On July 25, 2024, U.S. authorities arrested Ismael "El Mayo" Zambada Garcia in El Paso. Zambada had quietly held the Sinaloa Cartel together for decades. Within weeks, the consequences were catastrophic. Not for the cartels. For everyone else.

What followed was not a victory in the war on drugs. It was the detonation of a power structure that had maintained a negotiated order across northwestern Mexico for 30 years. The vacuum produced something I would have called impossible two years ago: a working alliance between the sons of "El Chapo" (Los Chapitos) and the Cartel Jalisco Nueva Generacion (CJNG). These two organizations spent years trying to destroy each other. Now they're sharing safe houses.

If you operate a business in Mexico, source from Mexican suppliers, or move goods across the border, this changes your risk calculus. And if you think your SEC filings and insurance policies have you covered, I'd encourage you to read the rest of this.

The decapitation problem, again

I've spent 25 years watching the same pattern repeat across Latin America. Remove a senior leader. Trigger fragmentation. Watch the violence escalate. It happened after every Guzman arrest. It happened in Colombia after Escobar. It is happening now, worse than any previous cycle.

Zambada was not just a drug trafficker. He was the internal mediator who brokered truces, managed feuds, and kept the violence at levels that avoided triggering massive state intervention. His removal did not weaken the organization. It shattered the restraint mechanisms that kept the whole thing from going kinetic.

The "Sinaloa War" has moved through four phases since September 2024. It started as localized clashes in Culiacan. It has become a multi-state, tech-driven conflict involving foreign mercenaries, offensive drone programs, and AI-powered surveillance that has surpassed what the Mexican state can deploy in some corridors.

The numbers: over 1,190 homicides, more than 1,120 disappearances, at least 1,763 families displaced. That is Sinaloa alone.

Why the CJNG-Chapitos alliance changes everything

What makes this different from previous cartel wars is the alliance itself.

Los Chapitos needed firepower and manpower to survive. CJNG wanted the Sinaloa Cartel's fentanyl production expertise and its established trafficking routes. Both sides found something more valuable than continued rivalry: complementary capabilities.

Intelligence reporting puts the formalization at high-level meetings in Zapopan, Jalisco in late 2024. CJNG special operations units are now integrated into the Chapitos operational structure. They share routes, safe houses, and intelligence.

The implications play out across three windows.

In the near term, extreme violence. The combined force is using modified drones for tactical strikes, military-grade signal inhibitors, and encrypted logistics networks that block state interception.

Over the next 12 to 36 months, institutional capture. The alliance is going after logistics infrastructure, particularly the ports of Mazatlan and Manzanillo, to build an integrated corridor from South America through Mexico to the United States. That means deeper infiltration of customs agencies, shipping companies, and local government.

Looking at 2026 through 2030, you get either a criminal hegemon with presence across all 32 Mexican states, or hyper-fragmentation into dozens of autonomous cells competing through indiscriminate violence. Neither is good for anyone trying to run a business.

SEC disclosure: boilerplate that gets people killed

Most publicly traded companies operating in Mexico are lying to their shareholders. Not intentionally. But effectively.

Pull any 10-K from a company with Mexican operations. You will find roughly the same language in the risk factors: "our operations in certain regions may be subject to risks associated with political instability, crime, and civil unrest." It is vague. It is interchangeable. It has been copy-pasted from filing to filing for years.

That boilerplate worked when Mexico's criminal landscape was relatively stable, when the "pax mafiosa" under Zambada kept violence predictable and geographically contained. That world is gone. The threat environment has changed completely, and the disclosures have not.

In January 2026, 10 employees of the Canadian mining company Vizsla Silver were murdered in Concordia, Sinaloa. How many mining and manufacturing companies operating in northwestern Mexico had disclosed anything beyond generic "security conditions" language? How many had disclosed the factional realignment, or the fact that criminal organizations in their operating areas recruit mercenaries with combat experience from Ukraine and deploy armed drones?

The gap between what companies disclose and what they actually face is a litigation target waiting to happen. Shareholders and employees are making decisions based on sanitized language that bears no resemblance to ground truth. When something goes wrong, and in this environment it will, that boilerplate will not protect anyone. It will be exhibit A in the lawsuit.

If your people get hurt, will your risk disclosure hold up under scrutiny? Or did you just check a compliance box?

The insurance fulcrum: who is actually making your security decisions?

Nobody in corporate security wants to talk about this openly, but insurance companies are the ones dictating security posture for most businesses in high-threat environments.

Here is how it actually works. A company decides to operate in Mexico. They need kidnap and ransom coverage, political risk insurance, cargo insurance, general liability. The underwriter assesses the risk, tells the company what security measures are required for coverage, and sets the premium. The company implements exactly what the insurer requires. Nothing more.

The problem is that insurance companies are managing their own financial exposure, not keeping your people alive. The measures they mandate satisfy actuarial models. They do not address the actual threat environment on the ground. There is a big difference between "insurable security posture" and "effective security posture," and most companies never look at that gap because the policy gives them a false sense of protection.

I have seen this play out over and over across Latin America. A company gets a K&R policy, hires the response firm the insurer recommends, puts the minimum travel protocols in place, and calls it done. Nobody on the security team knows which faction controls the territory they are operating in. Nobody has relationships with local stakeholders who can provide early warning. Nobody has contingency plans for the specific dynamics of the current conflict. But the insurance box is checked, so leadership sleeps at night.

The question is not "are we insured?" It is "will the insurer actually pay when we need them to?"

The payout problem: they are not paying

This is where the entire model falls apart.

Insurers have gotten very good at writing policies that look comprehensive on the coverage page but are full of exclusion clauses, compliance conditions, and definitional gotchas that give them room to deny claims exactly when they matter most.

Start with the FTO designation. The Sinaloa Cartel and CJNG were both designated as Foreign Terrorist Organizations in February 2025. Many corporate policies contain terrorism exclusions, or they require specific terrorism coverage with different conditions than standard political risk policies. The line between "criminal activity" and "terrorism" just shifted under the feet of every company operating in cartel-affected territory. Your insurer's legal team noticed. I would bet money yours did not.

Then there is the compliance fine print. Policies require companies to maintain specific security protocols, reporting timelines, and incident response procedures as conditions of coverage. Miss a reporting window by 48 hours. Fail to document that you followed the prescribed evacuation protocol exactly as written. Use a security provider not on the insurer's approved list. Any of these becomes the basis for a denial.

Extortion is another minefield. Companies facing cartel extortion, and in contested territories this is a matter of when, not if, end up in an impossible position. Pay and potentially violate sanctions law or trigger a policy exclusion. Do not pay and face operational shutdown or violence against your people. The policy that was supposed to protect you in this scenario becomes a document the insurer's lawyers use against you.

The pattern is consistent. Premiums are rising. Coverage conditions are tightening. And when companies actually file claims, they are hitting denial rates and legal pushback that would have been unthinkable five years ago. Insurers are repricing Mexican operational risk in real time, but they are doing it on the claims side, not just the premium side. They will take your money. They will not pay it back when your people are in danger.

The "security-shoring" trap

The U.S. is using Mexico's security crisis as leverage. Fentanyl has become the basis for emergency tariff orders, forcing Mexico into trade alignment that limits its own decision-making. Trade policy is being driven by criminal violence, not economic logic.

Mexico spends 0.7% of GDP on security and justice, less than half the OECD average. The OECD revised Mexico's 2026 growth forecast down to 0.6%. The institutional vacuum from chronic underinvestment is being filled by organizations that operate like multinational corporations, with AI analytics, cryptocurrency operations, and mercenaries recruited from conflicts in Ukraine.

The FTO designation has consequences beyond insurance. Any entity that inadvertently facilitates operations of a designated terrorist organization faces criminal and civil liability. If you operate in territory controlled by these organizations, you are paying local taxes that get skimmed, using logistics providers that pay transit fees, employing workers who face extortion. The compliance exposure is real and almost nobody is addressing it.

What to do about it

If you are operating in or sourcing from Mexico, here is what I would tell you based on 25 years of managing security operations in Latin America.

Audit your risk disclosures against ground truth. If your SEC filings still carry the same Mexico language from 2023, you have a disclosure gap that creates legal exposure. The risk factors should describe the actual threat environment, not political instability boilerplate.

Separate your security posture from your insurance requirements. Use the insurance minimums as a floor, not a ceiling. Build your security program around what will actually protect your people based on real threat assessment. Then figure out the insurance. Not the other way around.

Stress-test your insurance coverage. Bring in outside counsel, not your broker, to war-game a major incident against your actual policy language. Look specifically at terrorism exclusions given the FTO designations, compliance conditions you might fail under duress, extortion scenarios, and reporting timelines. Find the gotchas before your insurer does.

Build independent intelligence capacity. You need real-time awareness of territorial control, factional dynamics, and emerging threats in your specific operating areas. Generic country risk reports and your insurer's assessment will not cut it. The threat environment moves faster than quarterly reports.

Plan for escalation with your own resources. The alliance is still consolidating. The most dangerous phase may still be ahead. Have contingency plans for suspending operations, evacuating personnel, and rerouting supply chains that do not depend on your insurer's response firm showing up on time.

El Mayo's arrest did not solve a problem. It created a bigger one. The organizations filling the vacuum are more capable, more aggressive, and more ambitious than anything in Mexican criminal history.

The corporate infrastructure that is supposed to protect businesses in this environment, the SEC disclosures, the insurance policies, the compliance frameworks, is built for a world that no longer exists. Companies are filing boilerplate risk language for a threat that is anything but boilerplate. They are outsourcing security decisions to insurance companies whose first priority is their own balance sheet. And when the worst happens, they are finding out that the safety net they have been paying premiums on was never designed to catch them.

The question for business leaders is not whether this affects your operations. It is whether you are going to keep trusting a system designed to protect everyone except the people on the ground.

Chris Dover has spent 25 years in security operations across Latin America.. He advises companies on threat assessment, operational security, and risk mitigation in high-threat environments.

Connect with me to discuss how this affects your specific operations.