After the UnitedHealthcare CEO's assassination, I spent months deploying security across the industry. What I learned wasn't about security.
It was about insurance.
And every board needs to understand this before their next renewal.
The pattern I saw repeated:
Companies would call—urgently—after a high-profile incident made them realize their exposure.
The conversation always started with: "We need executive protection immediately."
But within 24 hours, it shifted to: "Our insurance carrier is asking questions we can't answer."
That's the real story.
The security part is straightforward.
We know how to assess threats, build protective intelligence, deploy teams, and manage operations. That's what we do.
But what caught CFOs and General Counsels off-guard was discovering their insurance policies had language they'd never noticed:
"Failure to maintain reasonable security measures may constitute grounds for denial of coverage."
And they couldn't prove what "reasonable measures" they'd taken.
Here's what insurance underwriters started asking:
"When was your last third-party threat assessment, and did you present findings to the board?"
"Show us board minutes where security posture was reviewed and approved."
"What documented protocols did you have in place before this incident?"
"Can you produce maintenance records for security systems?"
"Where's the incident response plan that was tested in the past 12 months?"
Companies that called us for emergency protection were suddenly scrambling to answer these questions.
And discovering they had no answers.
The gap I kept seeing:
Technology without documentation.
These weren't companies ignoring security. Many had invested heavily in systems, cameras, access control, and monitoring.
But they didn't have:
Board oversight documented in minutes
Third-party assessments presented annually
Written policies approved and version-controlled
Maintenance records with sign-offs
Training logs for personnel
Tested incident response procedures
The insurance carriers didn't care about the technology.
They cared about proving the board fulfilled its fiduciary duty to assess and mitigate risks.
Why this matters for D&O policies:
Directors and Officers liability insurance covers board members against lawsuits alleging breach of fiduciary duty.
If something happens (say, workplace violence, an executive security incident, or credible threats) and the board can't show they took reasonable precautions...
The insurance company can argue the board was negligent.
And deny coverage.
Which means directors face personal liability.
The timeline I'm seeing now:
Q4 2024: High-profile incidents create urgency, companies scramble for solutions
Q1 2025: Insurance renewals hit, new questions appear in underwriting
Q2-Q3 2025: Premium increases for companies that can't document security oversight (we are here)
Q4 2025: First wave of non-renewals for non-compliance
2026: This becomes a baseline requirement across the industry
What "reasonable measures" means in practice:
After working with multiple organizations building or upgrading their security programs post-incident, here's what insurance underwriters want to see:
Board-level oversight: Quarterly reviews documented in minutes, showing security was discussed, assessed, and decisions were made
Third-party validation: Annual assessments by independent security firms, presented to the board with findings and recommendations
Written policies: Board-approved security protocols with clear ownership, review dates, and version control
Maintenance documentation: Regular testing and maintenance of security systems with records and sign-offs
Training records: Documentation that employees and security personnel received appropriate training
Incident response plans: Documented procedures that are tested quarterly, not just sitting in a drawer
Vendor management: Contracts with clear SLAs, performance tracking, and documented oversight
The cost comparison:
Maintaining proper documentation:
Annual third-party assessment: $25-50K
Documentation systems and compliance: $15-30K
Quarterly board presentations: Internal cost
Total: $200-400K annually
Emergency response when something happens:
Rapid deployment of executive protection: $2-5K per person per day
Scale to multiple executives for months: $5-20M+
Premium increases at next renewal: 30-40% ongoing
Potential uninsured exposure if claim denied: $10-100M+
The math is clear.
What boards should be asking:
Not only "do we have security?"
But "can we prove we have security?"
Specifically:
"When did we last conduct a third-party security assessment?"
"Can we produce board minutes showing we reviewed and approved security measures?"
"If our insurance carrier audited us tomorrow, what documentation could we provide?"
"Do we have an incident response plan that's been tested in the past 12 months?"
"Can we show we identified threats and implemented appropriate countermeasures?"
If your security director or legal counsel hesitates on any of these, you have a gap.
Not a security gap.
An insurance coverage gap.
The shift in underwriting:
I've seen renewal questionnaires that now include:
"Describe your executive threat assessment process"
"Provide dates of last three board security reviews"
"List security vendors and contract terms"
"Describe your incident response testing schedule"
"Provide documentation of security spending over past 24 months"
Companies that can't answer are seeing:
Premium increases of 30-40%
Reduced coverage limits
New exclusions for "inadequate safeguards"
Requirements for security improvements as condition of renewal
In some cases, non-renewal
This is happening right now across industries.
The industries most affected:
Obviously healthcare has heightened focus after recent events.
But I'm seeing increased scrutiny across:
Financial services (executives as targets for extortion/kidnapping)
Pharmaceutical and biotech (controversial products, activist threats)
Energy and extractive industries (environmental activist targeting)
Technology companies with controversial products/platforms
Any company with high-profile, controversial leadership
The common thread: If your executives could be targets, your insurance carrier wants proof you've assessed and mitigated that risk.
What proactive organizations are doing:
The companies getting ahead of this are:
Conducting gap analysis: Comparing current documentation against insurance requirements
Board education: Briefing directors on their fiduciary duty regarding security oversight
Building documentation systems: Creating processes to capture and maintain required records
Engaging third-party assessors: Getting independent validation they can show underwriters
Testing response plans: Moving from theoretical plans to demonstrated capability
Updating policies: Getting board approval for written security protocols
Cost to implement: $150-400K over 6-12 months
Value: Defensible position when renewals come, protection against claim denial, board liability mitigation
The insurance broker gap:
Your insurance broker is incentivized to renew your policies, not to tell you you're non-compliant.
They make money when you stay insured. They lose you as a client if they push too hard on gaps.
So many boards aren't hearing about this until renewal time—when it's too late to build proper documentation.
You need someone whose job is risk mitigation, not risk transfer.
What I recommend:
Immediate (this week):
Pull your D&O, General Liability, and EPLI policies
Search for language about "security," "safeguards," "protection"
Read what they actually require
Compare to what you can document today
Short-term (30-60 days):
Conduct internal gap analysis
Brief board on fiduciary duty regarding security
Identify quick wins (policies you can approve, records you can start maintaining)
Medium-term (90-180 days):
Engage third-party security assessor
Present findings to board (document in minutes)
Approve written security policies
Implement documentation systems
Test incident response procedures
Ongoing:
Quarterly board reviews (documented)
Annual third-party assessments
Regular testing of response plans
Continuous documentation maintenance
The question that matters:
Not "are we secure?"
But "can we prove we're secure?"
Because when something happens—and probability says it eventually will—insurance adjusters won't care about your good intentions.
They'll care about your documentation.
Why I'm sharing this:
I've spent my career in executive protection and security operations.
Recent events have shown me that the security industry and the insurance industry aren't aligned.
We build security programs.
They underwrite risk based on documentation.
And most boards don't realize there's a gap until it's too late.
I'm seeing companies scramble to build documentation after incidents, after renewals, after premium increases.
It's cheaper and smarter to build it proactively.
The opportunity:
While your competitors wait for their renewals to get surprised, you can:
Build defensible documentation now
Present it confidently at renewal
Negotiate better terms
Protect your board from personal liability
Create a strategic advantage
Security shouldn't be reactive.
And it definitely shouldn't be a surprise at renewal time.
If you're a board member, C-Suite, or General Counsel:
Ask your team these questions at your next meeting:
"When was our last third-party security assessment?"
"Can we produce 12 months of documented security reviews?"
"What would we tell our insurance carrier if they asked us to prove we maintain reasonable security measures?"
If you don't get confident answers, we should talk.
I build security programs that protect executives AND satisfy insurance underwriters. Because both matter.