Preparing the retail sector for the new UK terrorism liability legislation

The UK is set to introduce new terrorism legislation that will change businesses’ responsibility for terrorism acts, requiring a new strategic approach for how shopping centres and retail chains manage and mitigate this risk.

As outlined in the consultation (opens a new window), the Protect Duty legislation, also known as Martyn’s Law, will require owners and/or operators of publicly accessible locations (PALs) to take “appropriate and proportionate measures to protect the public from terrorist attacks.”

The legislation comes on the back of the suicide bombing attack that took place at the Manchester Arena during the Ariana Grande concert on 22 May 2017. It is named after Martyn Hett, one of the 22 victims (opens a new window) that lost their lives at the event. The inquiry into the Manchester Arena bombing (opens a new window) highlighted some security failings in relation to hostile reconnaissance, venue security practices and risk assessments. The new legislation aims to address these failures.

Applicability of Protect Duty:

The Home Office estimates that 650,000 UK businesses could be affected by the new legislation, including public venues shopping centres with a capacity of 100 persons or more as well as large organisations such as retailers employing 250 staff or more.

Requirements are expected to include:

Considering and implementing ‘reasonably practicable’ protective security and organisational preparedness measures

Developing a robust plan on how to deal with or act as a result of a terrorist attack

Using available information and guidance provided by the government and the police to consider terrorist threats to the public and staff at locations owned or operated by the business

Assessing the potential impact of these risks across your functions and estate, and through a business’ systems and processes

Source: Pool Re (opens a new window)

Organisations affected will need to (re-)assess the risk of terror attacks, implement measures to reduce the risk, and put together robust terrorism plans. Particularly smaller organisations that may not be regarded as obvious targets may need to take action as many of them will have never formally assessed terrorism.

Consequences for businesses

In order to prepare for the new Protect Duty legislation, businesses should review the risk mitigation measures they are deploying and potentially adjust them accordingly. The process may include:

Physical risk security assessment to reduce the freedom of movement of an attacker, identify vulnerabilities and implement protective measures that can include technology solutions to identify a potential threat, limit the opportunity for an attack and coordinate a response in the event of an attack

Security policies and procedures may need to be updated and include shelter in place and evacuation plans

Employee training and empowerment should clarify the roles for securing a location and enable staff to recognise and respond to a potential threat

Regularly review the security strategy, training, and processes

If a security breach is considered serious enough, companies may need to conduct a vulnerability assessment, prepare a counter-terrorism plan, and, importantly, ensure that representatives engage with the police and government agencies for training and best practice.

Expected effect on insurance programmes

The legislation is set to significantly change how companies manage terrorism risks. Businesses that fail to carry out the requirements under the duty could face prosecution under legislation such as the Corporate Manslaughter Act.

The duty will lead to greater liability exposure for businesses in scope. While the new rules are expected to become effective in 2023, businesses should start reviewing their insurance programmes with Protect Duty in mind, with a particular focus on general liability (GL) and employers’ liability (EL) limits. UK companies may need to purchase additional terrorism EL and GL cover if they don’t already do so.

A specific terrorism liability policy is designed to cover any claims expenses and damages that the insured becomes legally liable to pay following claims for bodily injury and property damage. If the business already purchases terrorism insurance, it might want to consider increasing the limits as the limits that many publicly accessible locations currently buy are likely to be insufficient to cover the costs following a deadly attack.

Following an attack, retail companies may not only face increased costs from implementing added security measures, counselling, and public relations but also reduced revenues due to a drop in footfall. Businesses in the retail sector therefore need to identify not just the risks to physical assets of the business, but also the potential impact on earnings, cash flow, and reputation.

It is advisable that businesses consult with their directors’ and officers’ (D&O) liability insurance advisers on how the new duty is likely to affect their cover. Whilst terrorism exclusions are not common on D&O programmes, some insurers will apply them as standard (e.g. a War & Terrorism exclusion) and the unintended consequence may be no cover for claims brought against directors alleging a governance oversight failure in relation to terrorism matters.

Consultants and specialist companies carrying out ‘protect’ risk assessments and designing mitigation programmes will need to review their professional negligence covers.

For further information, please contact:

Michael Kay, Head of Retail Practice Group

T: +44 (0)161 828 3304

E: michael.kay@lockton.com