protect Duty is focused on risk management there are broader insurance ramifications.

Insurers – It is expected that organisations will do the most that they can, rather than the least. Insurers are likely to scrutinise risks and seek demonstrable and proportionate levels of compliance when underwriting risks and in the event of claims.

Insurance – On the face of it, Public Liability and Employers’ Liability insurance are the primary covers that will be the focus for businesses and organisations who are affected. There is terrorism cover within these policies, but the limits may need to be reassessed and action taken to bridge gaps if required. Non-damage business interruption is also a linked consideration. Many businesses were forced to close temporarily following the Manchester arena bombing and the Borough Market attack in London.

Risk Register – for organisations that are affected, either through the size or nature of their activities, it could mean additional requirements within the risk register to fulfil regulatory requirements.

Enterprise Risk Management (ERM) – There could be wider and potentially systemic exposures for the business which need to be managed at a strategic level. For example, this could include the types of location and exposure to adjacent properties that could be at higher risk.

Directors & Officers – Regardless of the size of the organisation any claim could find its way to the board if they are found to be culpable in terms of the firm’s preparedness. Be in no doubt, The Protect Duty is a board level issue.


What Next?

There are various steps businesses and organisations need to be taking now

  1. Risk Assessment – The new requirements should be incorporated within risk assessments now. A useful resource for this is the free, online Vulnerability Self-Assessment Tool (VSAT) provided by the government backed Terrorism Reinsurer, Pool Re. It benchmarks risks against current police and security agency best practice.
  2. Planning – Align plans with the 5 requirements of The Protect Duty to prepare for and mitigate risks. Preparedness needs to be proportionate for the type of organisation. This will include adapting existing Risk Management plans, assessing vulnerabilities, training staff, implementing processes, and having mitigation and evacuation procedures in place.
  3. Monitoring – The situation is fluid in terms of who will be affected. There is also a responsibility to understand the latest terrorism advice, alerts from the government and respond accordingly. Businesses should explore third party resources, including the police and specialist counter terrorism advisers and consultants. Again, Pool Re has a useful resource in the form of a Protect Duty hub with regular updates.

If you would like to discuss your risk management or ERM plans, please get in touch with the team here.