Year In Risk 2021

Adam Jacobson , Morgan O'Rourke , Hilary Tuttle


December 1, 2021

An illustration of a figure scaling a red wall over the words

For more on the most important risk events related to the pandemic in 2021, read the  COVID-19 Pandemic Timeline.

While COVID-19 once again dominated the headlines in 2021, issues like climate change, cybersecurity, supply chain resilience and the economy also had a tremendous impact on organizations around the world. Here is a review of some of the year’s most notable risk events, underscoring the dynamic landscape risk professionals have had to navigate in 2021, and highlighting some of the challenges they will continue to face going forward.

UK Prime Minister Boris Johnson sits at a table in front of four UK flags. He holds a pen and in front of him is an open folder.

Brexit Takes Effect 
January 1
Following a year-long transition period and a last-minute deal finalized on December 25, 2020, the United Kingdom officially left the European Union. On top of COVID-19, the new UK immigration and economic rules have created disruptions such as a labor shortage, supply chain issues and a record trade upset, with UK exports to the EU dropping 41% and imports from the EU dropping 29% in January. By October, the UK Office for National Statistics said that the country faced nearly 1.2 million job vacancies, fueled by European workers going back to their home countries and highly restrictive visa rules. Prime Minister Boris Johnson called these issues “the present stresses and strains—which are mainly a function of growth and economic revival.”

Hacker Attempts to Poison Florida City’s Water Supply
February 5
A hacker gained access to the water treatment system for the city of Oldsmar, Florida, and attempted to change chemical levels in the local water supply. The attacker reportedly tried to increase the concentration of sodium hydroxide (commonly known as lye) to 100 times the normal level, which would have risked poisoning thousands of residents. Thankfully, the system’s operator was able to reset the levels before the water was actually affected. The case is one example of a growing number of cyberattacks that threaten critical infrastructure and physical safety, such as attacks targeting medical devices, hospitals or power grids. Referencing such attacks in October, Department of Homeland Security Secretary Alejandro Mayorkas warned that “killware,” malware designed to do real-world harm or cause death, was his greatest concern and may be the next big attack trend in cybersecurity.

Winter Storm Causes Texas Power Crisis
February 13
A massive winter storm slammed into Texas and surrounding states and left millions of people stranded without power or running water. Facing an unusually high demand for electricity and heating during the storm, power grids failed, and the Electric Reliability Council of Texas (ERCOT) ordered rolling blackouts with little advance notice or information about when power would be restored. The power outages disrupted water treatment operations, while freezing temperatures caused pipes to burst, leaving many businesses and homes flooded or without potable water. The storm also crippled transportation across Texas, interrupting supply chains for many industries as airports were forced to shut down and rail shipping and trucking were seriously delayed due to the outages as well as traffic jams and weather-related accidents.

Virginia and Colorado Pass Consumer Data Privacy Laws
March 2
Virginia became the second U.S. state to sign comprehensive consumer data protection legislation into law, followed shortly by Colorado in July. Both laws will go into effect in 2023 and expand the rights of consumers to control the personal information businesses collect, including the right to access, correct or delete data and the right to opt out of data processing altogether. They also establish strict requirements for businesses to protect such data and penalties for those that fail to do so, though enforcement mechanisms are more limited than with California’s CCPA.

The Ever Given shipping boat blocks the Suez Canal.

Ever Given Runs Aground in Suez Canal
March 23
Egypt’s Suez Canal was blocked for six days after the Ever Given, one of the world’s largest container ships, became jammed across the waterway in high winds. The grounding stopped canal traffic, stranding more than 300 vessels and container ships and significantly disrupting global trade. Shipping industry publication Lloyd’s List estimated that the blockage held up more than $9.6 billion worth of traded goods every day it was stuck in place. The repercussions lasted for months as the resulting backlog for shipping companies and container ports led to product shortages for retailers and supply chain delays for manufacturers. The Egyptian government has since announced plans to widen the narrower parts of the canal.

An Exxon gas pump that has a hand-written sign taped to the pump saying

Colonial Pipeline Ransomware Attack Shuts Down Fuel Supply
May 7
A ransomware attack forced an 11-day shutdown of a major pipeline that supplies gasoline, diesel and jet fuel to the eastern half of the United States, leading to fuel shortages, long lines and panic-buying at gas stations. The pipeline’s operator, Colonial Pipeline, ultimately paid the attackers $4.4 million in bitcoin to restore service. The incident prompted the Biden Administration to mandate new cybersecurity regulations for pipeline companies, requiring them to report any cyber incident to the federal government and take preparations for future attacks, among other measures to strengthen the country’s energy sector. President Biden also issued a broad executive order to improve the cybersecurity of federal networks and develop standards to protect the software supply chain. Throughout 2021, a surge of high-profile ransomware cases made headlines, including a March attack on CNA Financial that resulted in the insurer paying a record $40 million ransom, and a July attack on Kaseya’s VSA remote monitoring and management software that paralyzed as many as 1,500 business and public agencies around the world. The costs of these attacks also fueled hardening in the overall cyber insurance market, with insurers increasing rates and pulling back on coverage throughout 2021.

A European street strewn with wreckage from a flood, including bricks and signs.

Flooding Causes $11 Billion in Damages in Western Europe
July 12
Widespread flooding impacted much of Western Europe in mid-July, causing especially severe damage in Germany, Belgium, the Netherlands and Luxembourg. In Germany, almost 200 people died as a result of the flooding and insured property damages totaled about €7 billion ($8 billion), making it the most damaging natural disaster in the country’s history. In Belgium, 42 people were killed and thousands were evacuated in flooding that a government official described as “one of the greatest natural disasters our country has ever known.” Some experts suggested that the unprecedented disaster may have been exacerbated by the impact of climate change. Overall, the floods led to 242 deaths and up to $11 billion in insured damages.

Amazon Hit with Record GDPR Fine
July 16
Luxembourg’s data protection authority fined Amazon €746 million ($862 million) for violating personal data processing rules. It was the largest fine to date under the EU’s GDPR, dwarfing the previous record €50 million fine imposed on Google in 2019. Overall, GDPR fines ramped up dramatically in 2021. For example, Ireland’s Data Protection Committee issued a €225 million ($260 million) fine to WhatsApp in September, alleging the Facebook subsidiary failed to tell EU citizens how their personal data was collected and used. In the third quarter alone, fines totaled more than €984 million ($1.14 billion)—three times higher than all of 2020.

Aon and Willis Towers Watson Terminate Merger Agreement
July 26
In July, Aon and Willis Towers Watson mutually terminated a $30 billion proposed merger agreement, citing an “impasse” with the U.S. Department of Justice. First announced in March 2020, the agreement would have created the world’s largest insurance broker, prompting concerns from regulators that the deal would lead to a monopoly in the industry. Shortly before the termination, regulators in the European Union had approved the deal on the condition that Willis sell certain key parts of its business to rival Arthur J. Gallagher. In the United States, however, the DOJ filed suit in June to stop the merger, arguing it would broadly reduce competition and lead to higher prices. Aon had to pay $1.3 billion in termination fees and other related costs, contributing to the firm posting a third-quarter loss of $801 million.

UN Climate Report: Humans Definitively Causing Climate Change
August 9
The United Nations Intergovernmental Panel on Climate Change (IPCC) reported that “climate change is widespread, rapid and intensifying, and some trends are now irreversible, at least during the present time frame.” Prepared by 234 scientists from 66 countries, the report stated that human ­activity had warmed the climate at an unprecedented rate, ­causing more extreme weather events. Researchers warned that warming of 1.5 degrees Celsius above pre-industrial levels would lead to more heat waves, longer warm seasons and shorter cold seasons in regions across the globe, while at 2 degrees of warming, “heat extremes are more likely to reach critical tolerance thresholds for agriculture and health.” These changes will also bring more intense storms and droughts, as well as sea-level rise and flooding. The report noted that reducing emissions of carbon dioxide and other greenhouse gases in significant and sustained ways could improve air quality and potentially stabilize global temperatures in 20 to 30 years.

Haiti Earthquake Kills Over 2,200 People
August 14
A magnitude 7.2 earthquake struck Haiti, killing at least 2,248 people, injuring 12,763 and damaging or destroying more than 137,000 buildings, according to government officials. It was the deadliest natural disaster of 2021 and the worst disaster to strike Haiti since the 2010 earthquake that killed more than 200,000. In the aftermath, an estimated 650,000 people needed emergency humanitarian aid but relief and recovery efforts were hampered by fuel shortages, transportation strikes, and a surge in violent gang activity and kidnappings throughout the country. Of more than $1 billion in estimated economic losses, only a fraction were insured. However, the Haitian government received a $40 million payout from a parametric insurance policy that was triggered by the quake.

Treasury Department Opens Inquiry into Insurance Industry Climate Risks
August 31
The U.S. Treasury Department announced that its Federal Insurance Office will investigate climate-related financial risks in the insurance industry. The assessment will consider climate-related issues or gaps in the regulation of insurers, including their potential impacts on U.S. financial stability, and the potential for major disruptions of private insurance coverage in U.S. markets that are particularly vulnerable to climate change impacts. Following President Biden’s executive order on climate-related financial risk, the U.S. Securities and Exchange Commission also announced in June that it may soon require companies to disclose their climate risks and how their operations impact the environment.

Hurricane Ida Pummels the United States
September 1
Hurricane Ida devastated Louisiana before sweeping up the East Coast and inundating the Northeast with record rainfall. Risk Management Solutions estimated Ida caused $31 to $44 billion in insured losses, while AccuWeather estimated that the total was closer to $95 billion, which would make it the seventh-costliest hurricane to hit the United States since 2000. The 2021 hurricane season produced 21 named storms, of which seven became hurricanes. This year, the National Hurricane Center started issuing its Tropical Weather Outlooks on May 15, two weeks earlier than usual, effectively lengthening hurricane season after storms have begun earlier in recent years.

#Striketober and the Great Resignation
October 5
Tens of thousands of U.S. workers went on strike, protesting conditions at organizations including John Deere, Kellogg, McDonalds, healthcare facilities and universities. Led by labor unions in some cases, many of the strikes and walkouts were prompted by failed contract negotiations, but others involved non-union employees protesting low pay and unsafe conditions, particularly during the pandemic. The strikes were strengthened by ongoing labor shortages across many industries, especially among low-wage hourly workers. The so-called Great Resignation has also swept the country in recent months. A record 4.4 million Americans (approximately 3% of the labor force) quit their jobs in September, topping the previous record of 4.3 million set only one month earlier. Many of these departures were concentrated in the leisure and hospitality industry, including jobs in hotels, bars, restaurants, theme parks and other entertainment venues.

Nearly 1 Million Acres Burned in California Wildfire
October 25
Firefighters were finally able to contain the Dixie fire, which raged throughout Northern California for three months and burned more than 963,000 acres and over 1,300 buildings, including almost all structures in the small towns of Greenville and Canyondam. It was the second-largest wildfire in state history after last year’s August Complex fire. According to officials, firefighting costs exceeded $610 million, making it the most expensive fire suppression campaign in state history. Exacerbated by extreme temperatures and drought, wildfires devastated many communities this year. In July, smoke from fires in Oregon and Washington was so intense that it reached all the way to the East Coast. Wildfires also forced evacuations in Greece, Italy and Turkey, and massive blazes in Siberia broke annual records for fire-related emissions of greenhouse gases.

China’s Data Privacy Law Goes Into Effect
November 1
Approved in August and implemented in November, China’s Personal Information Protection Law (PIPL) will now place more restrictions on how companies can use personal data. The law is similar to the European Union’s GDPR, except that the Chinese government will retain broad access to personal data rather than face the same limitations on surveillance as European governments. The new law requires companies to hire a data protection officer and extends the requirement to store personal data within China to all companies. Those that want to share data outside of the country must also undergo a national security review. Violations may result in steep fines, and the country may blacklist foreign companies that do not abide by the law’s strict rules, which would bar them from processing Chinese users’ data. These increasing business restrictions have prompted some companies to exit the Chinese market, including Yahoo in August and LinkedIn in October.

Investors Sue SolarWinds Directors Alleging Cyberrisk Governance Failures
November 5
A group of SolarWinds investors sued the company’s directors alleging that they knew about and failed to monitor cybersecurity risks that exposed the company to a massive data breach uncovered last year. As part of a cyber espionage campaign purportedly affiliated with the Russian government, hackers exploited SolarWinds’ network management software to gain access to government agencies and private-sector companies around the world. The lawsuit seeks unspecified damages and reforms of SolarWinds’ security oversight procedures. Other companies experienced fallout from the software supply chain attack throughout the year. In June, the SEC initiated a probe to determine whether any companies failed to disclose that they were victims of the SolarWinds attack, potentially signaling risk for other corporate boards and C-suites.

Crowds of concert attendees at the Astro World music festival. In the background, there is a giant sculpture of Travis Scott's head and a sign for the festival.

10 Dead After Astroworld Festival Crowd Surge
November 5
At least 10 people were killed and more than 300 injured in a massive crowd surge at rapper Travis Scott’s Astroworld Festival in Houston. Victims were crushed and trampled over a 40-minute period while Scott performed on stage with fellow artist Drake. In the wake of the incident, Scott came under fire for failing to immediately stop the show and was questioned about whether he was aware of or promoted unsafe conditions. Concert organizers were also criticized for their lack of preparation for a range of safety issues and their inadequate response. Victims and their families have already filed over 100 suits against Scott, Drake, concert organizer Live Nation, Apple Music, NRG Park venue management and the vendors used to produce, secure and staff the event. In response to the tragedy, Texas Governor Greg Abbott formed a task force to improve concert safety and protect concertgoers during future events.

Deadly U.S. Tornado Outbreak Causes Record Damages
December 10
A series of tornadoes ripped across the Midwest and Southern United States, killing dozens and crippling infrastructure in Arkansas, Illinois, Indiana, Kentucky, Mississippi, Missouri, Ohio and Tennessee. Dr. Joel N. Myers, AccuWeather founder and CEO, estimated that the tornadoes are expected to cost about $18 billion for damage and economic loss, making them the costliest tornadoes in the country’s history. The cyclones killed more than 80 people, including over 70 across Kentucky alone, the hardest-hit state, left thousands homeless, and knocked out power for more than 25,000. Additionally, 10,000 Kentucky homes and businesses reported being without water, and another 17,000 were under boil-water advisories, according to the Kentucky Division of Emergency Management. In Mayfield, KY, one of the tornadoes killed at least eight workers at a Mayfield Consumer Products scented candle factory. In Illinois, another tornado struck an Amazon warehouse, killing six people and injuring one more.


Adam Jacobson is associate editor of Risk Management.

Morgan O’Rourke is editor in chief of Risk Management and director of publications for the Risk & Insurance Management Society, Inc. (RIMS)

Hilary Tuttle is managing editor of Risk Management.

Related Articles

Year in Risk 2023

December 1, 2023

Year in Risk 2022

December 1, 2022

Year in Risk 2020

December 1, 2020