Menu
• July 17, 2026

Martyn's Law and the changing expectations of business security

Martyn's Law reflects a broader change in how terrorism risk is understood. For many years, it was viewed as a relatively remote threat, managed primarily by governments, law enforcement and national security agencies. While that remains true, the nature of the threat has evolved.

ML Blog

For many organisations, security has historically been viewed as a specialised concern, separate from the day-to-day decisions that shape how a business operates. Martyn's Law reflects an evolution in that thinking. While the legislation introduces new responsibilities for certain venues and public spaces, its significance extends beyond compliance. It forms part of a broader change in how organisations, regulators and insurers approach risk, resilience and preparedness.

Businesses are now expected not only to respond effectively when incidents occur, but also to demonstrate that appropriate steps have been taken beforehand.

The changing nature of terrorism risk

Martyn's Law reflects a broader change in how terrorism risk is understood. For many years, it was viewed as a relatively remote threat, managed primarily by governments, law enforcement and national security agencies. While that remains true, the nature of the threat has evolved.

Risk assessments now place greater emphasis on the fact that attacks can be less predictable, more decentralised and, in some cases, carried out using readily available everyday items. As a result, traditional assumptions about threat likelihood and warning indicators have become less dependable.  

In this environment, the conversation is focused not only on whether an incident might occur, but also on how exposed an organisation could be if it does. Preparedness, response capability and operational resilience are gaining prominence alongside more traditional measures of risk, with insurers and regulators paying closer attention to an organisation's ability to demonstrate them. 

How duty of care is expanding for UK businesses

As attitudes towards risk continue to evolve, so too does the concept of duty of care.

It is no longer enough to keep buildings safe in a purely physical sense. There is a growing expectation that organisations have considered how they would respond to a serious incident, even one that seems unlikely. This might involve training staff, establishing clear procedures, or simply thinking through how key decisions would be made in a moment of crisis.

Industry commentary suggests that terrorism risk is no longer solely an insurance concern that sits unobtrusively in the background of a policy document. Instead, it is becoming part of governance, operational planning and organisational responsibility. This represents a notable development, with security now discussed alongside operational resilience and leadership accountability rather than being treated as a separate or specialist issue.  

Why insurers are paying closer attention to preparedness

This change is already becoming visible within the insurance market, although it continues to evolve. Preparedness is becoming an important factor in how risk is assessed. Organisations that can demonstrate clear planning, defined responsibilities and proportionate security measures may be viewed more favourably by insurers. In some cases, this can support discussions around cover, pricing and overall risk appetite.  

Conversely, gaps in preparedness are attracting greater scrutiny. Insurers are paying closer attention to how organisations identify and assess risk, who owns responsibility for managing it, and whether there is tangible evidence that planning has taken place. This marks a gradual departure from the traditional model, where insurance primarily responded after an incident had occurred. Today, greater attention is given to what a business can demonstrate before an incident occurs.

In effect, the trend in physical security risk is similar to the evolution of cyber insurance. While cover is still widely accessible, insurers increasingly require organisations to demonstrate appropriate controls, documented processes and a baseline level of resilience. This reflects a growing expectation for businesses to actively manage their security risks. 

The gap between expectations and preparedness

Despite these adaptations, a preparedness gap remains. Many organisations, particularly smaller businesses, are still not well equipped to address terrorism risk in a structured way. In some cases, there is an assumption that existing insurance arrangements automatically provide terrorism cover, when the position may be more nuanced. In others, the issue has simply not been considered as part of a broader approach to risk management. 

At the same time, organisational responsibilities are becoming more clearly defined. Even where the likelihood of an incident appears remote, the potential consequences can be significant. As a result, a gap remains between what is expected of organisations and what many are currently prepared to deliver. The direction of travel is becoming clearer, but for many businesses, the practicalities of implementation have yet to catch up. 

Shared responsibility is reshaping security and resilience

Perhaps the most significant aspect of this shift is how responsibility for security and resilience is being redistributed.

Traditionally, security was seen primarily as a matter for the state, supported by policing, intelligence, and national security agencies. That remains true, but it is no longer the complete picture. Businesses are increasingly being recognised as active participants in managing and mitigating risk.  

The model is moving towards a more shared form of responsibility. Government provides the framework and guidance, organisations are expected to take proportionate steps to protect their people and operations, and insurers reinforce those expectations through underwriting decisions and pricing. 

This trend is not unique to terrorism. Similar changes, as previously noted, have emerged in cyber security, as well as data protection, and climate resilience, where organisations are increasingly expected to demonstrate preparedness rather than simply respond after an incident occurs. 

As a result, the boundary between public responsibility and private accountability is becoming less distinct. Security is no longer viewed solely as something provided from the outside; it is increasingly seen as a shared obligation, with businesses playing a more visible and measurable role in the overall resilience landscape. 

What shared responsibility means in practice

For most organisations, the implications are relatively practical in outline.

A retailer might think more carefully about how staff would respond to an unusual or hostile situation. A venue may revisit how people enter and leave a space, not just for convenience but also for control and flow during an emergency. Property owners may begin to view security planning as part of the way they assess and manage an asset, rather than treating it as an afterthought. 

For the public, these changes are likely to be subtle. Over time, however, certain differences may become more noticeable: staff who appear better prepared, clearer guidance in public spaces, and small adjustments to the way environments are managed.

None of this is intended to be dramatic. That is partly the point. The aim is not to create a visible sense of restriction, but to build confidence that risks have been considered and planned for appropriately. 


The next chapter in organisational resilience

Martyn's Law will take time to become fully embedded. Although the legislation is now in place, many organisations are still working through what it means for them operationally and how best to meet their responsibilities. 

Even so, the direction of travel is clear. Security is becoming a planned and embedded part of organisational resilience, rather than a reactive measure considered only after an incident occurs. 

Organisations that approach it simply as another compliance requirement may meet the minimum standard. Those that treat it as an integral part of their systems and procedures are likely to gain broader benefits, not only in terms of resilience and risk management, but also in how they are perceived by customers, employees and stakeholders.

Ultimately, that may be the most significant shift. Not just improved protection, but a different baseline altogether: one in which safety is not merely assumed, but demonstrably considered, quietly and thoroughly, long before it is ever needed. 

Share this post