Businesses around the world faced no shortage of risks in 2023, whether it was from natural disasters and climate impacts, cybersecurity and artificial intelligence threats, or regulatory and compliance concerns. Here is a review of some of the year’s most notable risk events, highlighting top challenges risk professionals had to address in 2023 and some that will shape the risk landscape moving forward into 2024.
Polar Vortex Brings Record Cold to Northeastern U.S.
February 2
A polar vortex accompanied by strong winds powered through portions of the Northeastern United States, resulting in extremely cold temperatures across the region. During the cold snap, the peak of Mount Washington in New Hampshire saw temperatures drop to -47°F accompanied by 97 mile-per-hour winds, creating a wind chill of -108°F, the coldest ever recorded in the United States. In Portland, Maine, the wind chill hit a record low -45°F, while other areas of the state reported “frostquakes”—earthquake-like tremors caused by soil cracking suddenly in the cold. As cities and towns from Vermont to New Jersey endured record or near-record cold, thousands of people experienced power outages and airlines canceled more than 1,800 flights over a three-day period. Overall, NOAA’s National Centers for Environmental Information estimated that the cold caused $1.8 billion in damages.
Earthquakes in Turkey and Syria Kill 60,000 People
February 6
A series of massive earthquakes, the largest of which registered a magnitude 7.8, struck the Turkey-Syria border, killing nearly 60,000 people, injuring more than 120,000 and destroying hundreds of thousands of buildings. The widespread devastation in the region displaced millions of people in both countries, forcing them to move to temporary shelters and camps. The World Bank estimated the cost of physical damages and indirect losses in Syria at about $5.2 billion. In Turkey, where the impact was more severe, government officials put the cost of direct physical damage from the earthquakes at $55.8 billion and indirect economic costs at $12.2 billion. In terms of insured losses, it was the costliest catastrophe event in Turkey’s history, with catastrophe insurance data provider PERILS estimating that insurance losses from the disaster could be as much as $3.2 billion.
White Castle Found Liable for More Than $17 Billion in Biometric Privacy Case
February 17
The Illinois Supreme Court found that fast-food chain White Castle’s practice of scanning employees’ fingerprints without their consent constituted multiple violations of the Illinois Biometric Information Privacy Act (BIPA), rather than a single violation. White Castle had implemented a system in which employee fingerprints were scanned during onboarding and then scanned again for authorization each time the employee wanted to access computer systems and pay stubs. While White Castle argued that only the initial scan was a potential violation of BIPA, the court disagreed. Since BIPA imposes penalties of $1,000 per violation and $5,000 for violations deemed reckless or intentional, the company faced massive potential liability across its 9,500 employees. As a result of the court’s 4-3 decision, White Castle could have to pay more than $17 billion in damages, an amount that could potentially bankrupt the company.
Silicon Valley Bank Collapse Sparks Banking Crisis
March 10
U.S. banking regulators seized control of Silicon Valley Bank (SVB) after fears about the financial institution’s solvency sparked a record bank run in which customers withdrew $42 billion in a single day. Examining the causes of the collapse, many experts pointed toward SVB’s poor risk management practices, including insufficient risk oversight and a lack of asset diversification that made it especially vulnerable to interest rate and liquidity risk. Before being shut down, the company had been without a chief risk officer for eight months. Days later, Signature Bank and Silvergate Bank also failed due to liquidity issues as well as their exposure to the declining cryptocurrency market. Although the Federal Reserve initiated an emergency lending program to help shore up bank balance sheets and stop the crisis from spreading, it was not enough to prevent another collapse. On May 1, First Republic Bank was shut down after experiencing its own run on deposits. In terms of assets at the time of their demise, First Republic, SVB and Signature represent the second-, third- and fourth-largest bank failures in U.S. history, surpassed only by the collapse of Washington Mutual in 2008.
Canada Endures Unprecedented Wildfire Season
May 1
According to the Canadian Interagency Forest Fire Centre, 2023 was Canada’s worst wildfire season on record by a staggering margin. Over 6,500 fires burned more than 45 million acres—more than twice the area burned in the previous record season and nine times greater than the historical average. The fires impacted every Canadian province, forcing more than 155,000 people to evacuate their homes, inflating health costs across the country, and disrupting businesses, particularly in the oil and gas industry. The blazes killed six people, including firefighters. According to experts, the fires were exacerbated by climate change, which created warmer temperatures and drier-than-normal ground conditions. This allowed for more intense and longer-burning fires that spread to areas not typically affected or adequately prepared for such conditions. In June, smoke from the fires spread across a wide swath of North America, creating toxic levels of air pollution for communities from Canada to the Southeastern United States. At various points during the month, the air quality in cities like Toronto, New York and Chicago was the worst in the world.
Meta Fined €1.2 Billion for GDPR Violation
May 22
In May, Ireland’s Data Privacy Commission handed down the largest fine to date since GDPR went into force five years ago. EU regulators fined Facebook parent company Meta €1.2 billion following an inquiry by the Irish Data Protection Authority that found Facebook was improperly transferring personal data of EU residents to the United States for years, violating GDPR data transfer requirements. Meta was also ordered to cease the unlawful processing and storage of European user data in the United States and bring processing operations into compliance with GDPR within six months. European Data Protection Board Chair Andrea Jelinek noted the board found Meta’s violations especially serious because the transfers at issue were “systematic, repetitive and continuous” and, given the number of Facebook users in Europe, the volume of data at issue was massive. Regulators have fined Meta a total of more than €2.5 billion since the implementation of GDPR in 2018, including five of the top 10 largest GDPR fines to date, according to data aggregated by software firm Data Privacy Manager. Overall, businesses have been fined a total of more than €4 billion under the EU’s data protection regulation.
3M Settles PFAS Lawsuits for Up to $12.5 Billion
June 22
3M agreed to pay between $10.5 billion and $12.5 billion to settle hundreds of lawsuits brought by U.S. municipalities. These communities claimed the company contaminated public drinking water supplies with toxic per- and polyfluoroalkyl substances (PFAS). Three other companies—Chemours, DuPont and Corteva—reached a similar $1.2 billion settlement earlier in the month. PFAS have been used for decades in a wide range of products including textiles, furniture, cookware, food packaging, cosmetics, medical devices and firefighting foam, but have also been linked to various cancers, liver disease, immune system deficiencies and other health problems. Often referred to as “forever chemicals,” PFAS resist breakdown in both the environment and the human body. The settlements are intended to help cities and towns test and treat PFAS contamination. More than 15,000 PFAS claims are still pending against chemical companies.
Banks Fined Over WhatsApp, Other Communication Apps
August 8
The Securities and Exchange Commission levied a total of $289 million in fines against 11 financial services firms, including Wells Fargo, BNP Paribas, Société Générale and Bank of Montreal. The banks were charged with failing to properly maintain and preserve electronic communications, specifically those exchanged through private messaging platforms like iMessage, WhatsApp and Signal on employees’ personal devices. In a related civil action, the Commodity Futures Trading Commission fined four banks a total of $260 million for the use of the unapproved communication methods. As part of the SEC order, the firms also agreed to work with compliance consultants to review policies and procedures for the retention of electronic communications found on personal devices and for addressing employee noncompliance. The action is part of a continuing effort by the SEC to crack down on “off-channel” communications. In 2022, the agency issued $1.8 billion in fines to another group of banks for similar record-keeping violations.
100 People Killed in Hawaiian Wildfires
August 8
A series of major wildfires raged through the town of Lahaina on the Hawaiian island of Maui, burning more than 17,000 acres of land, destroying 2,200 homes and businesses, and killing 100 people. The death toll is the highest for a U.S. wildfire since 1918. The severity of the wildfires can be attributed to various causes including the spread of non-native vegetation that is more susceptible to fire; hot, dry conditions on the island related to climate change; and high winds generated by Hurricane Dora, a Category 4 storm that had formed over a nearby region of the Pacific Ocean. According to NOAA, physical damages totaled an estimated $5.5 billion, not including current and future disruption to tourism or government catastrophe response spending.
Hurricane Hilary Prompts Southern California’s First Tropical Storm Warning
August 20
After undergoing massive intensification, Hilary peaked as a Category 4 hurricane over the Pacific Ocean, ultimately reaching sustained winds of 145 miles per hour. It made landfall as a tropical storm in the Baja California region of Mexico on August 20, then moved into California as a tropical storm before transitioning into a post-tropical cyclone and bringing torrential rains across the Southwest. Hilary was the first tropical storm to hit California since Nora in 1997, and the “catastrophic and life-threatening flooding” anticipated from the storm prompted the first-ever tropical storm warning for Southern California. The storm dropped approximately a year’s worth of rain on Death Valley National Park, shattered record rainfall totals in parts of California, and set new records as the wettest tropical or post-tropical storm to ever hit Idaho, Montana, Nevada and Oregon. According to Karen Clark & Company, insured losses totaled over $600 million across the Western United States.
Hurricane Idalia Strikes Florida
August 30
After peaking offshore as a Category 4 storm, Hurricane Idalia made landfall in northern Florida’s Big Bend region as a Category 3, causing flooding and damage to homes, businesses, farmland, vehicles and infrastructure. While relatively low population density in the region helped reduce the overall physical exposure and damage costs, Verisk estimated insured damages still totaled $2.5 billion to $4 billion. By mid-November, the relatively mild 2023 Atlantic hurricane season had produced seven hurricanes, three of which were major hurricanes, with only Idalia causing more than a billion dollars in damages. The season’s second-most costly storm was Tropical Storm Ophelia, which caused widespread flooding and power outages throughout the East Coast of the United States, resulting in about $450 million in damages.
2023 Breaks Heat Records
September 6
With persistent heatwaves scorching much of North America, Europe and Asia, average global temperatures shattered records with alarming regularity in 2023. June to August marked the Earth’s hottest three-month span on record, according to data from the European Union’s Copernicus Climate Change Service. The global average temperature during this timeframe was 62.19°F (16.77°C), which was 1.19°F (0.66°C) above average—a significant margin in terms of seasonal temperature variations. Each month in this period also set a new mark for the hottest since record-keeping began. The historic warmth continued into the fall, with global average temperatures reaching new highs every month. September was not only the warmest on record, it was warmer than the average July from 2001 to 2010, said NOAA Chief Scientist Dr. Sarah Kapnick. By November, researchers determined that the Earth had just experienced its hottest 12-month period on record and that 2023 was virtually certain to surpass 2016 as the hottest calendar year ever.
Cyberattack Costs MGM Resorts $100 Million
September 10
Casino and hotel company MGM Resorts was the victim of a cyberattack that caused a 10-day disruption in operations across its properties, shutting down slot machines, ATMs and digital hotel room keys and disabling its website and online booking systems. After the company voluntarily shut down certain computer systems to protect its data, workers could only accept cash payments, issue paper vouchers for casino winnings and provide manual check-in and physical keys for hotel guests. MGM confirmed that the hackers were still able to gain access to the personal information of some customers who had transacted with the company before March 2019. According to an SEC filing, the attack cost the company more than $100 million in third-quarter earnings. In a separate filing, fellow casino operator Caesars Entertainment disclosed that it paid a $15 million ransom several weeks earlier to the same group behind the MGM attack after its customer data was exposed in a telephone-based social engineering attack.
Chinese Tutoring Company Settles First AI Bias Lawsuit
September 11
In the first-ever employment discrimination settlement involving AI bias in the hiring process, China-based tutoring company iTutorGroup agreed to pay $365,000 to resolve a lawsuit brought by the U.S. Equal Employment Opportunity Commission (EEOC). The EEOC alleged that iTutorGroup programmed AI software to automatically weed out female job applicants over 55 years old and male applicants over 60 years old. As a result, iTutorGroup unlawfully rejected more than 200 qualified job-seekers in the United States because of their age. Although iTutorGroup denied any wrongdoing in the case and no longer hires workers in the United States, the settlement stipulates that, should it resume U.S. operations, it will need to provide training for those involved in hiring tutors and develop a robust anti-discrimination policy. The settlement follows a 2021 EEOC initiative designed to ensure U.S. employers using AI software comply with anti-discrimination and equal employment opportunity laws.
Authors Sue ChatGPT for Copyright Infringement
September 19
A group of prominent authors, including John Grisham, Jonathan Franzen, Jodi Picoult and George R.R. Martin, sued ChatGPT creator OpenAI for allegedly using their copyrighted works without permission or compensation to form the datasets that train its popular generative AI chatbot. The complaint seeks monetary damages for lost licensing opportunities and copyright infringement. The plaintiffs also expressed concerns over the use of ChatGPT to generate low-quality ebooks, impersonate authors and displace human-authored books, thereby usurping their market and livelihoods. Similar lawsuits have also been filed by authors like Michael Chabon and comedian Sarah Silverman against OpenAI and Meta. The suits are an example of the host of risk issues that emerged around generative AI tools in 2023, including questions of cybersecurity, data privacy, information accuracy and intellectual property ownership. In April, for example, Samsung had to scramble to regain control of sensitive internal information after it was accidentally uploaded to ChatGPT and essentially made publicly available. As a result of these kinds of issues, many organizations have created internal policies regulating the use of generative AI tools in the workplace to mitigate potential risks (see “Generating Risk: New Exposures from ChatGPT and Other AI Tools”).
Gunman Kills 19 People in Maine Shooting
October 25
Nineteen people were killed and thirteen injured during a shooting at a bowling alley and a bar in Lewiston, Maine. It was the year’s deadliest mass shooting in the United States and the 10th deadliest in U.S. history. According to the nonprofit Gun Violence Archive, as of November 15, 2023 saw 603 mass shootings in the United States—defined as incidents with four or more people shot or killed. These incidents include a January shooting at a dance studio in Monterey Park, California, in which 12 people were killed, a mall shooting in Allen, Texas, in May where nine people were killed, and a May shooting in Atlanta that sparked a citywide manhunt for the perpetrator and forced the early closure of RIMS’ annual RISKWORLD conference.
Hurricane Otis Hits Mexico as a Category 5 Storm
October 25
In the span of only 24 hours, Hurricane Otis went from a tropical storm to a Category 5 hurricane before making landfall near Acapulco. With sustained wind speeds of 165 miles per hour, Otis was the strongest hurricane to ever hit Mexico’s Pacific coast and the first recorded Category 5 hurricane to make landfall from the Eastern North Pacific. As storms become increasingly destructive, exacerbated by changing climate patterns, Otis underscored the challenges of accurately modeling storms and forecasting dynamic risks like rapid intensification. Indeed, according to catastrophe modeler Moody’s RMS, “no hurricane or global deterministic forecast model available early on October 24 had indicated that Otis was on the brink of rapid intensification.” Otis left behind catastrophic damage, most notably due to wind, and the modeler projects insured losses will fall between $2.5 billion and $4.5 billion. Much of the damage was either uninsured or underinsured, particularly outside of coastal commercial property, and the firm anticipates Otis will go down in history as one of Mexico’s costliest storms in terms of both economic and insured losses.
Biden Administration Issues Executive Order on AI
October 30
President Joe Biden issued a sweeping executive order intended to promote the “safe, secure and trustworthy” development of artificial intelligence. The order calls for the creation of new AI safety and security standards that include requirements for AI system developers to disclose safety test results; guidance for detecting AI-generated content and authenticating official content to avoid fraud and deception; and the establishment of a cybersecurity program to develop AI tools to fix vulnerabilities in critical software. Additionally, the order outlines steps for protecting consumer privacy; preventing AI algorithms from being used to further discrimination; promoting the responsible use of AI in healthcare and education; addressing the impact of AI on the labor market; expanding opportunities for AI research and development; and developing standards for responsible AI use both internationally and within the federal government.
Striking Actors Secure AI Protections
November 9
Members of the Screen Actors Guild American Federation of Television and Radio Artists (SAG-AFTRA) reached a deal with the Alliance of Motion Picture and Television Producers, ending their 118-day strike, the longest labor stoppage in the union’s history. Combined with a strike by the Writers Guild of America that ended in September, labor disputes with Hollywood studios led to a halt in movie and television throughout the summer, costing the Southern California economy $6.5 billion. The agreement between Hollywood studios and SAG-AFTRA includes the largest increase in minimum wage in the last 40 years, as well as a new residual payment structure and bonuses for popular streaming content. The agreement also addresses concerns around generative AI, stipulating that studios must obtain an actor’s consent to create and use digital replicas and alter performances. Actors are also entitled to compensation at their usual day rate for production work they would have otherwise been paid for if they had not been replaced with a digital replica.
U.S. Climate Assessment Reports Extreme Weather Risks Are Increasing
November 14
The U.S. government released the Fifth National Climate Assessment, a congressionally mandated interagency report on climate change risks and impacts across the country. According to the report, extreme weather events are incontrovertibly increasing—in the 1980s, the United States experienced, on average, one billion-dollar disaster every four months. The country now averages one every three weeks. In fact, 2023 set a new record for such events with 25 (as of November 8), according to NOAA. Each year, these disasters cost the United States close to $150 billion—a conservative estimate that does not account for loss of life, health care costs or ecosystem damages. Experts expect climate impacts to intensify over the next decade and affect every region of the country as extreme weather and sea level rise threaten property, infrastructure, ecosystems, water supply, public health, food security, livelihoods and the economy. The report suggested, however, that while some of these impacts are unavoidable at this stage, it may still be possible to reduce climate risks and impacts for future generations. This effort will require the widespread implementation of currently available options for reducing emissions alongside rapid expansion of technologies and methods to remove carbon from the atmosphere, as well as broader mitigation and adaptation actions involving large-scale technological, infrastructure, land-use, governance and behavioral changes.
SEC Cyber Reporting Requirements Go into Force
December 15
After a lengthy rule-making process and comment period, the SEC’s long-awaited cyberrisk reporting requirements (see “SEC Cyber Rules Signal New Enforcement Plans”) officially go into force in December 2023. The rules require publicly listed companies to file disclosure reports for any cyber incident—accidental or malicious—that will have a material impact on the organization’s financial or operational status, and to do so within four days of determining materiality. Perhaps more significantly, the SEC amended 10-K forms (20-F for foreign issuers) to add required disclosures about cybersecurity risk management, strategy and governance, which organizations must report annually for all fiscal years ending on or after December 15, 2023. SEC Chair Gary Gensler noted the goal of these requirements is to make cybersecurity reporting more “consistent, comparable and decision-useful” as cyberrisk management proves an increasingly core factor in companies’ financial performance, operational viability and desirability for investors.