Last week I posted about boards sending executives into Venezuela without a plan.
The DMs told me this hit a nerve.
But here's what surprised me: the people reaching out weren't security directors. They were CEOs, general counsel, and board members asking the same question:
"If something happens, what's our exposure?"
That's the right question. Most companies don't have a good answer.
The gap nobody's documenting
After the United Healthcare CEO was killed in December 2024, I spent months deploying executive protection across the industry. The conversations I had with boards weren't about security tactics. They were about liability.
Directors wanted to know: If we're sued, if shareholders come after us, if regulators ask questions, can we prove we took reasonable steps?
Most couldn't.
Here's the problem: D&O insurance protects board members from lawsuits alleging mismanagement. But when an executive is harmed in a high-risk environment, plaintiffs don't need to prove the board was negligent. They just need to show the board should have known the risk existed and failed to act.
Venezuela right now is a textbook example. The State Department warnings are public. The cartel and colectivo activity is documented. The U.S. government has said it won't provide security for companies operating there.
If your board approves operations in Venezuela without a documented security framework, you're not making a business decision. You're creating plaintiff's exhibit A.
Your K&R policy is a scorecard, not a safety net
Most boards treat Kidnap & Ransom insurance like a checkbox. Pay the premium, file it away, hope you never need it.
That's a mistake.
Your K&R insurer, whether it's a Lloyd's syndicate, Hiscox, AIG, or someone else, isn't just underwriting risk. They're grading whether your security program actually reduces it.
Their assessment hits three things:
Your premiums. A documented protective operation with vetted local assets costs less to insure than "we'll figure it out."
Your response capabilities. Most policies include crisis response consultants. But those consultants are pre-approved by the insurer, not chosen by you. If your in-house team has never coordinated with them, your first introduction will be during an active crisis. I've seen this go badly.
Your coverage. Policies have exclusions. If your security posture doesn't meet the insurer's baseline, you may be paying for coverage that won't pay out.
The smart move is to talk to your K&R insurer before you build your security architecture. Understand their approved response network. Know what documentation they expect. Align your program with their underwriting criteria.
When the board asks "are we covered?", you want a real yes.
What actually holds up
I've spent 20+ years running protective operations in Colombia and Mexico (Iraq and Haiti as well). Over 5,000 personnel in environments where the U.S. government wasn't coming to help. Here's what separates programs that hold up from ones that don't:
Threat assessments are documented, not assumed. "Everyone knows Venezuela is dangerous" isn't a threat assessment. A defensible program has written analysis of specific risks: kidnapping trends by region, political instability indicators, local law enforcement reliability, corruption vectors, route vulnerabilities. Updated quarterly minimum.
Security decisions are tied to business decisions. When the board approves a new site, a new travel route, or a new executive assignment, there should be a security annex attached. What's the threat level? What measures are in place? Who signed off? This paper trail protects directors when things go wrong.
Local assets are vetted, not rented. In Latin America, your driver, your advance team, and your local intelligence network are your first line of defense. If you're hiring through a vendor who's hiring through another vendor, you have no idea who's actually protecting your people. I've seen operations compromised by drivers with cartel connections. Your vetting process matters more than your armored vehicle.
Extraction plans are pressure-tested. Most crisis plans assume 24-48 hours of warning. In Venezuela, you might have 2-4 hours. Your routes, safe houses, and communications need to survive chaos, not just inconvenience. If your plan has never been stress-tested with a realistic timeline, it's not a plan. It's a document.
There's a clear chain of command. When something goes wrong at 2 AM Caracas time, who makes decisions? Who talks to the family? Who coordinates with the K&R response team? Who briefs the board? If the answer is "we'll figure it out," you've already failed.
Three questions to ask right now
If you're a CEO or board member looking at Latin America exposure, Venezuela, Mexico, Colombia, anywhere with elevated risk...start here:
Do we have a written security framework that's been reviewed in the last 12 months? Not a policy buried in an HR manual. A framework that covers executive protection, travel security, crisis response, and documentation. If it doesn't exist or hasn't been updated since before the UHC assassination, you're behind.
What does our K&R insurer actually expect from us? Call your broker. Get the underwriting criteria in writing. Understand what documentation they require, what response resources they provide, and what exclusions apply. Then test your current program against that list.
If something happens tomorrow, can we show we took reasonable steps? Not perfect steps. Reasonable steps. Documented threat assessments. Board-approved protocols. Vetted local partners. Clear chains of command. If you can't produce that paper trail in 48 hours, you're exposed.
The bottom line
The companies that will operate successfully in Latin America won't have the biggest security budgets.
They'll be the ones who understand that executive protection is a board-level responsibility, not a line item to delegate and forget.
The U.S. government has said it won't protect your people in Venezuela. Your K&R insurer is evaluating whether you're worth covering. Plaintiffs' attorneys are watching which companies take documented precautions and which ones don't.
The question isn't "how much will security cost?"
It's "can we defend this decision to shareholders, insurers, and lawyers if we're wrong?"
I've spent a decade building programs that answer that question.
If you're evaluating your exposure right now, reach out.