diff --git a/docs/checks.md b/docs/checks.md index 9e569b9ec6a..339e26e8d88 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -73,11 +73,16 @@ result to meet most user needs. Different types of branch protection protect against different risks: - - Require code review: requires at least one reviewer, which greatly + - Require code review: + - requires at least one reviewer, which greatly reduces the risk that a compromised contributor can inject malicious code. Review also increases the likelihood that an unintentional vulnerability in a contribution will be detected and fixed before the change is accepted. + - requiring two or more reviewers protects even more from the insider risk + whereby a compromised contributor can be used by an attacker to LGTM + the attacker PR and inject a malicious code as if it was legitm. + - Prevent force push: prevents use of the `--force` command on public branches, which overwrites code irrevocably. This protection prevents the rewriting of public history without external notice. @@ -182,8 +187,8 @@ However, note that in those overlapping cases, Scorecard can only report what it Risk: `High` (unintentional vulnerabilities or possible injection of malicious code) -This check determines whether the project requires human code review before pull -requests (merge requests) are merged. +This check determines whether the project requires human code review +before pull requests (merge requests) are merged. Reviews detect various unintentional problems, including vulnerabilities that can be fixed immediately before they are merged, which improves the quality of diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index 65fdac3de74..e5db1e2dc10 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml 
@@ -162,11 +162,16 @@ checks: Different types of branch protection protect against different risks: - - Require code review: requires at least one reviewer, which greatly + - Require code review: + - requires at least one reviewer, which greatly reduces the risk that a compromised contributor can inject malicious code. Review also increases the likelihood that an unintentional vulnerability in a contribution will be detected and fixed before the change is accepted. + - requiring two or more reviewers protects even more from the insider risk + whereby a compromised contributor can be used by an attacker to LGTM + the attacker PR and inject a malicious code as if it was legitm. + - Prevent force push: prevents use of the `--force` command on public branches, which overwrites code irrevocably. This protection prevents the rewriting of public history without external notice.
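Review bot: The new sub-bullet in the `docs/checks.md` hunk at `@@ -73,11 +73,16 @@` has wording errors that will ship into user-facing docs: "inject a malicious code as if it was legitm" should read "inject malicious code as if it were legitimate", and "the attacker PR" should be "the attacker's PR"; "LGTM" used as a verb is reviewer slang, so "approve" is clearer for readers outside GitHub culture. Also check the rendered markdown: the first sub-bullet is now nested one level deeper (`  - requires at least one reviewer, which greatly`), but its continuation lines keep the old indentation, so some renderers will not attach them to the nested item. Suggested replacement for the new lines: "- requiring two or more reviewers further reduces the insider risk that an attacker uses a single compromised contributor account to approve the attacker's PR and inject malicious code as if it were legitimate."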
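Review bot: The hunk at `@@ -182,8 +187,8 @@` only moves a line break ("before pull" to the next line) with no change in content; that is harmless but adds churn unrelated to the stated change, so either drop it or mention in the commit message that it is a wrapping fix.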
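Review bot: The `checks.yaml` hunk at `@@ -162,11 +162,16 @@` carries the same "legitm" and "inject a malicious code" errors as the `docs/checks.md` hunk, so both must be fixed together or the two copies will drift. Since the path is `docs/checks/internal/checks.yaml` and the text is identical, if `docs/checks.md` is generated from this YAML the markdown should be regenerated from the corrected source rather than edited by hand; please confirm which file is canonical in the PR description.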