Organizations around the world faced a wide range of risks in 2024, whether it was from natural disasters and extreme weather, geopolitics and supply chain risks, cybersecurity and artificial intelligence threats, or regulatory and compliance concerns. Here is a review of some of the year’s most notable risk events, highlighting top challenges risk professionals had to address in 2024 and some that will shape the risk landscape moving into 2025.
Japanese Earthquake Kills 400 People, Causes Billions in Damages
January 1
On New Year’s Day, a 7.5 magnitude earthquake struck the Noto Peninsula on the western coast of Japan. The quake caused significant damage to infrastructure, roads, buildings and homes, particularly in Suzu and Wajima, as many houses in these cities were traditional wooden structures built before modern building codes were created. As a result of the quake, more than 400 people were killed, 1,300 injured and 30,000 displaced to temporary shelters, and government officials estimated total economic losses could be as much as $17.6 billion. The earthquake also disrupted power supplies and transportation networks, creating additional challenges for recovery efforts. Damages were further exacerbated by tsunami waves, which reached as high as five meters in some areas, prompting authorities to issue the country’s first “major tsunami warning” since the devastating earthquake and tsunami of 2011.
Boeing 737 MAX Planes Grounded After In-Flight Emergency
January 5
After a door plug blew out mid-air on an Alaska Airlines flight, the Federal Aviation Administration (FAA) grounded all Boeing 737 MAX 9 aircraft with a plug door for three weeks and halted production expansion of the plane model. Alaska Airlines and United Airlines canceled about 150 daily flights while the MAX 9 was grounded. The company was forced to pay its airline customers $443 million in compensation for the groundings. Boeing continued to struggle throughout 2024. The FAA investigated other Boeing planes, its CEO departed, and its machinists went on strike for almost two months, halting most jet production. In the first nine months of 2024, Boeing lost $8 billion in net earnings amid continuing questions about the quality and safety of its aircraft.
Cummins to Pay Record Fines for Clean Air Act Violations
January 10
Engine manufacturer Cummins settled with the U.S. Environmental Protection Agency and the U.S. Department of Justice after violating the Clean Air Act by equipping over one million vehicles with illegal software that reduced the effectiveness of emission control systems. The company also failed to disclose the control devices as part of the engine certification process, which the Clean Air Act requires. Cummins will pay a $1.675 billion penalty, the largest civil penalty in the history of the Clean Air Act and the second-largest environmental penalty. Due to Cummins’ actions, the impacted vehicles emitted much higher levels of nitrogen oxide, a pollutant that contributes to harmful ground-level ozone and fine particulate matter. Exposure to nitrogen oxides can cause asthma attacks and other respiratory or cardiovascular issues.
Change Healthcare Hit with Largest Health Data Breach in U.S. History
February 21
A ransomware attack hit Change Healthcare’s computer systems, compromising the protected health care information of approximately 100 million Americans. It was the largest health care data breach in U.S. history. The ransomware targeted the company’s billing and payment operations, leaving many hospitals, pharmacies and medical practices unable to process electronic payments and medical claims. Change Healthcare paid $22 million in ransom, but the ransomware group did not delete the sensitive data. The company finally began notifying affected individuals in July. UnitedHealth Group, the parent company of Change Healthcare, anticipates the total cost of responding to the incident will be around $2.3 billion.
SEC Adopts, Then Pauses, Climate Disclosure Rules
March 6
The U.S. Securities and Exchange Commission (SEC) adopted rules mandating that public companies disclose the climate-related risks that could materially impact their strategy, operations and financial position, and outline their actions to mitigate these impacts. As part of the disclosure requirements, companies must report their greenhouse gas emissions, including direct emissions (Scope 1) and emissions associated with their purchase and use of electricity, steam, heat and cooling (Scope 2). The final rule omitted a proposed requirement to disclose Scope 3 “value chain” emissions produced by a company’s customers and supply chain participants. Implementation was paused in April amid a rush of legal challenges from 25 states and various other entities. While the SEC rules remain under judicial review, similar emissions reporting rules in other jurisdictions including California and the European Union are moving forward, with some compliance deadlines scheduled for as early as next year.
SEC Issues First Fines for “AI Washing” False Claims
March 18
The SEC settled charges with two investment firms, Delphia and Global Predictions, fining the firms a total of $400,000 for making false and misleading claims about using AI in their services when they did not. Amid continuing and widespread hype about AI across business sectors, the flurry of services purportedly using AI to any and all ends has led to speculation and caution about “AI washing.” The SEC fines represent regulators’ first enforcement actions to curb the practice. “As today’s enforcement actions make clear to the investment industry—if you claim to use AI in your investment processes, you need to ensure that your representations are not false or misleading,” said Gurbir S. Grewal, director of the SEC’s Division of Enforcement. “And public issuers making claims about their AI adoption must also remain vigilant about similar misstatements that may be material to individuals’ investing decisions.”
Baltimore Bridge Collapses After Container Ship Crash
March 26
After being struck by a container ship, the Baltimore-area Francis Scott Key Bridge collapsed into the Patapsco River. The crew lost propulsion control after the ship suffered an electrical blackout, resulting in it drifting off-course and crashing into one of the bridge’s piers. The collision killed six maintenance workers on the bridge’s roadway and damaged the ship’s hull and shipping containers onboard. The collapse blocked shipping to and from the Port of Baltimore—one of the East Coast’s busiest ports—for 11 weeks, resulting in an estimated economic impact of as much as $15 million a day. Maryland officials plan to replace the bridge by 2028 at a cost of almost $2 billion. In October, the ship’s owner and operator agreed to pay more than $102 million to settle a lawsuit brought by the Justice Department. The settlement will cover what the U.S. government spent in response to the disaster, including clearing the ship and bridge debris from the Port of Baltimore.
Red Sea Attacks Spark Shipping Crisis
March 31
Typically, 30% of global cargo travels across the Red Sea and through the Suez Canal, but after conflict broke out between Israel and Gaza and other Middle East neighbors at the end of 2023, this critical container shipping route was quickly upended. Yemen-aligned Houthi rebels began launching attacks on container ships on the Red Sea, introducing an almost untenable risk into one of the world’s most essential shipping routes. As of the end of March, the World Bank reported Suez traffic had fallen to half its usual number of ships, and traffic around Africa’s Cape of Good Hope increased 100%. The primary alternate route requires circumnavigating Africa, adding about 10 days and 4,000 miles to shipping routes. Measures taken to avoid the conflict zones decreased global shipping capacity by 9% and increased fuel expenses, labor and material costs, insurance rates and the environmental impact on the global shipping industry. Shipping rates for many routes rose to as much as five times their normal costs, adding to the price of imports around the world and pushing up global inflation, according to a report by J.P. Morgan. In addition, with so many cargo ships rerouted around the Horn of Africa, piracy saw a resurgence, with opportunistic attacks increasing significantly.
U.S. East Coast Experiences Rare Earthquake
April 5
A 4.8 magnitude earthquake originating in Tewksbury, New Jersey, was felt throughout the New York and Washington, D.C., metropolitan areas and many parts of the East Coast. It was the strongest earthquake to strike the region since 1884 and was followed by dozens of aftershocks throughout the week. While there were no reports of injuries, up to 150 buildings suffered damage in New York City and surrounding areas. In response to the earthquake, the Federal Aviation Administration stopped all flights at Newark Liberty International Airport, Philadelphia International Airport and John F. Kennedy International Airport and train travel was restricted through the Northeast. According to researchers from Columbia University and Seoul National University, the surprisingly strong earthquake was attributed to a major fault line that had not been previously identified.
President Biden Signs TikTok Ban
April 24
Under a law passed in April and signed by President Biden, if China-based company ByteDance does not sell TikTok within a year, the United States will ban app stores from offering and supporting the social media app. The U.S. government has closely monitored TikTok for years due to the tremendous amount of data it is collecting and fears that the Chinese government is using the app to influence its users, which is especially concerning since TikTok is where one-third of young adults get their news. However, ByteDance stands firm against selling the app. Shortly after the law was passed, the company sued the U.S. government, calling the law unconstitutional. An appeals court rejected the suit on December 6, ruling national security concerns were a valid constitutional basis for such a measure. Citing similar security concerns, several other countries have taken action against TikTok. India, Iran, Nepal, Afghanistan and Somalia have also blocked TikTok, and the UK has banned government staff from having the app on any work devices.
Tornado Outbreak Ravages U.S. States
April 25
Over 160 tornadoes struck the Midwest, Southern and High Plains regions of the United States, killing six people, injuring over 170 and causing $1.2 billion in damage. The outbreak was notable not only for the number of tornadoes but also for its timing as peak tornado season is usually in June and July. Swiss Re reported that severe convective storms, including tornadoes, accounted for a record $64 billion globally in insured losses in 2023. Those same storms resulted in $42 billion in losses in the first half of 2024 alone. As recently seen with hurricanes, severe storms are adhering less to strict seasons, impacting wider regions and more people. A range of factors are contributing to the increase in damages, including climate change, more people living in vulnerable areas, and less undeveloped space.
Newspapers Sue ChatGPT, Microsoft for Copyright Infringement
April 30
Eight U.S. newspapers, including the New York Daily News, Chicago Tribune, Orlando Sentinel and Denver Post, sued ChatGPT creator OpenAI and Microsoft for allegedly using copyrighted works without permission or compensation to train their generative AI products. The lawsuit joins a growing list of copyright lawsuits against AI companies from media outlets like the New York Times and authors such as John Grisham, Jodi Picoult and George R.R. Martin. Similarly, in June, major record labels Universal Music Group, Sony Music Entertainment and Warner Music Group sued AI-based music services Suno and Udio for unlawfully using copyrighted recordings to train their products. AI tech companies contend that taking publicly available content amounts to “fair use,” a legal doctrine that permits repurposing copyrighted work if it is substantially changed. Many of the content creators and publishers that have filed suit are seeking to stop the practice and to be paid for the use of their intellectual property. Other publishers like the Associated Press, Wall Street Journal, Financial Times and the Atlantic have made licensing deals with OpenAI to be compensated for the use of their content.
More Than 1,300 People Die in Record Heat During Hajj Pilgrimage
June 14
Over 1,300 people died of heat stroke or dehydration on the Hajj pilgrimage due to extreme heat as temperatures reached a record high of 122 degrees Fahrenheit (50 degrees Celsius) at the Grand Mosque of Mecca. A little over a month later, July 22 became the hottest day ever recorded on Earth—beating out the previous day’s record high with a global temperature of 63 degrees Fahrenheit (17.6 degrees Celsius). July was also the hottest month in the 175 years that NOAA has kept records, following 13 consecutive months of record-high monthly temperatures. By the end of the year, researchers from NOAA and the EU’s Copernicus Climate Change Service said that 2024 was sure to be the hottest year on record.
CDK Ransomware Attack Directly Costs Car Dealerships $1 Billion
June 19
Car dealership software firm CDK Global was hit with a ransomware attack that ultimately forced the company to shut down most of its systems, impacting over 15,000 dealerships across North America. Dealers use the software to handle everything from generating orders and facilitating vehicle sales to recordkeeping and scheduling. The outage lasted until July 5, leaving about half of the country’s car dealerships struggling to maintain operations. Blockchain analysts reported that CDK appears to have paid a ransom of approximately $25 million in bitcoin. According to Anderson Economic Group, car dealers’ total direct losses surpassed $1.02 billion from the three-week outage, and that was before adding any costs from damage to consumers, reputation damage for dealers and litigation costs. “This episode is a wake-up call for the auto industry and a warning to all others,” said Patrick Anderson, the group’s CEO. “Businesses that rely upon automated systems and centralized software—which means nearly all businesses—are vulnerable to hacking of systems managed by outside providers, and the losses caused by an outage can escalate quickly.”
Flawed CrowdStrike Update Causes Global Tech Outages, Widespread Disruption
July 19
A flaw in the coding of a CrowdStrike software update caused thousands of Microsoft Windows devices to crash, leading to massive outages around the world, particularly impacting airlines, banking, retail, hospitality and government entities. CrowdStrike’s endpoint detection and response tools are used by over 24,000 organizations around the world, including 60% of the Fortune 500. Guy Carpenter estimated global insured losses for the CrowdStrike incident would fall between $300 million and $1 billion, driven primarily by business interruption insurance claims. Verisk officially classified the outage as a cyber catastrophe event, meaning at least $250 million in insured losses, and experts at Aon said it was “likely to be the most important cyber accumulation loss event since NotPetya in 2017.” The CrowdStrike incident was one of the clearest examples to date of several key issues of concern about cyberrisk, including aggregation risk and third-party or software supply chain risks, either accidental or malicious. The incident’s impact could have been much worse—Guy Carpenter analysts noted that a malicious attack on a widely used operating system could have a total impact of $600 million to $2 billion in insurable losses.
Boar’s Head Issues Recall for 7 Million Pounds of Tainted Meat
July 26
Boar’s Head issued a recall of seven million pounds of liverwurst and other deli meats produced at the company’s plant in Jarratt, Virginia, after they tested positive for listeria. The listeriosis outbreak caused 10 deaths and sickened 59 others. The company faces multiple lawsuits from victims of the contamination for wrongful death, personal injury, negligence, product liability and deceptive marketing practices. In September, Boar’s Head announced that it was permanently closing the Jarratt plant and would no longer make liverwurst products. Among other major recalls this year, in October, after one person died and over 100 were sickened across 14 states, McDonald’s supplier Taylor Farms recalled thousands of cases of slivered yellow onion due to possible E. coli contamination.
EU AI Act Goes into Force
August 1
The European Union’s Artificial Intelligence Act came into force, marking the first major set of rules to explicitly govern AI use. The act classifies AI systems based on their level of risk and requires providers, deployers, importers and manufacturers of these systems to take certain actions based on their classification. For example, “high-risk” applications are subject to various obligations around risk management, data governance, technical documentation, transparency, human oversight, cybersecurity and safety, while those designated “limited risk” may only have transparency requirements. Applications are prohibited if they are considered an “unacceptable risk,” such as “social scoring” or biometric identification systems that allow governments or companies to classify individuals based on protected characteristics. The act applies to both EU-based organizations and those that do business in the EU. If organizations do not comply with specified prohibitions and requirements, regulators can impose fines of up to €35 million (about $36.8 million) or 7% of global annual turnover, whichever is higher.
Court Rules Google Search Violates Antitrust Laws
August 5
A U.S. federal court ruled that Google violated the Sherman Antitrust Act when it took action to maintain a monopoly on internet search. The Justice Department sued the tech giant in 2020 for signing billion-dollar deals with Apple, Samsung and others to make Google the default search engine on mobile devices and web browsers, making it harder for consumers to use rival search engines. “Google is a monopolist, and it has acted as one to maintain its monopoly,” U.S. District Judge Amit Mehta wrote in the decision. In April 2025, a trial will begin to determine remedies, potentially including breaking up the company. The Justice Department has proposed forcing Google to sell its Chrome web browser and to choose between selling its Android operating system and no longer making its services mandatory on Android devices. A second antitrust suit over Google’s advertising practices is currently underway.
Hurricane Helene Devastates Southern U.S.
September 26
Hurricane Helene made landfall in Florida as a Category 4 storm, causing extensive damage with 140-mile-per-hour winds and massive storm surge-driven flooding. As the storm moved up the East Coast of the United States, it carved a path of death and destruction through Georgia and South Carolina before striking North Carolina with catastrophic impact. The storm killed more than 100 people in the state and devastated entire communities as record amounts of rainfall, flooding and tornadoes destroyed buildings, homes and infrastructure and caused widespread power outages. Much of the estimated $53 billion in storm-related and economic damage in North Carolina was uninsured. The storm also brought significant rainfall and flooding to parts of Tennessee, Virginia and Kentucky. Ultimately, Hurricane Helene killed more than 230 people and likely caused over $80 billion in damages.
Dockworker Strike Snarls U.S. Shipping
October 1
After three days, 45,000 U.S. dockworkers reached a tentative deal to end a strike that shut down shipping on the East and Gulf Coasts. The strike halted the unloading of container ships at 36 ports across the country, which led to fears of widespread food and product shortages. According to J.P. Morgan, the strike cost the U.S. economy around $5 billion a day. The dockworkers, who are part of the International Longshoremen’s Association workers union, went on strike seeking a 77% raise over six years and a ban on automation at ports, which they consider a threat to their jobs. The tentative agreement between the dockworkers and their employer, the U.S. Maritime Alliance, lasts until January 15, when the two parties will return to negotiations.
Hurricane Milton Rapidly Intensifies into Category 5 Storm
October 7
Less than two weeks after Hurricane Helene tore through the East Coast, Hurricane Milton rapidly intensified within 24 hours from a tropical storm to a Category 5 hurricane with wind speeds of over 180 miles per hour. Milton made landfall in Florida as a Category 3 storm a few days later, wreaking havoc throughout the state as flooding and tornadoes caused significant damage to homes, infrastructure and crops. Preliminary loss estimates exceeded $50 billion. By December, the 2024 Atlantic hurricane season had produced 18 named storms and 11 hurricanes, five of which were major hurricanes, including Hurricane Beryl, which formed in June and became the earliest Category 5 storm on record. Collectively, 2024 storms caused more than $220 billion in damages, making this the second-most costly season after 2017.
TD Bank Fined $3 Billion for Anti-Money Laundering Violations
October 10
TD Bank agreed to pay more than $3 billion in penalties for violations of the Bank Secrecy Act and anti-money laundering laws. The settlement includes a $1.8 billion fine imposed by the Justice Department and a $1.3 billion fine from the Treasury Department’s Financial Crimes Enforcement Network for failing to properly maintain, monitor and update its anti-money laundering program, which allowed criminal organizations to process hundreds of millions of dollars’ worth of suspicious transactions through the bank. The penalties are the highest ever imposed on a U.S. bank for anti-money laundering violations. In addition to the monetary penalties, the Office of the Comptroller of the Currency, which regulates banks in the United States, also imposed an asset cap on the bank, barring its retail business from growing above its current U.S. asset level, and limited its ability to open new branches or issue dividend payments.
Catastrophic Flooding in Spain Kills Over 200
October 29
Torrential rain and flooding rapidly inundated areas around Valencia, Spain, killing at least 229 people and directly impacting over 500,000 in one of the deadliest natural disasters in Spain’s history. Valencia’s Chamber of Commerce reported that approximately 1,800 businesses were destroyed and another 4,500 suffered notable damage. According to Spain’s national weather service, the hard-hit municipality of Chiva experienced more rain in eight hours than in all of the preceding 20 months. Other areas south of Valencia suffered massive flooding before the rain even hit. Spain’s Association of Insurance Companies expects the biggest payout for a weather-related event in the nation’s history. Local and national authorities have drawn considerable condemnation for their emergency management failures before and after the devastating floods, especially for their failure to issue timely warnings before disaster struck.
Donald Trump Reelected U.S. President
November 5
Republican Donald Trump defeated Democratic challenger and incumbent Vice President Kamala Harris to be elected the 47th president of the United States, becoming the second U.S. president to be elected to non-consecutive terms. With the Republican Party also winning a majority in both houses of Congress, the incoming administration quickly began setting out its agenda, which includes radical and controversial plans for addressing various economic, trade, immigration and regulatory policies, and overhauling the structure and operation of federal agencies.
Jennings Creek Wildfire Ignites in New York
November 8
On the border between New York and New Jersey, the Jennings Creek wildfire began and ultimately spread to over 5,000 acres, becoming New York State’s largest fire in decades. After months of particularly warm and dry conditions, wildfires broke out across the Northeast this fall, including notable fires in Maine, Connecticut, New Jersey and New York City. According to a Moody’s report on December 5, northeastern states had experienced 11,000 wildfires so far this year, representing an expansion of traditional natural disaster models in terms of both geography and timing. The West experienced even greater devastation from wildfires in 2024, including over one million acres burned in California—up from 308,000 acres in 2023, but below the five-year average of 1.28 million acres. In a continuation of the brutal 2023 season, regions of Canada also suffered an unusually long wildfire season, and a total of over 13 million acres burned, making for one of the six worst years in the past 50. The Jasper wildfire in Alberta destroyed over a third of the town and was one of the most expensive natural disasters in Canadian history.
Walmart Rolls Back DEI Policies
November 25
After pressure from conservative activists, Walmart said it would end several of its diversity, equity and inclusion initiatives. The retail giant is discontinuing programs designed to promote supplier diversity and winding down its Center for Racial Equity, a philanthropic fund established in 2020 following the killing of George Floyd. In addition, third parties will no longer be allowed to sell sexual and transgender items marketed to minors in its online marketplace and the company will no longer share data with the Human Rights Campaign, which tracks corporate LGBTQ policies. Walmart is also phasing out the use of the term “diversity, equity and inclusion” in official communications. The retailer is the latest in a growing list of companies that have moved away from DEI in the wake of the 2023 U.S. Supreme Court decision to strike down affirmative action in college admissions, and amid increasing conservative backlash from social media activists, the incoming Trump administration and others. This year, companies such as Ford, Molson Coors, Harley-Davidson, John Deere and Lowe’s also announced plans to drop or scale back their DEI initiatives.
UnitedHealthcare CEO Killed in New York City
December 4
Brian Thompson, CEO of health insurer UnitedHealthcare, was shot and killed outside of a Midtown Manhattan hotel where he was scheduled to attend the company’s annual investor meeting. The masked gunman fled the scene, setting off a week-long manhunt that culminated with the arrest of suspect Luigi Mangione at a McDonald’s in Pennsylvania. Public reaction to the killing was decidedly unsympathetic in many circles, with widespread expressions of anger toward UnitedHealthcare, an outpouring of personal horror stories dealing with the insurer and its competitors, and criticisms of the U.S. health insurance industry, the health care system in general, and the country’s immense problems with medical debt and privatized care. This sentiment was further inflamed by the discovery of ammunition at the crime scene emblazoned with the words “deny,” “defend” and “depose”—similar to a phrase used by insurance industry critics. In the immediate aftermath of the attack, UnitedHealthcare, Blue Cross Blue Shield, CVS Health and other health insurers removed their executive leadership information pages from their websites and ramped up security precautions to protect high-level employees.