On December 4th, 2024, a misguided and mentally unstable person assassinated Brian Thompson, the CEO of United Health Care. To date, there is no evidence that Thompson was targeted for any reason other than his role as CEO of a major insurance company. Regardless of someone’s personal views about the insurance industry, reasonable law-abiding citizens agree killing a company’s employees is reprehensible. The reactions to this abhorrent crime are as shocking as the crime itself, with certain elements of society lauding the suspect, Luigi Mangione, as a hero. This “reputational attack” has become a watershed moment in the EP industry.
In discussions with my industry peers since the attack, there is widespread agreement that companies are increasingly looking to augment or implement EP protection for their CEOs. At the risk of sounding callous, this heightened attention is welcomed only because the industry has been underutilized for many years. The reason for these changes is quite clear but…
…Is adding EP protection for the CEO the right approach?
I have had countless interactions with current and new prospective clients requesting this singularly focused service. When queried, all stated fear of their CEO becoming a target because of negative views towards their company’s products, services, or associations. One financial institution shared they had received death threats in corporate inboxes because of investments in Israeli companies. No one was specifically mentioned in these threats, but it was clear the writer saw the conflict in Gaza as directly related to the investments and felt someone should pay with their life.
If we turn our attention towards the threat actor(s) for a moment, how can we ever stop such attacks? Mangione was outspoken about his dislike of the insurance industry but again there was no evidence he directly targeted Thompson. What if United Health Care had already had a robust EP program in place for Thompson prior to the attack?
Mangione went to great lengths to secure his getaway, so it does not appear he was ready to die for his cause. It is reasonable to assume this well-educated adversary would have found another target. Corporate websites are full of information about organizational structure, often with complete biographies. Would this impact have been any less if it had been another United Health Care executive or board member?
“The duty of care is a fiduciary duty requiring directors and/or officers of a corporation to make decisions that pursue the corporation’s interests with reasonable diligence and prudence. This fiduciary duty of care is owed by directors and officers to the corporation, not the corporation’s stakeholders or broader society.”1
The main driver for the implementation of any EP program must be the duty of care that is applied in a risk-managed approach.
The legal interpretation can be distilled to being reasonably prudent given the information that is available. If your company receives an e-mail stating dissatisfaction with a product or service, “You guys suck!” does not constitute a full EP detail for the entire C suite! That said, with the recent assassination and the troubling trend of online violent rhetoric becoming a societal norm, organisations are encouraged to focus on better understanding the threat towards their organisation in a more holistic fashion.
Specifically, an EP program to counter these reputational attacks should consider the following:
1) A collection strategy to gather negative sentiments towards the organisation and its employees.
The strategy should harness some of the latest technology that can ingest and filter sentiment from a variety of social media platforms. Valuable intelligence can also be gleaned from customer service departments that often deal one-on-one with client issues. Ideally, the organisation would also create an awareness program with clear parameters for reporting ANY threatening behaviors. Unfortunately, we have become conditioned to certain online behavior, making it easy to write off as benign.
The collected data should be examined regularly by personnel with appropriate training in threat recognition and online investigation. As the program matures, a trustworthy baseline will be established that quantifies the sentiments towards the organisation and identifies outliers who make direct or indirect threats.
The EP team should be apprised daily of the current “temperature” of the sentiment towards the organisation, and any direct references to employees and/or the employee’s families. This intelligence should also be shared with the organisation’s site security team(s) so they can adjust the protective posture accordingly.
2) All risk assessments for employees in scope should appreciate the collected threat data.
Conducting a risk assessment for an individual employee or certain corporate events is not a new activity for an EP professional. The nuance here is the risk assessment should expand much further than the classic C suite or board. I am not suggesting every single employee should have a risk assessment, for a variety of reasons. Threat actors planning an attack on the company’s reputation are looking to make a statement of some kind. Attacking the intern in the mail room may have tragic consequences but it’s not going to bring the issue the notoriety they desire.
That said, you may have employees that have little or no public profile yet they may have a temporary duty that raises their profile. As an example, you may have a mid-level employee who is an SME in a certain area and they are asked to present at a public event. EP teams may wish to consider this other segment of employees when assessing risk for an event or corporate travel.
3) EP service should be provided at a variety of flexible levels.
The level of service provided should be aligned with the risk assessments, ranging from full detail in a high-risk environment to very light detail or no EP protection required at all. Again, this is nothing new in this industry yet presently there is an unhealthy focus on CEO roles vice who would be considered a viable target to embarrass or harm the company.
And yes, there are very high-profile executives who work for companies that attract polarized views. These individuals may always require 24/7 EP protection but that is not the majority: not all CEOs run Tesla, Amazon, or Meta. Nor would that approach be sustainable for the business if applied to all executives.
There is a trust dividend for EP providers who can balance the provision of a tiered protection model for their employees in scope. The application of a specific level of protection is tied to the risk assessment that is informed daily with collected and analyzed intelligence. I wouldn’t recommend daily changes to a protection level for an employee but if it’s been months since there has been any active threat intelligence, consideration may be given to moving an employee (or group of employees) to a lower level.
In summary, should you change the way your organisation manages the security of its employees because of the Thompson assassination, ensure you build the new or enhanced program with the right focus in mind.
You will very likely end up adding or augmenting protection for your CEO and others who are publicly facing. Following the risk-based approach vice simply adding one individual based on role description will do far more to protect the organisation. It will also be much easier to articulate a duty of care approach should the organisation need to defend its EP program’s positioning.
To all EP operators – be safe in your duties!
1 Cornell Law School – https://www.law.cornell.edu/wex/duty_of_care
About the Author: Rob Currie has over 35 years of working in public and private sector security, anchored by extensive international experience in federal policing operations, domestic counter-terrorism response, intelligence management & operations, crisis management, cyber investigations, and tactical command. Rob currently designs and delivers corporate security & crisis management programs across a variety of industries in the private sector.
Rob is a retired Royal Canadian Mounted Police (RCMP) officer having served in a variety of roles (Incident Commander (ICS400), drug enforcement, technological crime, national security & tactical unit command). During his law enforcement career, he had the privilege of serving with the Canadian Special Operations Forces Command (CANSOFCOM) from 2006-2010, managing responses to domestic counter-terrorism events as well as support for the war in Afghanistan.
After policing, Rob leveraged his policing incident command and military experience in the following private sector roles: Manager of Physical Security at the Bank of Canada (2015), the Chief Security Officer at Scotiabank (2015-2018), and the VP of Security at Four Seasons Hotels & Resorts (2018-2019).
Rob’s career choices provided him with a wide array of “battle-tested” crisis management experiences such as barricaded persons with hostages, terrorist attacks (Ottawa 2014), high-risk executive protection (Somalia), major cyber attacks (Mafiaboy 2000), warzone digital forensics (Afghanistan), civil unrest, labour disputes, high-risk asset transport and multiple hurricane responses.
Rob is currently the Institute of Strategic Risk Management (ISRM) Canadian Chapter Chairman and was named a Fellow in 2024. Originally from Canada, Rob holds a Bachelor of Science degree in Kinanthropology from the University of Ottawa and has also completed numerous courses in Computer Science at the University of Concordia and Université de Laval. He is fluent in English and French with intermediate Spanish. Rob is an avid Brazilian Jiu-Jitsu practitioner and the 2023 IBJJF middle-weight World Champion.