Year in Risk 2019

Morgan O'Rourke , Hilary Tuttle , Adam Jacobson


December 2, 2019

Feature Year in Risk

As the risks businesses face become increasingly interconnected and far-reaching, risk professionals must broaden their perspective on both the traditional and emerging threats that can affect their organization. Whether it is a natural disaster exacerbated by climate change, the latest cyberattack scheme or a new regulatory requirement, risks come from all angles. The following review of some of the most notable risk events of 2019 can help risk professionals be better prepared to meet the challenges ahead.

Copyrights Expire After 20-Year Reprieve
January 1
On January 1, the copyrights expired for tens of thousands of works released in 1923, including classic films, plays, songs and books from the likes of Charlie Chaplin, Cecil B. DeMille, George Gershwin, Louis Armstrong and Agatha Christie. These works are now in the public domain, which means that anyone can broadcast, republish, distribute or remix them without first having to seek permission or pay any royalties to the original rights holder. This was the first set of creative works to enter the public domain since the Copyright Term Extension Act of 1998, which extended the length of a copyright from 75 years to 95 years, or from 50 years after the author’s death to 70 years.

Fiat Chrysler Reaches Settlement Over Diesel Emissions Violations
January 10
The U.S. Department of Justice announced that Fiat Chrysler agreed to pay $305 million to settle allegations that it used illegal software on 104,000 diesel-powered Dodge Rams and Jeep Grand Cherokees to cheat on emissions tests in violation of the Clean Air Act, as well as another $6 million for the illegal import of 1,700 noncompliant vehicles. The company also agreed to implement a recall and repair program to fix the affected vehicles, offer extended warranties on the repaired vehicles, and take steps to mitigate excess pollution from them, which could add another $185 million in costs. In addition, Fiat Chrysler will pay $19 million to California to settle similar state regulatory violations. In a separate announcement, the automaker also agreed to pay $280 million to settle a lawsuit brought by vehicle owners.

France Fines Google €50 Million Under GDPR
January 21
France issued the largest GDPR-related fine at the time, levying a €50 million penalty (about $55 million) against Google. According to France’s data protection regulator, CNIL, Google was not transparent enough about how user information was collected, stored and disseminated, and failed to obtain proper consent to process user data for ad personalization across its entire range of services. Google appealed the fine, in part citing concern about the impact on “publishers, original content creators and tech companies in Europe and beyond.”

Wynn Resorts Fined $55 Million in Sexual Misconduct Scandal
February 26
The Nevada Gaming Commission fined Wynn Resorts a state record $20 million for failing to report and investigate sexual harassment and assault allegations made by a number of female employees against former CEO Steve Wynn. Similarly, Massachusetts gaming regulators levied a $35 million fine against the company in April for concealing information about sexual harassment allegations during a suitability investigation the state conducted prior to granting a license to build a casino. Current CEO Matthew Maddox was also fined $500,000 for not investigating a misconduct complaint. Wynn Resorts was allowed to retain its casino license in both states.

SEC Names Its First Chief Risk Officer
February 28
The U.S. Securities and Exchange Commission announced that it was appointing Gabriel Benincasa as its first chief risk officer. SEC Chairman Jay Clayton created the position to strengthen the agency’s risk management and cybersecurity efforts after the discovery of a 2016 breach in which hackers broke into the agency’s EDGAR database and gained access to information about publicly traded companies to use for illegal trading. Benincasa will coordinate the SEC’s efforts to identify, monitor and mitigate key risks facing the agency and advise on other matters related to enterprise risks and controls.

Alabama Tornado Kills 23
March 3
A rare EF4 tornado with wind speeds reaching 170 miles per hour touched down in Lee County, Alabama, cutting a mile-wide swath of destruction. By the time it dissipated after traveling some 70 miles, at least 23 people had been killed. It was the deadliest tornado in the United States since 2013, when an EF5 tornado killed 24 in Moore, Oklahoma, and the strongest since 2017, when another EF4 struck Canton, Texas. The tornado was part of a larger outbreak of more than 30 twisters that tore through Alabama, Florida, Georgia and South Carolina during the same weekend, destroying more than 1,000 homes and businesses.

All Boeing 737 MAX Aircraft Grounded After CrashesFeature Year in Risk Boeing
March 13
After two crashes killed a total of 346 people in five months, airlines and federal governments around the world grounded all Boeing 737 MAX aircraft. On October 29, 2018, Lion Air flight 610 crashed after takeoff in Jakarta, Indonesia, followed by the March 10, 2019, crash of Ethiopian Airlines Flight 302 just minutes after departure from Addis Ababa, Ethiopia. Investigators believe problems with a newly introduced safety feature called the Maneuvering Characteristics Augmentation System (MCAS) may have caused the accidents. In October, Boeing reported that costs of the continued grounding of the 737 MAX had reached $9.2 billion from lost revenue, compensation to victims’ families, and compensation to airlines that have lost business due to cancelled flights and unfilled aircraft orders. Boeing also faces lawsuits from pilots over lost wages.

Southern African Nations Endure Catastrophic Cyclone
March 14
Madagascar, Mozambique, Zimbabwe and Malawi were hit hard by Cyclone Idai, which brought strong winds, heavy rains and flash flooding that affected three million people in the region, causing more than 1,300 deaths and an estimated $2 billion in damage to infrastructure, homes and crops. The storm is the deadliest and costliest ever recorded in the South-West Indian Ocean basin. The lack of clean water in the storm’s aftermath also led to a cholera outbreak in Mozambique, with more than 6,000 confirmed cases before it was contained in May. Six weeks after Idai made landfall, Mozambique was hit again by Cyclone Kenneth, which caused 52 deaths and another $100 million in damages.

Mosque Shooting Prompts New Zealand Gun Ban
March 15
A terrorist gunman killed 51 people and injured 49 others in two mosque shootings in Christchurch, New Zealand. The shooter reportedly expressed white supremacist, anti-immigrant and anti-Muslim views that authorities believe motivated the attack. Less than a month after the massacre, the New Zealand government passed a law banning most semi-automatic weapons and assault rifles, as well as magazines and any parts that can be used to assemble prohibited weapons. The government also initiated a six-month buy-back program that had collected more than 19,000 guns by mid-September. A royal commission that was convened to investigate how the attack could have been prevented is expected to release its findings next year.

Fisher-Price Recalls Sleepers After Infant Deaths
April 12
Fisher-Price recalled 4.7 million Rock ‘n Play Sleepers after a Consumer Reports investigation revealed that the product was tied to at least 32 infant deaths since 2009. According to researchers, the design of inclined sleepers like the Rock ‘n Play increases the risk of accidental suffocation and strangulation. Manufacturers Kids II and Dorel Juvenile subsequently issued recalls of similar infant sleeper products as well. In November, the U.S. Consumer Product Safety Commission warned consumers to stop using all infant sleepers—even models that have not been recalled—after connecting as many as 73 infant deaths and 1,100 incidents to the products between January 2005 and June 2019. Fisher-Price and parent company Mattel face multiple lawsuits from victim’s families alleging defective design and negligence.

Fire Damages Notre Dame Cathedral
April 15
A fire in the Notre Dame cathedral in Paris caused massive damage to the 700-year old landmark’s spire, roof and walls that experts believe could take decades and billions of dollars to repair. While the cause of the fire remains unknown, authorities said there was no evidence that it was set deliberately, instead suspecting it was due to an electrical short, perhaps related to an ongoing renovation project. Months after the fire melted the lead-covered roof, lead concentrations in the surrounding plaza and adjacent roadways remained extremely high, raising concerns about the impact on nearby residents.

550 Workers Die After Indonesian Election
April 17
Following Indonesia’s general election, more than 550 election workers and security officers died from fatigue and overwork-related illnesses, including heart attacks, strokes and respiratory failure, while another 4,300 workers fell ill. Considered the most complex single-day election in the world, more than 240,000 candidates vied for 20,000 seats in simultaneous national and regional votes at both the presidential and legislative levels. Seven million workers staffed more than 800,000 polling stations to serve the country’s 193 million eligible voters. Indonesian officials are reportedly considering a variety of measures to ease the burden on election workers before the next general elections in 2024, including deploying more medical personnel, separating national and local elections, and adopting electronic voting machines.

Deadly Cyclone Strikes IndiaFeature Year in Risk Fani
May 3
The Category 4 storm Cyclone Fani made landfall near Puri in the Indian state of Odisha, destroying buildings, homes and crops, killing at least 89 people and causing an estimated $8.1 billion in damages throughout eastern India. While it was the deadliest cyclone to strike Odisha in decades, the death toll paled in comparison to a Category 5 cyclone that killed more than 10,000 people there in 1999. Experts attributed the lower casualty numbers to improved disaster preparedness and storm tracking measures, and a concerted effort by government authorities to inform the public about the impending threat by deploying 1,000 emergency workers and 43,000 volunteers, sending some 2.6 million text messages, and broadcasting alerts on television and public address systems. In addition, more than one million people were evacuated in less than 48 hours from the high-risk areas in the storm’s path.

Ransomware Wave Crashes U.S. CitiesFeature Year in Risk Ransomware
May 7
The city of Baltimore was the victim of a ransomware attack that forced the shutdown of many online services, resulting in an estimated $18.2 million in lost revenue and system restoration costs after officials refused to pay the 13 bitcoin ransom (then about $76,000). U.S. cities have increasingly been the target of ransomware attacks (see page 30). Cybercriminals also targeted several Florida town governments in May and June, with Lake City paying nearly $460,000 and Riviera Beach paying almost $600,000 to recover their computer and phone systems, while 22 municipalities in Texas fell victim to a coordinated ransomware attack in August.

Indian City Runs Out of Water
June 19
Officials in Chennai, India’s sixth-largest city, announced that the city had reached “Day Zero” and was almost entirely out of water after its four main reservoirs dried up. The water crisis forced the city’s 10 million residents to rely on dwindling wells, wait in long lines to fill containers from emergency water tankers provided by the government, or purchase water from private companies. While some of Chennai’s water woes can be blamed on drier than normal monsoon seasons in 2017 and 2018, poor resource management has also been a factor as the local government struggles to keep pace with the needs of a rapidly developing economy and booming population. According to the World Resources Institute, 44 countries—home to one-third of the world’s population—face high levels of water stress, where irrigated agriculture, industries and municipalities withdraw more than 40% of their available supply on average every year.

Insurers Phase Out Coal Investment
July 1
Citing climate change concerns, Chubb became the first major U.S. insurer to announce that it will stop underwriting and investing in businesses that derive more than 30% of their revenue from coal mining or generate more than 30% of their energy production from coal. The company also said it will not underwrite risks related to constructing and operating coal-fired plants (with limited exceptions until 2022). The move followed a similar announcement made by Zurich in June. According to the International Energy Agency, while global coal demand has been decreasing since 2010, it increased in 2017 and 2018. This is largely due to economic growth spurring a higher demand for electricity in India and Southeast Asian countries like Indonesia, Vietnam, the Philippines and Malaysia, where coal is more readily available than other power sources.

Midwestern United States Inundated by Flooding
July 1
Beginning in mid-March and continuing throughout the spring, widespread flooding plagued the Midwestern United States, particularly along the Mississippi, Missouri and Arkansas River basins. By July, at least three people had died as a result of the flooding and states of emergency were declared in more than a dozen states. AccuWeather estimated that damage costs and economic losses could be as high as $12.5 billion, a figure that included “damage to homes, their contents, and cars, business and farm losses—including crops and livestock, contamination of drinking water wells, infrastructure damage, auxiliary business losses and the long-term impact from the flooding, which will likely contribute to, and exacerbate, health issues.”

Marriott, British Airways Fined Under GDPR
July 9
U.K. data regulator the Information Commissioner’s Office (ICO) announced that it would fine both British Airways and Marriott International for violating the GDPR. British Airways was fined a record-setting £183 million ($237 million) for a breach that exposed almost 500,000 customers’ personal data, including names, login information, credit card numbers, travel details and addresses. Meanwhile, Marriott faced a fine of £99 million ($127 million) for a breach that exposed 339 million customer records worldwide, including 30 million in Europe. The fines dwarf previous ICO decisions, including a £500,000 ($644,000) penalty levied last year against Facebook for failing to protect user information in the Cambridge Analytica scandal. That fine, however, was the maximum allowed under the U.K.’s 1998 Data Protection Act, which has since been replaced by the stricter GDPR.

Ebola Epidemic Ravages DRC
July 17
The World Health Organization (WHO) declared the ongoing Ebola outbreak in the Democratic Republic of the Congo to be a Public Health Emergency of International Concern after cases were diagnosed in the border city of Goma. The declaration designates “an extraordinary event which is determined to constitute a public health risk to other states through the international spread of disease and to potentially require a coordinated international response.” As of November 13, Ebola has infected almost 3,300 people and killed nearly 2,200 in DRC, according to the WHO. In addition to the human cost, epidemics have serious economic consequences. The World Bank estimated that the 2014-2015 Ebola epidemic cost the first three countries affected—Guinea, Liberia and Sierra Leone—around $2.8 billion in GDP.

FTC Fines Facebook $5 Billion for Privacy Violations
July 24
The U.S. Federal Trade Commission fined Facebook $5 billion for a series of data privacy violations, punctuated by last year’s Cambridge Analytica scandal that exposed the personal data of 87 million users, as well as for its failure to comply with a 2011 FTC consent decree in which the company agreed to shore up its privacy practices following previous privacy violations. As part of the settlement, the FTC also required Facebook to revamp its privacy practices by establishing an independent privacy committee, designating compliance officers responsible for privacy issues, conducting privacy reviews of all new products before implementation, and submitting to regular third-party reviews of its privacy program.

Capital One Hack Affects 100 Million
July 30
Capital One revealed that a hacker had gained access to the records of more than 100 million customers in the United States and Canada. The hacker entered the system through a misconfigured firewall and obtained customer information including names, addresses, phone numbers, email addresses, dates of birth and self-reported income from credit card applications, as well as credit scores, credit limits, balances, payment history, transaction data and, in some cases, Social Security and linked bank account numbers. After posting about the theft on a public message board, Paige Thompson, a software engineer formerly employed by Amazon Web Services, was arrested in connection with the breach. Capital One said it expected the incident to cost up to $150 million, mainly for customer notification, credit monitoring, technology costs and legal support.

European Countries Lose Measles Eradication Status
August 29
Albania, the Czech Republic, Greece and the United Kingdom officially lost their measles eradication status, according to the World Health Organization. Worldwide, the first half of the year saw more measles cases than any year since 2006, with 364,808 cases reported to the WHO, compared to 129,239 cases over the same period last year. Measles cases have increased 10-fold in Africa, twofold in Europe, and threefold in the Western Pacific region. While most countries with active outbreaks have low vaccination rates, the WHO noted a troubling rise in countries with high coverage as well, including the United States, which has had the highest number of measles cases in 25 years. Indeed, the United States would have lost its eradication status in October if an outbreak in New York had not been resolved.

Hurricane Dorian Devastates the Bahamas
September 1
Hurricane Dorian became the strongest Atlantic storm on record to make landfall in the Bahamas when it touched down with wind speeds of 185 miles per hour. It killed more than 65 people and caused widespread destruction throughout the Caribbean and United States. RMS estimated insured losses from the Category 5 storm to be between $4 billion and $8.5 billion in the Caribbean and up to $1.5 billion in the United States, although economic damages could be much higher as many affected areas were not insured. The Bahamas received the brunt of the storm and the northern islands of Abaco and Grand Bahama, in particular, face “generational devastation,” according to Bahamian Prime Minister Hubert Minnis. More than 13,000 houses (almost 45% of the homes on Grand Bahama and Abaco) were severely damaged or destroyed.

Purdue Settles Opioid Lawsuits
September 11
Purdue Pharma, manufacturer of the opioid-based painkiller OxyContin, reached a tentative settlement in the lawsuit brought by 23 states and more than 2,000 cities and counties over the company’s role in the opioid crisis. Under the deal’s conditions, the Sackler family, which owns Purdue, would give up control of the company but admit no wrongdoing, while Purdue would file for bankruptcy and become a trust that solely manufactures drugs to help combat the opioid epidemic. Additionally, the company would pay $10 billion to $12 billion, including $3 billion specifically from the Sacklers. Some of the parties suing may not agree to the settlement and could continue with individual lawsuits, arguing that the settlement would not be enough to make up for the scope of the company’s role in the opioid crisis. In March, Purdue settled an opioid lawsuit with the state of Oklahoma for $270 million, while the Sacklers agreed to pay $75 million to fund a national addiction treatment and research center at Oklahoma State University.

Executives Urge Passage of U.S. Gun Control LawsFeature Year in Risk Gun Control
September 12
Chief executives of 145 companies signed a letter calling gun violence a public health crisis in the United States and asking the Senate to pass “common-sense, bipartisan gun laws.” The companies represented span the retail, technology and financial sectors, including Dick’s Sporting Goods, Royal Caribbean Cruises, Levi Strauss, Airbnb, Uber, Yelp and Bain Capital. Specifically, the group called for the passage of stronger background check laws and advocated for “red flag laws,” which allow family or law enforcement to report warning signs of individuals who may pose risk of harm to themselves or others and temporarily prohibit their access to firearms. In addition, a number of retailers, including Walmart, Walgreens and CVS, began asking customers not to openly carry firearms in their stores, even in states where open carry is permitted. Walmart also announced plans to reduce weapons sales, including ceasing sales of some forms of ammunition and all sales of handguns in Alaska, the last remaining state where it offered them. According to the Gun Violence Archive, there have been 365 mass shootings in the United States (as of November 13), including an August 3 shooting in which 22 people were killed at a Walmart in El Paso, Texas.

PG&E Reaches $11 Billion Wildfire Settlement
September 13
Power utility PG&E, which declared bankruptcy in January because of growing wildfire liability, agreed to pay an $11 billion settlement to insurers for claims paid to businesses and homeowners for damages incurred by wildfires caused by its equipment. In June, the company also paid $1 billion to local governments and state agencies in California for fire damages. More than half of those funds were earmarked for damages from the 2018 Camp Fire, which killed 85 people and destroyed 18,000 homes and businesses, while the rest covered costs from 2015 and 2017 fires. PG&E still faces claims from wildfire victims. In November, the utility said it had incurred an additional $6.3 billion in bankruptcy and wildfire-related costs during the year. That figure could rise, however—while the actual cause has yet to be determined, a PG&E transmission line is suspected to have sparked the Kincade Fire, which burned 78,000 acres in Sonoma County this October.

Thailand, Indonesia Explore Moving Capital Cities
September 30
In an effort to reduce congestion and overcrowding, Prime Minister Prayut Chan-o-cha said he was considering moving Thailand’s capital city from Bangkok to a currently undetermined location. The Bangkok metropolitan region is home to more than 14 million people. One month earlier, Indonesia announced similar plans to move its capital from Jakarta to an as-yet-unnamed city that will be built in the province of Kalimantan on the island of Borneo. The Jakarta metropolitan area has a population of more than 30 million and its residents face not only overcrowding and congestion, but also some of the worst air pollution in the world. Of additional concern is that Jakarta is sinking by as much as seven inches per year due to the ongoing depletion of underground aquifers. Coupled with rising sea levels exacerbated by climate change, this has made the city more vulnerable to flooding and other natural disasters. The Indonesian relocation project is expected to cost $33 billion and construction is scheduled to begin in 2021.

MGM Resorts Settles With Las Vegas Shooting Victims
October 3
Lawyers for victims of the 2017 Las Vegas shooting—which left 58 people dead and hundreds wounded—have reached a settlement with MGM Resorts International for at least $735 million. Depending on the number of people who opt in, the total could reach $800 million. Victims claimed that MGM did nothing to prevent shooter Stephen Paddock from bringing 23 rifles and one handgun into a hotel room at the Mandalay Bay Resort and Casino, from which he opened fire on a country music festival below. MGM reportedly has about $751 million in insurance coverage that will cover all or most of the settlement cost.

California Bans Police Use of Facial Recognition TechnologyFeature Year in Risk Bodycam
October 10
California passed a law that bans state and local police from using facial recognition software in body cameras through 2023. Proponents of the ban cited a number of factors, including the prospect of creating a surveillance society and numerous studies that have demonstrated the frequent inaccuracy of facial recognition, especially when identifying women, younger people and people of color. Axon, a supplier of body cameras to law enforcement agencies, has even said that it will not use facial recognition in its products until the accuracy of the technology improves. The law makes California the third U.S. state after Oregon and New Hampshire to ban facial recognition use in police body cameras. Various cities, including San Francisco, have also prohibited city departments from using facial recognition, citing similar concerns about accuracy
and surveillance.

Massive Typhoon Strikes Japan
October 12
Typhoon Hagibis became one of the most destructive storms to strike Japan in 60 years, killing at least 95 people and destroying more than 90,000 structures, leading to an estimated $7 billion to $11 billion in insured losses. Many areas experienced record rainfall with some receiving 40% of their annual rainfall in two days. The heavy rains caused more than 140 landslides as levees breached and rivers overflowed. Hagibis came on the heels of Typhoon Faxai, which struck eastern Japan one month earlier. RMS estimated insured losses from property damage and business interruption from Faxai to be in the $5 billion to $9 billion range.

Monsoon Rains, Floods Cause 2,100 Deaths in India
October 25
According to Indian Home Ministry officials, at least 2,155 people were killed and 45 reported missing since June in the heaviest monsoon season in the country in decades. The death toll was highest in the western state of Maharashtra, where 430 people died. Heavy rains, flooding and landslides have affected more than 2.6 million people in 22 states, destroying more than 200,000 houses and thousands of acres of crops. Monsoon season in India officially ended on September 30, but was still active in parts of the country weeks later.

Brexit Deadline Extended to 2020
October 28
European Union leaders agreed to extend the deadline for the United Kingdom’s exit from the EU to January 31, 2020. European Council President Donald Tusk described the new date as a “flextension,” meaning the U.K. can leave earlier if a deal on the terms of withdrawal is approved by Parliament. Thus far, this has proved to be easier said than done. Despite months of assurances from Prime Minister Boris Johnson that the U.K. would leave the European Union on October 31, whether a deal was in place or not, opposition in Parliament continues to create an impasse. Brexit’s fate now rests on the results of the next general election, which will be held on December 12.

Australia Faces Wildfire Threat
November 10
Wildfires raged throughout the Australian states of Queensland and New South Wales, prompting officials to declare states of emergency and call for evacuations as potentially “catastrophic” conditions worsened. To date, three people have been killed during this year’s wildfire season as hundreds of fires burned more than 2.5 million acres of farmland and brush. Although fires occur regularly during the summer in Australia, many experts believe that the early arrival and intensity of this year’s fires is due to the effects of climate change.

Morgan O’Rourke is editor in chief of Risk Management and director of publications for the Risk & Insurance Management Society, Inc. (RIMS)

Hilary Tuttle is managing editor of Risk Management.

Adam Jacobson is associate editor of Risk Management.

Related Articles

Year in Risk 2023

December 1, 2023

Year in Risk 2022

December 1, 2022

Year In Risk 2021

December 1, 2021

Year in Risk 2020

December 1, 2020