Insuring Against Terror: Some Common Coverage Blind Spots

by K&L Gates LLP

K&L Gates LLP

In her speech at Mansion House in July earlier this year, Metropolitan Police Commissioner Cressida Dick said that the occurrence of terror attacks in the United Kingdom is a case of "when not if". She was speaking in response to a series of high-profile acts of terrorism which had taken place in the first half of 2017, which, combined, resulted in the deaths of 36 people.

It is therefore timely that Pool Re, the UK Government-backed terrorism reinsurer, has published its third Terrorism Threat and Mitigation Report. The Report analyses trends in global terrorism and identifies prevailing difficulties in the terrorism-related insurance market.

The Pool Re Report notes that current levels of terrorism in the UK are unprecedented with four attacks in a 17 week window earlier in 2017. The methods deployed by terror groups continue to evolve and respond to counter-terrorism efforts but the "fundamental principles" remain the same: to kill and cause damage for publicity so as to cause terror. In this regard, the effects of terrorism are widely felt. As well as causing significant causalities, recent terror incidents have had a notable impact on businesses and the wider economy.

Terror-related losses are risks which businesses can protect themselves against with appropriate insurance. Often companies do not have sufficient insurance in place, if they have any at all. According to the Pool Re report, take up of terrorism insurance is relatively low, particularly among SMEs, of which as few as ten per cent have purchased coverage.

Where insurance is obtained, it is not always comprehensive or protective against modern threats. A common assumption among policyholders is that their commercial property insurance will provide coverage for terror-related risks. Generally, commercial property insurance can exclude or restrict recovery for terror-related losses, and cover for such risks is frequently sold as a discrete, specialised product.

Another potential obstacle to recovery is that some policies require physical property damage as a trigger to the insurer's liability. As demonstrated by this year's attacks at London Bridge in June, and at La Rambla in Barcelona this August, losses flowing from actual property damage are often minimal. Instead, financial losses are often sustained as a result of "considerable business interruption and denial of access caused by extensive cordons, with the possibility of further loss to the economy and business from a reduction in future visitor numbers". In response to this, "denial of access" cover is more frequently included in business interruption and property policies but Pool Re notes that there remains a coverage gap. Policyholders should be alert to what kind of triggers or onerous conditions their terrorism cover may have and, with that in mind, they should consider whether they are sufficiently protected.

The risks which a business should consider seeking coverage for will depend on a number of factors. Policyholders should consider undertaking a thorough risk assessment to determine what their vulnerabilities are likely to be. Some sectors face greater risks than others, and the types of risks and loss to which they are vulnerable will be highly sector and location specific.

By way of example, the aviation sector continues to be a prime target for terror groups, as the Pool Re report points out. Airlines are already bound by regulations regarding the type and scope of coverage they must have to operate. Besides carriers, other businesses which depend on the aviation sector are potentially vulnerable. Organisations which operate in or around airports (or whose business depends on the sector running smoothly) will want to ensure they are prepared for every eventuality.

Regardless of industry or sector, a terrorism risk assessment is likely to highlight any particular vulnerabilities. In conjunction with an insurance policy wording review, coverage gaps can be addressed and potential economic risks minimised.

In terms of location-specific risks, it remains the case that cities are more likely to be targeted by terrorists than remote or rural areas because of the density of potential targets, and the publicity they garner. Businesses should be conscious of any nearby symbolic or high-profile landmarks which attract crowds as well as major infrastructure and governmental buildings, all of which are more likely to be targeted. It is critical to consider how businesses could be affected if, for example, a police cordon is set up or travel restrictions imposed in the area surrounding their place of operations.

In more recent developments, Pool Re notes that cyber threats are becoming more common, and increasingly high profile. Such tactics are being used both by terror groups and state actors to disrupt business and infrastructure, and to enable and encourage terror globally. The market for cyber risk insurance coverage is still developing. Nevertheless it is becoming an essential aspect of many commercial insurance programmes. The Pool Re report states that "cyber attacks were estimated to cost businesses as much as $450 billion a year globally", and there are few, if any, sectors which are not vulnerable in some way.

The types of larger-scale cyber attacks which attract the most media attention are - for now - more likely to be caused by state actors than terror groups. One such example was the WannaCry attack on the NHS in May 2017, which Pool Re report explains was "likely to have been state sponsored and not terrorism". Terror groups, by contrast, currently prefer "enabling" tactics (disseminating information for the purposes of recruiting members and instructing them in committing acts of terrorism) to "disruptive" tactics (the stealing of money or data; dissemination of malware; or disruption of services and networks).

Whether cyber tactics are deployed by lone activists, established terror groups or hostile states, the consequences for affected businesses can be disastrous. Ultimately, cyber attacks can lead to: loss of confidential data or valuable intellectual property; interruption of business functions; reputational harm and reduced customer confidence; and regulatory sanctions and fines. Indeed, with the entry into force of the General Data Protection Regulation in May 2018, the potential costs to businesses with inadequate protections are even more significant (breaches can lead to fines being imposed of as much as the higher of 4 per cent of global annual turnover, or €20 million).

Looking to the longer term, the Pool Re report highlights the fact that terror groups do not currently deploy "destructive" cyber tactics with any sophistication or regularity. Destructive cyber attacks are intended to cause physical damage or disable physical infrastructure, for example by hijacking control of power grids. The evolving nature of cyber terrorism means organisations should be prepared for this risk to grow. Reflecting this, from 1 April 2018, Pool Re will be able, for the first time, to grant cover "for physical damage caused by terrorists using a cyber-trigger to cause a fire or explosion".

For many businesses, the risks presented by terrorism may never materialise but, if they do, the consequences can be far-reaching. For peace of mind, it is important for each business to ensure that it has assessed its vulnerabilities and obtained the right insurance cover, tailored to meet the specific risks and vulnerabilities of the particular organisation.

You can view the full Pool Re Terrorism Threat and Mitigation Report here:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising

Written by:

K&L Gates LLP

K&L Gates LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.