Martyn’s Law Shifts Terror Risk From Coverage to Governance

Crowded places no longer just ask for security; boards, insurers, and brokers now judge terrorism readiness by evidence of governance, not merely by a line on an insurance schedule, and that shift changes who decides, who pays, and who is accountable. Martyn’s Law (the U.K.’s forthcoming Protect Duty) and the Home Office’s statutory guidance are rewiring expectations, moving attention from post-incident relief to pre-incident planning, proportionality, and demonstrable control.

Why This Shift Matters and What This Guide Covers

The new regime elevates terrorism risk from a purchase to a governance obligation. It frames preparedness as a board-level responsibility, with accountability for assigning a competent “responsible person,” conducting proportionate assessments, and building repeatable processes that can be tested, evidenced, and improved. Anticipated enforcement, including oversight by the Security Industry Authority, makes documentation a practical necessity rather than an optional extra.

Implementation is expected in spring 2027, giving organizations a finite runway to adapt. This guide explains the implications for operators, boards, insurers, and brokers, and it translates regulatory intent into workable practices. It focuses on governance structures, compliance processes, underwriting engagement, broker duties, liability considerations, and near-term steps to build credible preparedness.

The Case for Best Practices and the Benefits of Getting Them Right

Good governance, proportionality, and clear records now form the baseline for compliance and market credibility. Insurers and regulators are converging on the same question: can the organization show how it understands its threat profile, what it has implemented in response, and how it knows those measures work? The ability to answer with evidence, not assertion, separates compliant operators from exposed ones.

Moreover, well-run programs deliver compound benefits. Stronger security outcomes reduce incident likelihood and severity; smoother interactions with regulators limit disruption; transparent data and improvement plans support broader coverage and sharper pricing; and disciplined documentation curbs investigation and litigation exposure. Over time, demonstrable compliance influences insurability, the breadth of terms available, and access to capacity.

Best Practices for Governance-Led Terrorism Risk Management

Establish Clear Accountability and Appoint a Responsible Person

Board oversight should be explicit: set risk appetite, allocate budget, and record decisions in charters and minutes. A competent responsible person needs authority across security, facilities, HR, legal, risk, and communications, with clear escalation paths and deputization to cover absences.

A national venue group might elevate preparedness to an executive risk committee, appoint a group head of protective security, and publish a RACI so site teams know who decides, who approves, and who executes. That clarity accelerates decisions and provides a defensible audit trail.

Conduct Proportionate Risk Assessments and Implement Layered Protective Measures

Start with threat, vulnerability, and consequence assessments aligned to site type, footfall, and event profile. Then implement layered, feasible measures—access management, surveillance, queue security, hostile vehicle mitigation, and robust emergency procedures—calibrated to the environment.

A city museum could deploy tiered screening on peak days and justify alternative measures where listed building features limit physical changes. By documenting what is practicable and why, and by refreshing assessments on a set cadence, it builds a durable rationale regulators and insurers can follow.

Build Demonstrable Compliance Processes and Evidence Trails

Policies, site plans, and standard operating procedures should reflect the guidance and real-world constraints. Training, drills, and competency checks need to be routine, with attendance and outcomes captured consistently. Incidents, near misses, and lessons learned belong in an audit-ready repository.

Consider a sports arena that runs quarterly tabletop exercises, logs remedial actions in a GRC platform, and tracks closure with timestamps and owners. The result is a living record that proves continuous improvement rather than one-off compliance.

Align Insurance Strategy With Regulatory Posture and Executive Exposure

Terrorism coverage should reflect governance maturity; disclose assessments, controls, and exercise results to underwriters to earn terms that recognize reduced uncertainty. Revisit D&O, public liability, and crisis/response policies to address investigation costs and regulatory scrutiny even when no physical incident occurs.

A hospitality chain that adds inquiry expenses, dawn-raid support, and PR counsel to D&O, and shares its preparedness program with terrorism markets, often sees improved breadth of coverage and more stable capacity.

Elevate Broker Advisory Standards and Documentation

Brokers should update engagement letters to define scope on Martyn’s Law, outline limits of service, and clarify what falls to legal counsel. Provide written briefings on applicability, proportionality, and insurance implications, then record recommendations, decisions, and any declinations.

A broker that issues client-specific Protect Duty memos, logs meeting notes and sign-offs, and ties coverage proposals to observed governance gaps reduces professional indemnity exposure while improving client outcomes.

Integrate Underwriting Engagement and Data Sharing

Pre-bind packs—risk assessments, site schematics, training records, incident logs, and improvement plans—enable underwriters to verify posture. Joint site walks help align on proportionate enhancements and avoid gold-plating that adds cost without material risk reduction.

A retail operator using a quarterly dashboard of security KPIs can demonstrate progress, agree on performance-linked deductibles, and secure multi-year terms that reward measurable improvement.

Test, Train, and Iterate Through Exercises and After-Action Reviews

Blend tabletop, functional, and full-scale exercises with external responders to validate assumptions. Capture lessons, assign owners, set deadlines, and retest to confirm closure. Use intelligence updates and near misses to recalibrate controls ahead of formal review cycles.

A convention center that co-runs exercises with local police, refines crowd management and communications protocols, and measures evacuation time reductions shows a feedback loop that regulators and insurers trust.

Conclusion and Adoption Guidance

Martyn’s Law has reframed terrorism preparedness as a governance mandate with tangible regulatory and market consequences. Operators that confirm duty applicability and tiering, budget for proportionate controls, set accountable owners, and time programs toward 2027 build credibility with both regulators and underwriters.

The most effective next steps center on mapping governance to sites, codifying risk assessment cadences, and embedding documentation that can withstand enforcement and claims scrutiny. Aligning D&O and liability programs to inquiry and investigation risks, broadening insurer engagement through transparent data, and scheduling progressive exercises to validate change belong on the same list. Those moves position portfolios for better insurability, steadier pricing, and faster recovery when tested by real-world events.