Ten employees of Vizsla Silver went to work in Concordia, Sinaloa, on January 23, 2026. They were kidnapped from company housing that night. At least five are now confirmed dead. The stock dropped 42%. Approximately $800 million in market value evaporated. A securities class action firm announced an investigation within 24 hours of the public disclosure.
Here's what makes this legally significant: The Sinaloa Cartel civil war had been raging since September 9, 2024—four months before the kidnapping. More than 2,400 people killed. Nearly 3,000 disappeared. The municipality of Concordia—where Vizsla housed its workers—recorded the highest number of displaced families in the state. The town of El Palmito, also in Concordia, was evacuated entirely in September 2024 after armed clashes left it a ghost town.
This was knowable. The question plaintiffs' attorneys will ask: Did the board know? And if they did, what did their disclosures say?
The Boilerplate Problem
Courts are increasingly rejecting generic risk warnings when companies knew the risks had already materialized.
The Ninth Circuit held in Forescout Technologies (2023) that a company "cannot rely on boilerplate language describing hypothetical risks to avoid liability." In In re Alphabet (2021), the court found that risk disclosures framed in the hypothetical—warning that events "could" or "may" occur—can mislead investors when management knew those risks had already come to fruition.
The SEC reinforced this in October 2024, charging Unisys, Avaya, Check Point, and Mimecast for framing cybersecurity risks as hypothetical when they knew breaches had already occurred. The SEC's statement: "The relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized."
This doctrine isn't limited to cyber. It applies to any material risk where a gap exists between what boards knew and what they disclosed.
What Mining Company Disclosures Actually Say
Pull up any mining company's 10-K with Mexican operations. You'll find language like:
"Certain areas of Mexico have experienced outbreaks of localized violence, threats, thefts, kidnappings and extortion associated with drug cartels and other criminal organizations."
That's from Vizsla Silver's own SEC filing—filed after they paused field work in April 2025 due to "security conditions in the area."
The problem: This language describes a category of risk. It doesn't tell investors that the specific region where personnel are deployed is experiencing the deadliest cartel conflict in fifteen years. It doesn't disclose that the municipality hosting company housing has the highest displacement rate in the state. It doesn't explain that the conflict began in September 2024 and escalated continuously.
Generic language that could apply to any company operating anywhere in Mexico doesn't satisfy the disclosure obligation when management possesses specific intelligence about conditions in their specific operating areas.
The Latin America K&R Reality
The kidnap and ransom services market in Latin America reached $200 million in 2024. Mexico alone recorded 85 criminal kidnappings per month that year. Control Risks data shows Latin America and West Africa account for approximately 87% of global kidnap cases.
But here's what boards need to understand: The threat landscape has changed.
In June 2024, two Chinese executives were kidnapped and murdered in the Philippines after arriving for a business meeting. They lacked kidnap and ransom insurance and professional negotiation support. The families' direct involvement in negotiations—driven by understandable emotional distress—compromised the process. Both executives died.
In Ecuador, extortion cases surged 127% in the first half of 2024 compared to 2023. Kidnappings increased 30%. In Guayaquil, one person is kidnapped every ten hours.
The Sinaloa situation is particularly acute. Since the cartel split in September 2024, the conflict has killed more than 1,800 people. Forced disappearances have become the primary form of lethal violence. Fifty rural communities have been largely abandoned. The people who remained in Concordia municipality—including those working at mining sites—were operating in what security professionals would classify as an active conflict zone.
The D&O Insurance Gap
Directors and officers assume their D&O policy covers them. It probably doesn't cover this.
Standard D&O exclusions include:
Bodily injury and property damage. These claims go to General Liability policies, not D&O. The physical harm to kidnapped employees isn't covered.
Catastrophic events. Wars, terrorism, and political violence are typically excluded. A cartel civil war likely triggers this exclusion.
Criminal acts and fraud. If directors are found to have knowingly misrepresented material risks, coverage may be excluded.
Pollution and environmental claims. Separate policies apply.
What D&O might cover: Defense costs for securities litigation. Settlements for disclosure-based claims. Legal fees for regulatory investigations.
But here's the catch: D&O policies exclude coverage for dishonest, criminal, malicious, or injurious conduct. If a board is found to have knowingly minimized or concealed material security risks, the insurer may deny coverage entirely.
Kidnap and ransom insurance is a separate product. It provides crisis management support, negotiation expertise, ransom reimbursement, and access to security professionals. Companies operating in high-risk jurisdictions without K&R coverage are leaving their employees—and their boards—exposed.
Civil vs. Criminal Liability
Can directors face criminal charges for security failures that result in employee deaths?
To be clear, I'm not an attorney and this isn't legal advice. I am a security expert focused on high-risk environments. If your board needs to get briefings on this, reach out.
The bar is high, but not impossible.
Under the duty of care, directors must make informed decisions based on all material information reasonably available. Breach requires "gross negligence"—conduct so extreme it can be considered criminal, falling far below what's reasonably expected.
In the UK case R v Lion Steel Equipment Ltd (2012), an employee died after falling through a factory roof. The company pleaded guilty to corporate manslaughter. Three directors were individually prosecuted for gross negligence manslaughter—though none were ultimately convicted after the company's guilty plea.
In the US, criminal liability typically requires proof of willful misconduct or knowing violation of law. Securities fraud charges under Rule 10b-5 require scienter—intent to deceive, manipulate, or defraud.
For most security failures, civil liability is the primary exposure:
Securities class actions for material misstatements or omissions
Derivative suits for breach of fiduciary duty
Regulatory enforcement for disclosure violations
The Delaware Chancery Court's 2019 decision in Marchand v. Barnhill established that oversight liability—the duty to monitor mission-critical risks—can survive a motion to dismiss. Plaintiffs have since aggressively pursued "Caremark claims" arguing that boards failed to implement reporting systems for critical compliance risks.
Physical security in conflict zones may become the next category of "mission critical" risk that boards are expected to actively oversee.
What Plaintiffs Will Probe
In securities litigation following a security incident, discovery will focus on:
What intelligence did the board receive? Risk assessments, security briefings, consultant reports, travel advisories. The gap between what was known internally and what was disclosed publicly.
When did they receive it? Timeline matters. If the board had detailed security intelligence before the incident but didn't update disclosures, that's material.
What did insurance applications say? K&R and political risk insurance applications often require detailed disclosure of threat conditions. If the company represented one thing to insurers and another to investors, that's a problem.
What did local management report? Emails, memos, and communications from personnel on the ground about deteriorating conditions.
Were there prior incidents? Vizsla Silver paused field work in April 2025 due to security conditions. What triggered that pause? What changed between then and January 2026?
What security measures were in place? Housing arrangements, personnel vetting, evacuation procedures, communication protocols. Were they adequate for the known threat environment?
The Questions Boards Should Be Asking Now
For any company with personnel in high-risk jurisdictions:
Where are our people right now? Not just country-level data. Municipality-level. Neighborhood-level. Know the specific threat conditions in specific operating locations.
What do our disclosures actually say? Compare your risk factor language to what your security team knows about ground conditions. If there's a gap, close it.
When did leadership last receive a real security briefing? Not a quarterly report that sits in a board book. An actual threat assessment from people who understand the operating environment.
What's our insurance coverage? D&O, K&R, political risk, business interruption. Where are the exclusions? What scenarios aren't covered?
What's our escalation protocol? If conditions deteriorate, who decides to suspend operations? At what threshold?
What would we have to disclose? If an incident occurred tomorrow, what internal communications would be subpoenaed? Would they show adequate oversight or willful blindness?
The Trajectory
Physical security is following the same arc as cybersecurity.
Ten years ago, cyber risk was an IT problem. Today, it's a board-level governance issue with mandatory SEC disclosure requirements, dedicated oversight committees, and executive accountability.
Physical security in high-risk jurisdictions—where organized crime, political instability, or armed conflict threaten personnel—is moving in the same direction. The Vizsla Silver incident will accelerate that shift.
Companies that prepare look paranoid—until something happens. Then they look prudent.
Companies that don't prepare never look paranoid. They just look negligent.
The Core Problem
The UnitedHealthcare CEO assassination in December 2024 shocked executive suites. Brian Thompson was gunned down outside a Manhattan hotel. The suspect's manifesto cited healthcare industry grievances.
The Vizsla Silver kidnappings should have the same effect on boards of companies operating in conflict zones.
In both cases, the threat existed before the incident. In both cases, the question afterward was whether adequate precautions were taken.
The difference: Thompson was personally targeted for who he was. The Vizsla Silver workers were apparently mistaken for rivals in a cartel conflict—a case of being in the wrong place during the wrong war.
Your company doesn't have to be a target to become a casualty.
The threat isn't being targeted for who you are. It's being mistaken for someone else in an environment where violence is the default mode of conflict resolution.
That's a different threat model. It requires different disclosures. It requires different oversight. And when boards fail to adapt, they create liability that no insurance policy will cover.
The Sinaloa Cartel civil war began September 9, 2024. Since then: 2,400+ killed, 3,000+ disappeared, 50+ communities abandoned, 1,763 families displaced. Concordia municipality—where Vizsla Silver housed its workers—had the highest displacement rate in the state. This information was publicly available. The question for boards: What did you know, when did you know it, and what did your disclosures say?