Year in Risk 2022

Morgan O'Rourke , Hilary Tuttle


December 1, 2022

year in risk 2022

Businesses around the world faced a number of critical overarching issues in 2022, including rampant inflation, the continuing COVID-19 pandemic and severe weather further exacerbated by the climate crisis. Here is a review of some of the year’s most notable risk events, highlighting top challenges risk professionals had to address in 2022 and some that will shape the risk landscape moving forward into 2023.

“Freedom Convoy” Protests, Economic Disruption Spread Across Canada

January 28   

In 2021, the United States and Canada exempted truckers from COVID-19 vaccine requirements to cross the border. While an estimated 85% of licensed Canadian truck drivers were already vaccinated, the end of this exemption in January prompted a weeks-long series of protests and blockades in Canada. The so-called Freedom Convoy began arriving in Ottawa on ­January 28 and escalated to what Mayor Jim Watson called “the most serious emergency our city has ever faced.” Ottawa had to declare a state of emergency, and police arrested seven people, issued 100 tickets, and initiated over 60 investigations for incidents of “mischief, theft, hate crimes and property damage.”  The convoy also sparked protests against COVID-related mandates in Toronto, Winnipeg, Nova Scotia, Edmonton and other parts of the country. The protests caused particular difficulties for the auto industry, as the blockades at key border crossings considerably impacted the transportation of vehicles and parts, and Ford, General Motors and Toyota had to halt some production in February. The events took a notable economic toll in both Canada and the United States. According to some estimates, blockage of the Detroit Windsor Ambassador Bridge alone caused about $1 billion in economic losses on both sides of the border.

Russia Invades Ukraine

February 24

Russia Invades Ukraine

Russia’s invasion of Ukraine sparked an ongoing war that has resulted in tens of thousands of civilian deaths. An estimated 14 million Ukrainians have been displaced, marking the greatest refugee crisis in Europe since World War II. In addition to the human toll, the war has disrupted global supply chains, caused energy prices to spike, and led to shortages and rising costs for food and commodities. In response to the invasion, governments around the world imposed a range of sanctions and export control restrictions on Russia, forcing businesses to quickly reassess and reconfigure their trade practices and business arrangements, both with Russian entities and third parties that do business with Russia. To date, hundreds of companies have chosen to curtail operations in Russia or even leave the country altogether due to financial, compliance, reputational and humanitarian concerns. The conflict has caused massive damages, including to physical property and infrastructure in Ukraine and economic losses that trickle down to companies worldwide via business interruption and supply chain disruption.

SEC Proposes New Climate Disclosure Rules

March 21

The U.S. Securities and Exchange Commission issued a proposal that would require publicly listed companies to include more extensive disclosures on climate-related risks within their regulatory filings. Companies would need to disclose information on: any climate-related risks that are reasonably likely to have a material impact on their business; their greenhouse gas emissions, including emissions from upstream and downstream activities in their value chain; and the risk management processes they have in place to govern climate-related risks. The proposal would also require registrants to quantify the effects of certain climate-related events and transition activities in their audited financial statements. The rules are still being finalized

Costa Rica Crippled by Ransomware Attack

May 8

Costa Rica Crippled by Ransomware AttackCosta Rican President Rodrigo Chaves Robles declared a national emergency due a massive ransomware attack against several government agencies that began in April. The attack was initiated by the Conti ransomware group, which initially demanded a $10 million ransom in exchange for not releasing information stolen from the Ministry of Finance. When the government refused to pay, the group expanded the attack to other agencies and ministries. For weeks, essential services were compromised and taken offline, including utilities and tax and customs systems. Teachers and other government workers could not receive paychecks and healthcare workers were unable to access medical records and schedule appointments. The government was eventually able to restore certain services with technical assistance from other countries, including the United States and Spain. Costa Rica was not the only nation to be victimized by a major cyberattack this year. In August, Chile and Montenegro experienced unrelated ransomware attacks that also compromised government services.

U.S. Surpasses One Million COVID-19 Deaths

May 17

The United States marked a grim milestone that once seemed unimaginable: one million deaths due to COVID-19. And that is only the known cases directly attributable to the disease—the actual toll is likely far higher. Tens of thousands have also died in the months since. The United States experienced the biggest drop in life expectancy since World War II as COVID became the third-leading cause of death in the country, surpassed only by heart disease and cancer. By the beginning of November, COVID-19 had directly resulted in at least 6.6 million known deaths worldwide, and thousands continue to die every day. Rates have slowed, thanks to critical vaccines and better treatments now available, and these interventions will continue to be imperative in the months to come. In addition to the devastating death counts, heartbreaking personal losses, and massive social and economic toll, millions of people have been left with long COVID and other complications from COVID infections, as well as complications from deferred medical care amid the crisis.

Gary LaBranche Succeeds Mary Roth as RIMS CEO

June 1

After 37 years with RIMS, CEO Mary Roth retired from the risk management society, and veteran association executive and new CEO Gary LaBranche picked up the reins. “Risk management makes the world safer, more secure and more sustainable,” LaBranche said. “I am honored to be asked to help advance that important work and pave the way for this dynamic professional community’s continued success. I appreciate all that Mary Roth and the RIMS team have accomplished and look forward to partnering with RIMS leaders and this society’s powerful and engaged community to continue that legacy.”

Afghanistan Earthquake Kills Over 1,000 People

June 22

The deadliest earthquake of 2022 struck eastern Afghanistan and western Pakistan, with the magnitude 6.2 temblor primarily affecting the provinces of Paktika and Khost, and parts of Khyber Pakhtunkhwa, Pakistan. At least 1,163 people died, more than 6,000 others were injured, and over 10,000 homes were destroyed. This dramatically eclipsed other earthquakes of the year, with the second-most deadly killing 93 people on September 5 in Sichuan, China. The most severe earthquakes of the year by magnitude were a magnitude 7.6 that killed 21 people on September 10 in Papua New Guinea and a 7.6 that killed 2 people in Michoacán, Mexico, on September 19.

Supreme Court Overturns Roe v. Wade

June 2

year in risk 2022 roe v. wade overturnedThe U.S. Supreme Court’s decision to overturn Roe v. Wade, which provided constitutional protection for abortion rights, sparked protests both in the Unites States and abroad. After the ruling, some states quickly enacted abortion bans and companies scrambled to understand and address the legal and healthcare implications for their employees. Some employers adjusted their employee benefits packages and health policies to include reimbursement for expenses incurred while traveling for abortion services if these critical health care procedures might be denied in the employee’s home state. Other companies established funds for employees facing legal trouble for seeking abortion services. Navigating the patchwork of abortion laws in the United States has proven to be challenging for individuals, employers and healthcare providers alike as restrictions vary significantly depending on the state or jurisdiction. With more than 60% of Americans saying abortion should be legal and many concerned about the loss of women’s rights, abortion rights were a key issue in the midterm elections. More than half of registered voters said the ruling motivated them to go to the polls, potentially changing political calculus at state and federal levels moving forward.

Mass Shootings Prompt Gun Violence Legislation

June 25

memorial for the victims of a mass shooting at a supermarket in Buffalo, New York, in 2022President Biden signed into law the first major gun safety legislation to be passed in the United States in decades. The Bipartisan Safer Communities Act expands background checks for gun purchases, prohibits individuals convicted of domestic violence from owning firearms, and provides funding for states to implement both crisis intervention programs and red flag laws that allow authorities to temporarily remove firearms from people who show signs of being a threat to themselves or others. The law was prompted by a spate of mass shootings in 2022, including a May 24 shooting in which a gunman killed 19 students and two teachers and wounded 18 others at Robb Elementary School in Uvalde, Texas. Just 10 days earlier, a gunman killed 10 people and wounded three in a racially motivated attack at a supermarket in Buffalo, New York. According to a recent CDC report, U.S. firearm homicide and suicide rates increased by 8.3% from 2020 to 2021, reaching their highest levels in 30 years.

First CCPA Fine Issued Against Sephora for $1.2 Million

August 24

While the California Consumer Privacy Act was passed in 2018 and implemented in January 2020, the first CCPA fine was levied in 2022 against cosmetics retailer Sephora. The California Attorney General’s office found that the retailer failed to tell customers that it was selling their personal data, neglected to process requests from users who tried to opt out, and did not resolve these violations within the 30-day time period the law requires. Sephora will have to pay $1.2 million in penalties and implement a number of compliance measures, including clarifying its online privacy policy to indicate that it sells personal data, providing ways for consumers to opt out, and adapting its service provider agreements to conform to CCPA requirements. Businesses operating in the state should take note as Attorney General Rob Bonta indicated his office is increasing its focus on CCPA compliance and enforcement actions, and has sent official notices of violation to a number of other companies.

Meta Fined €405 million for GDPR Violations

September 5

Meta (formerly Facebook) was fined €405 million (about $418 million) by Ireland’s data protection authority for mishandling the data of teenage users on Instagram in violation of the EU’s General Data Protection Regulation (GDPR). It was the second-largest GDPR fine to date, exceeded only by a €746 million penalty imposed on Amazon last year. This was also the third time Ireland has cited Meta companies for data privacy violations under GDPR—WhatsApp was fined €225 million last year, while Facebook was fined €17 million in March. Meta said it would appeal the ruling as it was based on old settings that have since been updated with features designed protect underage users.

Hurricane Fiona Ravages Caribbean and Canada

September 18

The first major storm of the 2022 Atlantic hurricane season, Hurricane Fiona carved a destructive path through the Caribbean before causing historic damage in Canada. In Puerto Rico, the Category 4 storm’s heavy winds and torrential rain caused an island-wide blackout; destroyed homes, crops and infrastructure; and left a million people without drinking water. At least 21 people were killed and the island sustained more than $2 billion in total damages. After causing flooding and power outages throughout the Caribbean, Fiona traveled up to the eastern coast of Canada, making landfall as a post-tropical cyclone on September 24. The storm’s 100-mile per hour winds, heavy rains and storm surge killed three people; left more than 500,000 without power; and damaged buildings, homes and roadways throughout the four provinces of Atlantic Canada and Quebec. With an estimated $660 million in insured damages, the Insurance Bureau of Canada reported that Fiona was the costliest extreme weather event ever recorded in Atlantic Canada.

Hurricane Ian Causes Historic Devastation in Florida

September 27

Hurricane Ian brought catastrophic damage to Florida and parts of the CaribbeanHurricane Ian made landfall in Cuba as a Category 3 storm, causing significant damage including a nationwide power outage. As a Category 4 storm, it also pummeled Puerto Rico, which was still struggling to recover in the wake of Hurricane Fiona and the widespread power outages it caused. On September 28, Ian made landfall in western Florida as a Category 4, with 150 mile-per-hour winds, tying it for fifth-strongest storm to make landfall in the contiguous United States. Those powerful winds brought massive storm surges and catastrophic flooding, resulting in one of the most devastating hurricanes to ever strike Florida. Ian left 146 people dead and inflicted over $50 billion in damages, making it the deadliest hurricane to hit Florida since 1935 and potentially the costliest in its history. Some coastal communities such as Sanibel Island were rendered uninhabitable, with officials saying every house in town sustained at least some damage, and full recovery will likely take years. Before dissipating, the storm also impacted regions of South Carolina, North Carolina and Virginia. By November, the 2022 Atlantic hurricane season had produced eight hurricanes, including Nicole, a rare November storm that caused major damage in Florida.

Wall Street Firms Fined $1.8 Billion for “Off-Channel” Communications

September 27

The Securities and Exchange Commission fined 16 Wall Street firms a total of $1.8 billion for widespread record-keeping failures related to the use of personal phones, texting, WhatsApp and other private messaging platforms for work communications. These “off-channel” communications have become an increasing concern in regulated industries given the move to remote and hybrid work. The largest banks in the settlement—Bank of America, Barclays, Citigroup, Credit Suisse, Deutche Bank, Goldman Sachs, Morgan Stanley and UBS—will each pay $125 million. The firms also committed to bring in compliance consultants to review policies and procedures regarding “retention of electronic communications found on personal devices.” JPMorgan Chase also settled similar charges for $200 million over the summer.

Biden Administration Issues Marijuana Pardons

October 6

Biden Administration Issues Marijuana PardonsPresident Biden issued pardons for individuals convicted of simple possession of marijuana under federal law and urged governors to follow suit regarding state offenses. The pardons were expected to affect thousands of people who were convicted of simple possession since it became illegal in the 1970s. The president also said that he was directing the Department of Health and Human Services and Attorney General Merrick Garland to review how marijuana is scheduled under federal law. Currently, marijuana is classified as a Schedule I substance under the Controlled Substances Act, which is reserved for dangerous drugs like heroin. The policy is part of a growing movement toward decriminalization of marijuana in the United States. When the pardons were issued, 37 U.S. states had legalized medical marijuana and 19 allowed recreational use. In November, voters in Maryland and Missouri approved measures to legalize recreational marijuana use in their states as well. (For insight on what the pardons mean for employers, see "Employment Implications of Marijuana Pardons" from the November/December 2022 issue of Risk Management.)

Over 150 People Killed in Seoul Halloween Crowd Surge

October 30

Over 150 People Killed in Seoul Crowd Surge on Halloween

On Halloween weekend, over 100,000 people flocked to the nightlife district of Itaewon in Seoul, South Korea. Partygoers were out in full force for the first holiday celebration since COVID-related restrictions on crowd size and mask mandates were lifted. While it is not clear exactly what set off the tragic stampede, it appears the narrow streets grew increasingly packed as the night went on, with individuals ultimately having difficulty moving or even breathing. As panic set in, hundreds of people were trampled or crushed in the chaos. At least 154 people were killed in the crowd surge and well over 100 more were injured. South Korea frequently draws praise for crowd control, yet security forces were reportedly scarce in the neighborhood during the celebrations, and officials face many questions about the safety and emergency response failures that could have led to such a disaster. President Yoon Suk Yeol has vowed to implement new policies and conduct “emergency inspections” ahead of future events to ensure public safety.

NYC Pay Transparency Law Goes into Effect

November 1

In New York City, employers with more than four employees must now list the salary range for all job postings, including “good faith” minimum and maximum annual salary or hourly wages. Such measures are intended to help close the pay gap, particularly among groups where salary inequity persists, including individuals who identify as women and people of color. There is no charge for the first violation, but not adhering to the law can be considered an “unlawful discriminatory practice” and fines could range up to $250,000 for failure to comply after a notice. New York City is just one of the jurisdictions to recently pass pay transparency requirements. The states of Colorado, Washington, Connecticut and Maryland have also implemented some requirements around salary disclosures during the hiring process, and California has passed a similar law that will go into force on January 1, 2023 (see “New California Law Mandates Pay Transparency” from the November/December 2022 issue of Risk Management).

EU Enacts Rules to Regulate Big Tech Firms

November 1

The European Union enacted the Digital Markets Act (DMA), new legislation that places stricter requirements on large online platforms like Google, Apple, Amazon, Meta and Microsoft. The rules would prohibit practices like blocking installation of third-party apps on devices; preventing users from removing pre-installed software; requiring app developers to use a company’s payment services in order to appear in its app store; ranking its own products or services higher in search results than those of competitors; and tracking users for the purpose of targeted advertising without consent. Companies that violate the DMA could be fined up to 10% of their global annual turnover, or up to 20% if they are repeat offenders. Along with the DMA, the EU also enacted the Digital Services Act, which requires companies to take steps to remove illegal content on their platforms or risk a fine of up to 6% of their global annual turnover.

Morgan O’Rourke is editor in chief of Risk Management and director of publications for the Risk & Insurance Management Society, Inc. (RIMS)

Hilary Tuttle is managing editor of Risk Management.