4 min read

Are you prepared for the new protect duty?

Read more

By Helen Faulkner & Duncan Strachan


Published 04 April 2022


Many questions remain outstanding in the wake of the recent Home Office consultation on the creation of a new duty to protect the public from terrorist attacks at publicly accessible locations.

As the consultation moves into the legislative phase, the implications for businesses and the insurance industry are significant. Fundamentally, underwriters will need to understand the new exposures to businesses, particularly those in the retail and entertainment sectors. This is likely to require more expansive proposal forms asking about the carrying out of risk assessments, what they highlighted and whether those recommendations have been carried out.

Terrorism risks have, until now, been the preserve of first party property programmes for property damage and business interruption. The insurance industry is supported in its ability to offer terrorism cover through Pool Re. This protection has evolved since its introduction in 1992 to broaden the cover including offering non-damage business interruption and also cyber- terrorism. However, there are no signs that the scheme is intended to be expanded further to cover liability exposures that would be introduced by the duty to protect.

Brokers will need to be more aware of terrorism risk generally and reinsurers will be interested in the accumulation of risk. Responses may include increased premiums, policy drafting that restricts or excludes cover and a review of indemnity limits. Improvements made to security are however likely to have wider benefits, potentially reducing other crime and antisocial behaviour, thereby reducing insurers’ exposure. Even for those outside the scope of any legislation, it is perhaps the case that all organisations should now be reviewing the safety and security of their staff and the public who use their facilities.


Scope of the consultation

In light of the Westminster and London Bridge attacks and the Manchester arena bombing, the consultation considered how to improve public security from terrorist attacks through the creation of a legislative duty to protect the public, which will also establish a framework for establishing the liability of both the public and private sector. The proposed “Protect Duty” aims to create a culture of security, with a consistency of application and a greater certainty of effect.

The proposals target venues, organisations, businesses, local authorities, public authorities and individuals who own or operate at publicly accessible locations. This includes sports stadiums and music venues, hotels and pubs, shopping centres and markets, schools and universities, hospitals and places of worship, transport hubs and open spaces.

The first proposal is that the duty should apply to owners and/or operators of publicly accessible venues with a capacity of 100 persons or more. This threshold is said to have been set mindful of the impact that COVID-19 has had, and continues to have, on many organisations. At a future date, there is a suggestion that there may be a further consultation on lowering the threshold.

In addition, it is proposed that the duty should apply to organisations employing 250 or more staff that operate at publicly accessible locations. This could include organisations with a number of smaller outlets across a wide geographical footprint, such as high street retailers and petrol stations. It may also mean that a chain of coffee shops might be caught but not a single independent café of the same size in the same location.

The duty would require organisational preparedness by considering public security and implementing reasonable security measures. In practice, this will require a combination of physical and people measures that might include security plans and procedures to react and respond to different threats; training and refresher courses for staff; and employing appropriate security measures.

It is suggested that an inspection regime would be required to provide the necessary assurance that those within scope of the duty are meeting their requirements. Inspections are said to offer an opportunity to provide specific support and advice to venues and organisations to help them improve their protection and preparedness before any further action is considered. Where the requirements are not met, inspectors could request improvements and, ultimately, enforcement action. A new offence is proposed for persistent non-compliance and the penalties would be primarily based on fines for organisations in breach. The difficulty encountered in making the Health and Safety Executive responsible for both advice and enforcement appears likely to be revisited given this structure.


Summary of consultation responses

The government response document was published in January this year, together with a summary of responses. There was some pushback suggesting a higher capacity threshold and that the duty should be based on guidance, training and awareness rather than being legislative with enforcement action and penalties. However, the ministerial foreword from Damian Hinds MP confirmed that the government is now progressing a legislative approach.



The proposals raise a number of issues, including how the duty will apply where there are multiple interested parties at a location. In practice, will the duty lead to less willingness to open up venues and spaces for public usage?

The definition of terrorism will be an key part of the legislation, including the question whether it will extend to cyber scenarios. With much of the duty being based on good quality information sharing, what are the data protection risks? There is likely to be an increased demand for security firms and specialist consultants on compliance with the new requirements. This will come at an added cost to the retail and entertainment sector, which has been hit hard by the economic impact of the pandemic, as well as to the public sector. There is also the question of how these businesses deal with the increased potential for liability in the event of a terrorist attack. The insurance industry can assist with both of these issues, by offering value-added services at the time products are being sold, and by tailoring cover to fit in with these new exposures.

Above all, there is a need for collaboration both as the legislation is developed and once it has been enacted. This will focus on local authorities, businesses and specialist counter terrorism sections of the police who traditionally have held primacy for the protection of the public against any terrorist threat and have had the capability, knowledge and resource to assist in this process. There will also be a need for open and effective communication between the insurance industry and government.


Where next?

There is some anticipation that legislation will be mentioned in the Queen’s Speech in May and that the deadline to reach minimum compliance could be May to November 2023. As both a social and governance issue, this Protect Duty requires focused cross-sector attention.