What Vizsla Silver means for every company operating in high-risk environments

A securities class action firm announced an investigation into Vizsla Silver one day after the company disclosed that ten employees had been kidnapped in Mexico.

One day.

The bodies hadn't been found yet. The stock had only dropped 15%. And the lawyers were already circling.

Two weeks later: five workers confirmed dead in mass graves, stock down 42%, roughly $800 million in shareholder value gone.

If you sit on a board, run a company, or advise one — this is the case you need to study. Not because of the tragedy, though that matters. Because of what comes next.

The UnitedHealthcare parallel

We saw this with UnitedHealthcare after the CEO assassination in December 2024. A security event that no risk committee had modeled. Stock volatility. Congressional scrutiny. A national conversation about executive protection.

The Vizsla case is different in the details but identical in the principle: when security fails, the board owns it.

Not the security team. Not the insurance company. Not the country manager. The board.

Shareholders and their lawyers won't ask "could this have been prevented?" They'll ask "did leadership know about the risk, and what did they do about it?"

That's a fiduciary duty question. And it gets answered in discovery.

What happened in Sinaloa

In September 2024, the Sinaloa Cartel split into two warring factions. Los Chapitos stayed loyal to El Chapo's sons. La Mayiza aligned with Ismael "El Mayo" Zambada's family after his arrest on U.S. soil.

The split triggered a civil war. Since September 2024, Sinaloa state has recorded over 1,500 disappearances. Armed clashes between the factions became routine. This was in the news. It wasn't hidden.

Vizsla Silver, a Canadian mining company, was building a major silver project in the middle of it. The Panuco project sits about 50 miles northeast of Mazatlán, in the mountains of Sinaloa. Over 30 million ounces in proven reserves.

In November 2025, Vizsla closed a $300 million convertible notes offering to fund construction. Over $450 million in cash. Production targeted for late 2027. In January 2026, the CEO called 2025 "an extraordinary year."

Eight days later, ten employees were kidnapped from company housing near the project site.

By February 9, families were identifying bodies in a morgue in Mazatlán. The suspects told investigators they confused the miners with members of a rival cartel.

That's the explanation. Ten men taken, at least five dead, because gunmen made an assumption in a war zone.

The disclosure question

In its securities filings, Vizsla acknowledged "risks associated with the conduct of the Company's mining activities in Mexico" and stated it may be "unable to obtain insurance to cover all risks, on a commercially reasonable basis or at all."

That's standard boilerplate. Every mining company operating in a sketchy jurisdiction has something like it.

But boilerplate is one thing. The question is whether the company's risk disclosures matched what was actually happening on the ground.

By September 2024, the cartel civil war had started. By November 2025, when Vizsla was raising $300 million, the violence in Sinaloa was well-documented. News reports. NGO tracking. State Department advisories. Anyone paying attention knew the region had become a conflict zone.

Was any of this in the updated risk disclosures? Did the board get briefings on the security situation? Were shareholders told the company was housing employees in a region with active armed conflict?

Those questions get answered in discovery.

The insurance gap

Mining companies in high-risk areas usually carry K&R insurance, political risk insurance, business interruption coverage, and D&O policies.

Every one of those has exclusions.

K&R policies often exclude situations where the company didn't implement security measures the insurer recommended. If Vizsla got recommendations and didn't follow them, coverage could be denied.

Political risk policies may exclude "foreseeable" events. If the underwriter decides cartel violence in Sinaloa was foreseeable — and it was all over the news — the claim gets contested.

D&O policies exclude fraud, willful misconduct, and sometimes failure to disclose known risks. Coverage limits run $10-50 million for a company Vizsla's size. That gets burned through fast in securities litigation.

The stock lost $800 million in value. Insurance won't make shareholders whole. And if claims get denied because of exclusions, directors are exposed personally.

What plaintiffs will probe

A plaintiff's attorney building a case against Vizsla's board will dig into four areas.

Risk assessment. Did the board get regular briefings on security in Sinaloa? Who delivered them? Were they qualified? Did they have ground-level intel? Were the briefings documented?

Mitigation. What security was in place at the housing facility? Armed guards? Secure transport? Evacuation protocols? Had anyone tested them?

Disclosure. Were shareholders told the company was operating in an active conflict zone? Did risk factors get updated as conditions got worse? If a plaintiff's attorney lines up the company's disclosures against news coverage from the same period, does the board look informed or clueless?

Warnings ignored. Did anyone — Mexican authorities, security consultants, insurers, employees — tell the company the Concordia site was high risk? If they did and nothing changed, the exposure gets worse.

None of this means Vizsla's board screwed up. The investigation is ongoing. But this is how these cases get litigated. Every board operating in similar environments should understand it.

The conversation you should be having

If you're on a board, in the C-suite, in the GC's office, or running security — the Vizsla case should trigger a review of your own exposure.

Risk assessment. When did your board last get a security briefing on your highest-risk locations? Who gave it? What were their qualifications? Was it documented? Are you relying on internal staff who don't have regional expertise, or outside specialists who actually understand the threat environment?

Disclosure. Do your SEC filings reflect actual conditions on the ground, or the same boilerplate you've used for years? If conditions have changed — and they have in a lot of places — have your disclosures kept up?

Insurance. Have you reviewed your K&R, political risk, BI, and D&O policies with outside counsel in the last year? Do you know the exclusions? Have you stress-tested coverage against a scenario like Vizsla?

Operations. Are your security measures matched to the actual threat level, or to what you're comfortable spending? If you had to shut down tomorrow, what's the plan? How long can you hold? Who makes the call to pull out entirely?

Most boards don't want to have this conversation. Security is a cost center. Risk disclosures get written by lawyers trying to minimize exposure. Insurance is something you buy and forget.

And then ten workers get kidnapped because cartel gunmen confused them with a rival faction, and everyone wants to know what the board knew and when.

Where this is heading

Five years ago, most boards treated cybersecurity as an IT problem. Technical. Operational. Three layers below the boardroom.

Then came SolarWinds. Colonial Pipeline. Ransomware shutting down hospitals. SEC enforcement actions against companies that didn't disclose breaches. Cyber became a board-level issue overnight. Dedicated committees. Quarterly briefings. Personal liability for directors who didn't pay attention.

Physical security in high-risk jurisdictions is on the same path.

The plaintiffs' bar has found a new category of corporate governance failure. The news cycle keeps delivering examples — executive assassinations, employee kidnappings — that boards can't call unforeseeable anymore.

Companies that build real security oversight before something happens will be able to defend themselves. Companies that wait will be explaining themselves in depositions.

A different threat model

The real lesson from Vizsla isn't about Mexico or cartels or mining. It's about how boards think about security.

Standard corporate security assumes you can identify threats and build controls against them. Figure out who might target your people, harden your defenses, maintain awareness.

That breaks down in a place like Sinaloa.

The Vizsla workers weren't targeted for who they were. They weren't grabbed for ransom. They weren't extorted for mine access. The suspects say they got taken because gunmen thought they were someone else.

Your company doesn't have to be a target to become a casualty.

That means asking a different question. Not just "what would make our people a target?" but "what would make our people look like someone else's target?"

Most corporate security programs don't answer that. Most boards have never thought about it.

After Vizsla, they will.

About Centinela Intel

I've spent 25 years running security operations across Latin America and other high-threat environments. Large-scale programs. Thousands of personnel. Places where the threat picture changes daily.

I built Centinela Intel to give boards, executives, and security teams the ground truth on what's happening in Latin America. Threat patterns. Criminal tactics. Operational context. The stuff that doesn't make it into sanitized corporate risk reports.

The Latin America Intelligence Brief goes out weekly. It's for people responsible for personnel and assets in the region who need to understand the security environment well enough to make real decisions.

If the Vizsla case made you uncomfortable, good. That means you're paying attention.

The newsletter is free. centinelaintel.com