Year in Risk 2024

Morgan O'Rourke, Hilary Tuttle, Jennifer Post

December 23, 2024

Organizations around the world faced a wide range of risks in 2024, whether it was from natural disasters and extreme weather, geopolitics and supply chain risks, cybersecurity and artificial intelligence threats, or regulatory and compliance concerns. Here is a review of some of the year’s most notable risk events, highlighting top challenges risk professionals had to address in 2024 and some that will shape the risk landscape moving into 2025.

Japanese Earthquake Kills 400 People, Causes Billions in Damages

January 1

On New Year’s Day, a 7.5 magnitude earthquake struck the Noto Peninsula on the western coast of Japan. The quake caused significant damage to infrastructure, roads, buildings and homes, particularly in Suzu and Wajima, as many houses in these cities were traditional wooden structures built before modern building codes were created. As a result of the quake, more than 400 people were killed, 1,300 injured and 30,000 displaced to temporary shelters, and government officials estimated total economic losses could be as much as $17.6 billion. The earthquake also disrupted power supplies and transportation networks, creating additional challenges for recovery efforts. Damages were further exacerbated by tsunami waves, which reached as high as five meters in some areas, prompting authorities to issue the country’s first “major tsunami warning” since the devastating earthquake and tsunami of 2011.

Boeing 737 MAX Planes Grounded After In-Flight Emergency

January 5

After a door plug blew out mid-air on an Alaska Airlines flight, the Federal Aviation Administration (FAA) grounded all Boeing 737 MAX 9 aircraft with a plug door for three weeks and halted production expansion of the plane model. Alaska Airlines and United Airlines canceled about 150 daily flights while the MAX 9 was grounded. The company was forced to pay its airline customers $443 million in compensation for the groundings. Boeing continued to struggle throughout 2024. The FAA investigated other Boeing planes, its CEO departed, and its machinists went on strike for almost two months, halting most jet production. In the first nine months of 2024, Boeing lost $8 billion in net earnings amid continuing questions about the quality and safety of its aircraft.

Cummins to Pay Record Fines for Clean Air Act Violations

January 10

Engine manufacturer Cummins settled with the U.S. Environmental Protection Agency and the U.S. Department of Justice after violating the Clean Air Act by equipping over one million vehicles with illegal software that reduced the effectiveness of emission control systems. The company also failed to disclose the control devices as part of the engine certification process, which the Clean Air Act requires. Cummins will pay a $1.675 billion penalty, the largest civil penalty in the history of the Clean Air Act and the second-largest environmental penalty. Due to Cummins’ actions, the impacted vehicles emitted much higher levels of nitrogen oxide, a pollutant that contributes to harmful ground-level ozone and fine particulate matter. Exposure to nitrogen oxides can cause asthma attacks and other respiratory or cardiovascular issues.

Change Healthcare Hit with Largest Health Data Breach in U.S. History

February 21

A ransomware attack hit Change Healthcare’s computer systems, compromising the protected health care information of approximately 100 million Americans. It was the largest health care data breach in U.S. history. The ransomware targeted the company’s billing and payment operations, leaving many hospitals, pharmacies and medical practices unable to process electronic payments and medical claims. Change Healthcare paid $22 million in ransom, but the ransomware group did not delete the sensitive data. The company finally began notifying affected individuals in July. UnitedHealth Group, the parent company of Change Healthcare, anticipates the total cost of responding to the incident will be around $2.3 billion.

SEC Adopts, Then Pauses, Climate Disclosure Rules

March 6

The U.S. Securities and Exchange Commission (SEC) adopted rules mandating that public companies disclose the climate-related risks that could materially impact their strategy, operations and financial position, and outline their actions to mitigate these impacts. As part of the disclosure requirements, companies must report their greenhouse gas emissions, including direct emissions (Scope 1) and emissions associated with their purchase and use of electricity, steam, heat and cooling (Scope 2). The final rule omitted a proposed requirement to disclose Scope 3 “value chain” emissions produced by a company’s customers and supply chain participants. Implementation was paused in April amid a rush of legal challenges from 25 states and various other entities. While the SEC rules remain under judicial review, similar emissions reporting rules in other jurisdictions including California and the European Union are moving forward, with some compliance deadlines scheduled for as early as next year.

SEC Issues First Fines for “AI Washing” False Claims

March 18

The SEC settled charges with two investment firms, Delphia and Global Predictions, fining the firms a total of $400,000 for making false and misleading claims about using AI in their services when they did not. Amid continuing and widespread hype about AI across business sectors, the flurry of services purportedly using AI to any and all ends has led to speculation and caution about “AI washing.” The SEC fines represent regulators’ first enforcement actions to curb the practice. “As today’s enforcement actions make clear to the investment industry—if you claim to use AI in your investment processes, you need to ensure that your representations are not false or misleading,” said Gurbir S. Grewal, director of the SEC’s Division of Enforcement. “And public issuers making claims about their AI adoption must also remain vigilant about similar misstatements that may be material to individuals’ investing decisions.”

Baltimore Bridge Collapses After Container Ship Crash

March 26

After being struck by a container ship, the Baltimore-area Francis Scott Key Bridge collapsed into the Patapsco River. The crew lost propulsion control after the ship suffered an electrical blackout, resulting in it drifting off-course and crashing into one of the bridge’s piers. The collision killed six maintenance workers on the bridge’s roadway and damaged the ship’s hull and shipping containers onboard. The collapse blocked shipping to and from the Port of Baltimore—one of the East Coast’s busiest ports—for 11 weeks, resulting in an estimated economic impact of as much as $15 million a day. Maryland officials plan to replace the bridge by 2028 at a cost of almost $2 billion. In October, the ship’s owner and operator agreed to pay more than $102 million to settle a lawsuit brought by the Justice Department. The settlement will cover what the U.S. government spent in response to the disaster, including clearing the ship and bridge debris from the Port of Baltimore.

Red Sea Attacks Spark Shipping Crisis

March 31

Typically, 30% of global cargo travels across the Red Sea and through the Suez Canal, but after conflict broke out between Israel and Gaza and other Middle East neighbors at the end of 2023, this critical container shipping route was quickly upended. Yemen-aligned Houthi rebels began launching attacks on container ships on the Red Sea, introducing an almost untenable risk into one of the world’s most essential shipping routes. As of the end of March, the World Bank reported Suez traffic had fallen to half its usual number of ships, and traffic around Africa’s Cape of Good Hope increased 100%. The primary alternate route requires circumnavigating Africa, adding about 10 days and 4,000 miles to shipping routes. Measures taken to avoid the conflict zones decreased global shipping capacity by 9% and increased fuel expenses, labor and material costs, insurance rates and the environmental impact on the global shipping industry. Shipping rates for many routes rose to as much as five times their normal costs, adding to the price of imports around the world and pushing up global inflation, according to a report by J.P. Morgan. In addition, with so many cargo ships rerouted around the Horn of Africa, piracy saw a resurgence, with opportunistic attacks increasing significantly.

U.S. East Coast Experiences Rare Earthquake

April 5

A 4.8 magnitude earthquake originating in Tewksbury, New Jersey, was felt throughout the New York and Washington, D.C., metropolitan areas and many parts of the East Coast. It was the strongest earthquake to strike the region since 1884 and was followed by dozens of aftershocks throughout the week. While there were no reports of injuries, up to 150 buildings suffered damage in New York City and surrounding areas. In response to the earthquake, the Federal Aviation Administration stopped all flights at Newark Liberty International Airport, Philadelphia International Airport and John F. Kennedy International Airport and train travel was restricted through the Northeast. According to researchers from Columbia University and Seoul National University, the surprisingly strong earthquake was attributed to a major fault line that had not been previously identified.

President Biden Signs TikTok Ban

April 24

Under a law passed in April and signed by President Biden, if China-based company ByteDance does not sell TikTok within a year, the United States will ban app stores from offering and supporting the social media app. The U.S. government has closely monitored TikTok for years due to the tremendous amount of data it is collecting and fears that the Chinese government is using the app to influence its users, which is especially concerning since TikTok is where one-third of young adults get their news. However, ByteDance stands firm against selling the app. Shortly after the law was passed, the company sued the U.S. government, calling the law unconstitutional. An appeals court rejected the suit on December 6, ruling national security concerns were a valid constitutional basis for such a measure. Citing similar security concerns, several other countries have taken action against TikTok. India, Iran, Nepal, Afghanistan and Somalia have also blocked TikTok, and the UK has banned government staff from having the app on any work devices.

Tornado Outbreak Ravages U.S. States

April 25

Over 160 tornadoes struck the Midwest, Southern and High Plains regions of the United States, killing six people, injuring over 170 and causing $1.2 billion in damage. The outbreak was notable not only for the number of tornadoes but also for its timing, as peak tornado season is usually in June and July. Swiss Re reported that severe convective storms, including tornadoes, accounted for a record $64 billion globally in insured losses in 2023. Those same storms resulted in $42 billion in losses in the first half of 2024 alone. As recently seen with hurricanes, severe storms are adhering less to strict seasons, impacting wider regions and more people. A range of factors are contributing to the increase in damages, including climate change, more people living in vulnerable areas, and less undeveloped space.

Newspapers Sue ChatGPT, Microsoft for Copyright Infringement

April 30

Eight U.S. newspapers, including the New York Daily News, Chicago Tribune, Orlando Sentinel and Denver Post, sued ChatGPT creator OpenAI and Microsoft for allegedly using copyrighted works without permission or compensation to train their generative AI products. The lawsuit joins a growing list of copyright lawsuits against AI companies from media outlets like the New York Times and authors such as John Grisham, Jodi Picoult and George R.R. Martin. Similarly, in June, major record labels Universal Music Group, Sony Music Entertainment and Warner Music Group sued AI-based music services Suno and Udio for unlawfully using copyrighted recordings to train their products. AI tech companies contend that taking publicly available content amounts to “fair use,” a legal doctrine that permits repurposing copyrighted work if it is substantially changed. Many of the content creators and publishers that have filed suit are seeking to stop the practice and to be paid for the use of their intellectual property. Other publishers like the Associated Press, Wall Street Journal, Financial Times and the Atlantic have made licensing deals with OpenAI to be compensated for the use of their content.

More Than 1,300 People Die in Record Heat During Hajj Pilgrimage

June 14

Over 1,300 people died of heat stroke or dehydration on the Hajj pilgrimage due to extreme heat as temperatures reached a record high of 122 degrees Fahrenheit (50 degrees Celsius) at the Grand Mosque of Mecca. A little over a month later, July 22 became the hottest day ever recorded on Earth—beating out the previous day’s record high with a global temperature of 63 degrees Fahrenheit (17.6 degrees Celsius). July was also the hottest month in the 175 years that NOAA has kept records, following 13 consecutive months of record-high monthly temperatures. By the end of the year, researchers from NOAA and the EU’s Copernicus Climate Change Service said that 2024 was sure to be the hottest year on record.

CDK Ransomware Attack Directly Costs Car Dealerships $1 Billion

June 19

Car dealership software firm CDK Global was hit with a ransomware attack that ultimately forced the company to shut down most of its systems, impacting over 15,000 dealerships across North America. Dealers use the software to handle everything from generating orders and facilitating vehicle sales to recordkeeping and scheduling. The outage lasted until July 5, leaving about half of the country’s car dealerships struggling to maintain operations. Blockchain analysts reported that CDK appears to have paid a ransom of approximately $25 million in bitcoin. According to Anderson Economic Group, car dealers’ total direct losses surpassed $1.02 billion from the three-week outage, and that was before adding any costs from damage to consumers, reputation damage for dealers and litigation costs. “This episode is a wake-up call for the auto industry and a warning to all others,” said Patrick Anderson, the group’s CEO. “Businesses that rely upon automated systems and centralized software—which means nearly all businesses—are vulnerable to hacking of systems managed by outside providers, and the losses caused by an outage can escalate quickly.”

Flawed CrowdStrike Update Causes Global Tech Outages, Widespread Disruption

July 19

A flaw in the coding of a CrowdStrike software update caused thousands of Microsoft Windows devices to crash, leading to massive outages around the world, particularly impacting airlines, banking, retail, hospitality and government entities. CrowdStrike’s endpoint detection and response tools are used by over 24,000 organizations around the world, including 60% of the Fortune 500. Guy Carpenter estimated global insured losses for the CrowdStrike incident would fall between $300 million and $1 billion, driven primarily by business interruption insurance claims. Verisk officially classified the outage as a cyber catastrophe event, meaning at least $250 million in insured losses, and experts at Aon said it was “likely to be the most important cyber accumulation loss event since NotPetya in 2017.” The CrowdStrike incident was one of the clearest examples to date of several key issues of concern about cyberrisk, including aggregation risk and third-party or software supply chain risks, either accidental or malicious. The incident’s impact could have been much worse—Guy Carpenter analysts noted that a malicious attack on a widely used operating system could have a total impact of $600 million to $2 billion in insurable losses.

Boar’s Head Issues Recall for 7 Million Pounds of Tainted Meat

July 26

Boar’s Head issued a recall of seven million pounds of liverwurst and other deli meats produced at the company’s plant in Jarratt, Virginia, after they tested positive for listeria. The listeriosis outbreak caused 10 deaths and sickened 59 others. The company faces multiple lawsuits from victims of the contamination for wrongful death, personal injury, negligence, product liability and deceptive marketing practices. In September, Boar’s Head announced that it was permanently closing the Jarratt plant and would no longer make liverwurst products. Among other major recalls this year, in October, after one person died and over 100 were sickened across 14 states, McDonald’s supplier Taylor Farms recalled thousands of cases of slivered yellow onion due to possible E. coli contamination.

EU AI Act Goes into Force

August 1

The European Union’s Artificial Intelligence Act came into force, marking the first major set of rules to explicitly govern AI use. The act classifies AI systems based on their level of risk and requires providers, deployers, importers and manufacturers of these systems to take certain actions based on their classification. For example, “high-risk” applications are subject to various obligations around risk management, data governance, technical documentation, transparency, human oversight, cybersecurity and safety, while those designated “limited risk” may only have transparency requirements. Applications are prohibited if they are considered an “unacceptable risk,” such as “social scoring” or biometric identification systems that allow governments or companies to classify individuals based on protected characteristics. The act applies to both EU-based organizations and those that do business in the EU. If organizations do not comply with specified prohibitions and requirements, regulators can impose fines of up to €35 million (about $36.8 million) or 7% of global annual turnover, whichever is higher.

Court Rules Google Search Violates Antitrust Laws

August 5

A U.S. federal court ruled that Google violated the Sherman Antitrust Act when it took action to maintain a monopoly on internet search. The Justice Department sued the tech giant in 2020 for signing billion-dollar deals with Apple, Samsung and others to make Google the default search engine on mobile devices and web browsers, making it harder for consumers to use rival search engines. “Google is a monopolist, and it has acted as one to maintain its monopoly,” U.S. District Judge Amit Mehta wrote in the decision. In April 2025, a trial will begin to determine remedies, potentially including breaking up the company. The Justice Department has proposed forcing Google to sell its Chrome web browser and to either sell its Android operating system or stop making its services mandatory on Android devices. A second antitrust suit over Google’s advertising practices is currently underway.

Hurricane Helene Devastates Southern U.S.

September 26

Hurricane Helene made landfall in Florida as a Category 4 storm, causing extensive damage with 140-mile-per-hour winds and massive storm surge-driven flooding. As the storm moved up the East Coast of the United States, it carved a path of death and destruction through Georgia and South Carolina before striking North Carolina with catastrophic impact. The storm killed more than 100 people in the state and devastated entire communities as record amounts of rainfall, flooding and tornadoes destroyed buildings, homes and infrastructure and caused widespread power outages. Much of the estimated $53 billion in storm-related and economic damage in North Carolina was uninsured. The storm also brought significant rainfall and flooding to parts of Tennessee, Virginia and Kentucky. Ultimately, Hurricane Helene killed more than 230 people and likely caused over $80 billion in damages.

Dockworker Strike Snarls U.S. Shipping

October 1

After three days, 45,000 U.S. dockworkers reached a tentative deal to end a strike that shut down shipping on the East and Gulf Coasts. The strike halted the unloading of container ships at 36 ports across the country, which led to fears of widespread food and product shortages. According to J.P. Morgan, the strike cost the U.S. economy around $5 billion a day. The dockworkers, who are part of the International Longshoremen’s Association workers union, went on strike seeking a 77% raise over six years and a ban on automation at ports, which they consider a threat to their jobs. The tentative agreement between the dockworkers and their employer, the U.S. Maritime Alliance, lasts until January 15, when the two parties will return to negotiations.

Hurricane Milton Rapidly Intensifies into Category 5 Storm

October 7

Less than two weeks after Hurricane Helene tore through the East Coast, Hurricane Milton rapidly intensified within 24 hours from a tropical storm to a Category 5 hurricane with wind speeds of over 180 miles per hour. Milton made landfall in Florida as a Category 3 storm a few days later, wreaking havoc throughout the state as flooding and tornadoes caused significant damage to homes, infrastructure and crops. Preliminary loss estimates exceeded $50 billion. By December, the 2024 Atlantic hurricane season had produced 18 named storms and 11 hurricanes, five of which were major hurricanes, including Hurricane Beryl, which formed in June and became the earliest Category 5 storm on record. Collectively, 2024 storms caused more than $220 billion in damages, making this the second-most costly season after 2017.

TD Bank Fined $3 Billion for Anti-Money Laundering Violations

October 10

TD Bank agreed to pay more than $3 billion in penalties for violations of the Bank Secrecy Act and anti-money laundering laws. The settlement includes a $1.8 billion fine imposed by the Justice Department and a $1.3 billion fine from the Treasury Department’s Financial Crimes Enforcement Network for failing to properly maintain, monitor and update its anti-money laundering program, which allowed criminal organizations to process hundreds of millions of dollars’ worth of suspicious transactions through the bank. The penalties are the highest ever imposed on a U.S. bank for anti-money laundering violations. In addition to the monetary penalties, the Office of the Comptroller of the Currency, which regulates banks in the United States, also imposed an asset cap on the bank, barring its retail business from growing above its current U.S. asset level, and limited its ability to open new branches or issue dividend payments.

Catastrophic Flooding in Spain Kills Over 200

October 29

Torrential rain and flooding rapidly inundated areas around Valencia, Spain, killing at least 229 people and directly impacting over 500,000 in one of the deadliest natural disasters in Spain’s history. Valencia’s Chamber of Commerce reported that approximately 1,800 businesses were destroyed and another 4,500 suffered notable damage. According to Spain’s national weather service, the hard-hit municipality of Chiva experienced more rain in eight hours than in all of the preceding 20 months. Other areas south of Valencia suffered massive flooding before the rain even hit. Spain’s Association of Insurance Companies expects the biggest payout for a weather-related event in the nation’s history. Local and national authorities have drawn considerable condemnation for their emergency management failures before and after the devastating floods, especially for their failure to issue timely warnings before disaster struck.

Donald Trump Reelected U.S. President

November 5

Republican Donald Trump defeated Democratic challenger and incumbent Vice President Kamala Harris to be elected the 47th president of the United States, becoming the second U.S. president to be elected to non-consecutive terms. With the Republican Party also winning a majority in both houses of Congress, the incoming administration quickly began setting out its agenda, which includes radical and controversial plans for addressing various economic, trade, immigration and regulatory policies, and overhauling the structure and operation of federal agencies.

Jennings Creek Wildfire Ignites in New York

November 8

On the border between New York and New Jersey, the Jennings Creek wildfire began and ultimately spread to over 5,000 acres, becoming New York State’s largest fire in decades. After months of particularly warm and dry conditions, wildfires broke out across the Northeast this fall, including notable fires in Maine, Connecticut, New Jersey and New York City. According to a Moody’s report on December 5, northeastern states had experienced 11,000 wildfires so far this year, representing an expansion of traditional natural disaster models in terms of both geography and timing. The West experienced even greater devastation from wildfires in 2024, including over one million acres burned in California—up from 308,000 acres in 2023, but below the five-year average of 1.28 million acres. In a continuation of the brutal 2023 season, regions of Canada also suffered an unusually long wildfire season, and a total of over 13 million acres burned, making for one of the six worst years in the past 50. The Jasper wildfire in Alberta destroyed over a third of the town and was one of the most expensive natural disasters in Canadian history.

Walmart Rolls Back DEI Policies

November 25

After pressure from conservative activists, Walmart said it would end several of its diversity, equity and inclusion initiatives. The retail giant is discontinuing programs designed to promote supplier diversity and winding down its Center for Racial Equity, a philanthropic fund established in 2020 following the killing of George Floyd. In addition, third parties will no longer be allowed to sell sexual and transgender items marketed to minors in its online marketplace and the company will no longer share data with the Human Rights Campaign, which tracks corporate LGBTQ policies. Walmart is also phasing out the use of the term “diversity, equity and inclusion” in official communications. The retailer is the latest in a growing list of companies that have moved away from DEI in the wake of the 2023 U.S. Supreme Court decision to strike down affirmative action in college admissions, and amid increasing conservative backlash from social media activists, the incoming Trump administration and others. This year, companies such as Ford, Molson Coors, Harley-Davidson, John Deere and Lowe’s also announced plans to drop or scale back their DEI initiatives.

UnitedHealthcare CEO Killed in New York City

December 4

Brian Thompson, CEO of health insurer UnitedHealthcare, was shot and killed outside of a Midtown Manhattan hotel where he was scheduled to attend the company’s annual investor meeting. The masked gunman fled the scene, setting off a week-long manhunt that culminated with the arrest of suspect Luigi Mangione at a McDonald’s in Pennsylvania. Public reaction to the killing was decidedly unsympathetic in many circles, with widespread expressions of anger toward UnitedHealthcare, an outpouring of personal horror stories dealing with the insurer and its competitors, and criticisms of the U.S. health insurance industry, the health care system in general, and the country’s immense problems with medical debt and privatized care. This sentiment was further inflamed by the discovery of ammunition at the crime scene emblazoned with the words “deny,” “defend” and “depose”—similar to a phrase used by insurance industry critics. In the immediate aftermath of the attack, UnitedHealthcare, Blue Cross Blue Shield, CVS Health and other health insurers removed their executive leadership information pages from their websites and ramped up security precautions to protect high-level employees.

Morgan O’Rourke is editor in chief of Risk Management and senior director of content and publications for the Risk & Insurance Management Society, Inc. (RIMS).


Hilary Tuttle is managing editor of Risk Management.


Jennifer Post is an editor at Risk Management.
