The Risk You Can’t Insure: How Public Outrage, Social Media, and One Bad Day Can Sink a Company.

What Boards Are Missing After United Healthcare

I got the call after two major assassinations in under a year. The second call revealed risks no one's preparing for.

I was brought in to protect executives at United Healthcare after their CEO was assassinated, along with another 80 other Executive Protection agents.

That made sense. Protecting senior leadership after a high-profile incident. It was straightforward.

Then I got a different call.

A large company was facing all sorts of threats (such as active shooter threats), after a low-level hourly worker posted on Instagram celebrating Charlie Kirk's assassination. She had maybe 200 followers. Large influencers found it and amplified it.

Within hours:

• Credible active shooter threats against the company

• Physical security deployment needed at office locations

• Organized pressure to fire her publicly

• Customer boycott threats

• A full security crisis from one employee's personal post

This wasn't about protecting executives. This was about protecting entire office locations and customers from threats triggered by a low-level employee's social media.

That second call told me what boards are actually missing.

THE 4 RISKS NO ONE'S PREPARED FOR

1. ANY EMPLOYEE CAN TRIGGER A SECURITY CRISIS

The reality:

A low-level hourly worker with 200 followers posted something controversial. Influencers amplified it. Within hours, the company faced credible active shooter threats requiring immediate security deployment.

This wasn't theoretical. I was deploying teams to protect office locations from physical threats created by one employee's personal Instagram post.

The gap:

You have social media policies about trade secrets and confidential information. You don't have frameworks for: "Employee's personal post triggers active shooter threats. Do we fire them, defend them, or something else? Who decides? On what timeline?"

The question: "What's our decision framework when any employee creates a physical security crisis through social media? Who decides? What criteria? How fast can we execute?"

2. IT'S NOT ABOUT TITLES ANYMORE

The reality:

At United Healthcare, we protected over 20 executives, not just the CEO. Brian Thompson led the insurance division, not the parent company UnitedHealth Group Fear in the C-Suite after UnitedHealthcare CEO gunned down | CNN Business. He was the target because of the business he ran, not his title.

Executive security spending jumped 118.9% from 2021 to 2024 Health insurers remove executive bios, images from websites after UnitedHealthcare CEO killing | Healthcare Dive, but most companies still protect by title, not risk.

The gap:

Who's actually at risk in your organization? The CEO who's relatively low-profile? Or the division head running your most controversial business? Around 73% of companies have security arrangements for executives Fear in the C-Suite after UnitedHealthcare CEO gunned down | CNN Business, but most define this by org chart, not by actual threat exposure.

The question: "Who should be covered by our security program based on risk profile, not organizational chart? Have we reassessed post-United Healthcare?

3. PUBLIC ANGER IS A THREAT INDICATOR

The reality:

The United Healthcare killing unleashed public rage over insurance claim denials, pent-up anger at the health insurance industry Guest Post: Managing D&O Compliance, Coverage, and Claims Beyond U.S. Borders | The D&O Diary. The threat wasn't a specific adversary. It was diffuse public sentiment that could materialize into action.

If you operate in insurance, pharma, debt collection, foreclosures, controversial tech, your people face elevated risk from public anger at what your company does.

The gap:

There's no framework for monitoring "people hate our business model" as threat intelligence. No metrics for public sentiment. No thresholds for when diffuse anger becomes actionable risk.

The question: "Do we operate in an industry where public sentiment creates security risk? How do we monitor it? At what threshold does it trigger protective actions?"

4. YOU CAN'T PROVE YOU DID YOUR JOB

The reality:

The companies that called me had security programs. Vendors. Systems. Budgets.

What they didn't have: Documentation proving the board assessed risks and made informed decisions about protective measures.

When the crisis hit, they realized: "We can't prove we fulfilled our oversight duty."

The gap:

After the shooting, boards asked their security chiefs "What do we have in place?" CNN CNBC, and many didn't actually know what they'd already approved or how decisions were made.

"We spent money on security" is not the same as "We assessed risks, made informed decisions, and documented our oversight."

The question: "Can we prove this board assessed security risks and made informed decisions? What documentation would we produce if questioned?"

WHY THIS MATTERS NOW

Both calls revealed the same pattern:

Companies react to obvious risks (protect senior executives after an incident) while missing the emerging ones:

• Any employee can trigger enterprise-wide security crises

• Risk is determined by business exposure, not titles

• Public sentiment creates real, physical threats

• No documentation of board-level oversight

And these risks have:

• No established frameworks

• No industry benchmarks

• No insurance products

• Binary outcomes (nothing happens or something catastrophic)

You're making critical decisions in real-time with no playbook.

Your Next Move

For Board Members:

Ask at your next meeting:

1. "What's our framework when an employee's social media triggers physical security threats?"

2. "Who should be covered by security based on actual risk exposure, not org chart position?"

3. "If we operate in an unpopular industry, how do we assess and monitor threat risk from public sentiment?"

4. "Can we document that we've assessed these risks and made informed decisions?"

If you can't answer these confidently, add them to the audit committee agenda this week.

For CEOs:

Ask your CHRO, GC, and Chief Security Officer:

"Walk me through our decision framework for each of these scenarios. If one happens tomorrow, what's our response protocol and who makes the call?"

If they hesitate or can't give you clear answers, that’s where you start.

For General Counsels:

These are governance and legal risk issues, not just security operations.

Build decision trees now. Document board discussions and decisions. Create response frameworks before you're making judgment calls during an active crisis.

Don't figure out your legal and ethical position while threats are incoming.

THE BOTTOM LINE

I protected executives after United Healthcare. Expected.

I deployed security to protect offices from active shooter threats triggered by an hourly worker's Instagram post. That revealed what's actually missing.

Security spending isn’t the problem, that's jumped 118.9% Health insurers remove executive bios, images from websites after UnitedHealthcare CEO killing | Healthcare Dive. But is that security spending being used correctly?

Frameworks. For risks you can't benchmark. Can't insure. Can't wait to figure out during a crisis.

The boards addressing these now will handle the next incident from a position of strength.

The ones waiting will be making critical decisions under pressure with no framework.

Which one is yours?

I help build frameworks for emerging security and governance risks. If you can't answer these 4 questions, we should talk before the next incident.