This post first appeared on Risk Management Magazine. Read the original article.
Whether it was natural disasters, cyberattacks, corporate crises, political uncertainty or terrorist activity, risk events made high-profile and often sobering headlines in 2017. Although by no means exhaustive, the following review of the year in risk can help risk professionals learn from the past so that they can better prepare for future threats.
Volkswagen to Pay $4.3 Billion in Additional Penalties for Emissions Fraud
January 11
As a result of Volkswagen’s long-running practice of cheating on mandatory emissions tests in order to sell diesel vehicles in the United States, the U.S. Department of Justice announced that the automaker will plead guilty to three criminal felony charges, including conspiracy to commit fraud, obstruction of justice, and making false compliance statements. The automaker will pay a $2.8 billion criminal penalty and $1.5 billion in civil penalties to settle various environmental and financial charges. Last year, the company paid almost $15 billion to settle civil actions with consumers and regulators.
Takata Agrees to $1 Billion Airbag Settlement
January 12
Japanese auto parts company Takata pled guilty to U.S. fraud charges and agreed to pay a $1 billion settlement to compensate automakers and victims affected by defective airbags it manufactured. At least 16 deaths and 180 injuries have been attributed to exploding Takata airbags, resulting in recalls of some 42 million vehicles across dozens of brands— one of the largest recalls in U.S. history. Three company executives were also charged with falsifying crash data and, in June, Takata filed for Chapter 11 bankruptcy. Later in the year, Toyota, Subaru, Mazda and BMW also agreed to pay a combined $553 million to compensate car owners affected by the airbag recall, while Nissan settled a class action lawsuit of its own for $97.7 million and Honda agreed to a $605 million settlement.
Trump Signs Travel Ban
January 27
Citing concerns about terrorism and national security, newly-inagurated President Donald Trump signed an Executive Order temporarily suspending the U.S. Refugee Admissions Program, prohibiting travelers from seven Muslim-majority nations—Iran, Iraq, Libya, Somalia, Sudan, Syria and Yemen—from entering the United States for at least 90 days, and suspending the admission of refugees from Syria indefinitely. In response to the order, Google recalled many of its overseas employees. Many other organizations warned staff against international travel and sought to determine what effect the policy would have on tourism and global business. The measure was ultimately blocked by federal judges in various jurisdictions. Later revisions to the order removed Sudan from the restricted list and added Chad, North Korea and Venezuela, and were also challenged in federal courts.
Australia Mandates Data Breach Notification
February 13
The Australian Parliament passed an amendment to the nation’s Privacy Act 1988 that imposes mandatory data breach notification across a range of government and private-sector enterprises. When the law takes effect in February 2018, companies that suspect or become aware of a data breach will be required to provide detailed notification to the Australian Privacy Commissioner and all individuals affected. Serious or repeated failure to comply can result in penalties of AUS $1.8 million ($1.38 million) for companies and AUS $360,000 ($275,000) for individuals.
New York Implements Financial Services Cybersecurity Law
March 1
New York’s new cybersecurity regulations went into effect, requiring banks, insurance companies and other institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program to protect consumer data. Specifically, companies must create and maintain written cybersecurity policies and designate a chief information security officer, either in-house or third-party, who will be required to report annually to the company’s board. The rules also establish standards for data protection and incident response and require companies to conduct periodic penetration testing and vulnerability assessments as part of a regular cybersecurity risk assessment process. Additionally, companies will need to develop security policies and procedures for third-party service providers.
U.K. Triggers Article 50 to Initiate Brexit
March 29
Prime Minister Theresa May officially began the U.K.’s process of withdrawing from the European Union by triggering Article 50 of the Lisbon Treaty. The U.K. now has two years to negotiate the terms of its exit, including questions regarding trade, immigration, security, law enforcement and health care. Shortly after the move, a number of businesses announced plans to establish new EU headquarters in anticipation of the changes, including insurers Lloyd’s of London, AIG, Hiscox, Chubb and XL Group.
Show Leaked After Netflix Refuses Ransom Demand
April 29
A hacker released the upcoming season of the Netflix series Orange Is the New Black after the streaming service refused to pay a ransom demand for the unaired content. The attack, which resulted from a security breach at a production vendor, was another example of the rapid rise of financially motivated attacks in which hackers hold systems or content for ransom. In May, hackers threatened to leak Pirates of the Caribbean 5 before its official release if Disney did not pay a ransom. In July, hackers also stole and held for ransom 1.5 terabytes of proprietary HBO data, including scripts for unaired episodes of Game of Thrones and internal documents and emails containing contract and budget information, operational details, and personal phone numbers and email addresses of popular actors.
WannaCry Ransomware Affects Thousands Worldwide
May 12
A strain of ransomware known as WannaCry paralyzed more than 200,000 computers in 150 countries. The program took advantage of computers running outdated versions of Microsoft Windows and demanded $300 in bitcoin from users to restore access to data and systems. Primarily striking Europe and Asia, the attack crippled operations for a wide range of organizations, from the U.K.’s National Health Service to German state railways to thousands of private businesses. The ransomware infection also forced auto manufacturers Nissan and Renault to shut down production at plants in England and France, while Honda had to do the same at one of its Japanese plants after finding the ransomware in its network a month later.
Terrorist Bombs Manchester Concert
May 22
A suicide bomber with ties to the terrorist group ISIS detonated a homemade explosive device outside the U.K.’s Manchester Arena following an Ariana Grande concert, killing 22 people and injuring more than 500. The incident was indicative of a shift in terrorist strategy to include more relatively low-tech and lone-wolf attacks in Western countries. For example, in attacks in London in March and June, Stockholm in April, Barcelona in August, and New York in October, assailants drove into crowds of pedestrians and, in some cases, stabbed additional victims after exiting their vehicles.
United States Withdraws from Paris Agreement
June 1
President Donald Trump announced that the United States would withdraw from the Paris Agreement, stating that compliance with the climate change mitigation accord would have a detrimental effect on the country’s economy. The agreement, which went into effect last year, calls for nations to hold the increase in global average temperature to less than 2°C above pre-industrial levels and pursue efforts to further limit the increase to 1.5°C. After Nicaragua and Syria recently pledged to sign the agreement, the United States is now the only country that has declined to participate. Under the terms of the agreement, the United States cannot officially withdraw until 2020.
House Votes to Dismantle Dodd-Frank
June 9
In an effort to make good on President Trump’s stated desire to repeal the Dodd-Frank Act, the U.S. House of Representatives voted to pass the Financial Choice Act, which would undo parts of the 2010 financial reform law. The bill continues to face opposition in the Senate, however. Passed in the wake of the 2008 financial crisis, Dodd-Frank increased the regulatory requirements for banks by establishing capital requirements, especially for global systemically important banks, mandating annual stress tests, and restricting certain types of investments and trading methods. Banks have argued that compliance with the regulations has hampered their ability to lend capital and stay competitive. Proponents of Dodd-Frank believe that its repeal could recreate the market conditions from 2008 and lead to another financial meltdown.
London Tower Blaze Kills 80
June 14
A fire at Grenfell Tower, a 24-story apartment block in central London, killed at least 80 people and resulted in an estimated £50 million ($66 million) in property and liability insurance claims. Investigators believe that the rapid spread of the blaze may have been due to highly flammable cladding on the building’s exterior. Although banned in many countries, particularly for use in high-rises, the cladding has been used throughout Britain. Some experts have blamed this practice on a 2005 fire safety order that removed requirements for government fire safety inspections and allowed building owners to establish their own, sometimes cheaper, standards.
Uber CEO Resigns Amid Scandals
June 21
After pressure from investors to step down, Uber CEO Travis Kalanick resigned from the ride-sharing company that he helped found in 2009. Kalanick’s resignation comes as Uber navigates multiple scandals, including reports of a workplace culture rife with incidents of sexual harassment and discrimination that led to the firing of 20 employees this year. The company is also embroiled in an intellectual property dispute with Google over self-driving car technology, and is facing allegations that it used software to evade law enforcement and manipulated driver data to underpay its drivers. Kalanick was personally the focus of controversy earlier this year when a video surfaced showing him arguing with an Uber driver over fare reductions. Although he will no longer have a leadership role, Kalanick will remain on Uber’s board of directors.
Google Hit with $2.8 Billion EU Fine
June 27
Google was fined a record €2.42 billion ($2.81 billion) by the European Union’s antitrust regulator for manipulating search results to give prominent placement to its Google Shopping price-comparison service while demoting rival sites. The penalty was the largest ever handed down to a single company by the European Commission, more than doubling an antitrust fine levied against Intel in 2009. The commission ordered Google to discontinue the practice within 90 days or face an additional penalty of up to 5% of its average daily revenue for every day it did not comply. Google faces two more EU antitrust investigations for shutting out competitors to both its Android operating system and AdSense advertising placement service.
Law Enforcement Agencies Team Up Against Corruption
July 5
With the formation of the International Anti-Corruption Coordination Centre (IACCC), law enforcement agencies from around the world announced a new initiative to combat high-level corruption. The group is currently made up of agencies from the United States, Canada, the United Kingdom, Australia, New Zealand and Singapore, with Interpol scheduled to join at a later date. From its base in the United Kingdom, the IACCC will focus on cases of grand corruption—acts by politically-exposed individuals that involve large quantities of assets and can threaten political stability and sustainable development. This includes bribery of public officials, embezzlement, abuse of function, and laundering the proceeds of crime. The center will improve intelligence-sharing and assist countries that have suffered grand corruption, particularly those that do not have the resources to investigate these crimes.
Charlottesville Protest Turns Deadly
August 12
When officials in Charlottesville, Virginia, decided to join a growing movement to remove statues of Confederate figures from public spaces, a white supremacist rally organized in protest drew national attention before taking a tragic turn when a man drove his car into a crowd of counter-protestors. One person was killed and 19 were injured. The year was marked by a number of civil rights protests and clashes between right- and left-wing activists around the country. These events have taxed security budgets, particularly for municipalities and universities, where many of the demonstrations took place.
Harvey and Irma Strike Southern U.S. and Caribbean
August 17
After more than a decade without a major hurricane making landfall in the United States, Hurricanes Harvey and Irma cut destructive paths through the South in August and September. Mere weeks apart, Category 4 Harvey inundated Houston and the Gulf of Mexico region with nearly 52 inches of rain, and Category 5 Irma—one of the strongest storms ever recorded in the Atlantic basin—devastated the Caribbean before making landfall in Florida. Almost 200 people were killed by the two storms, and damage estimates in the United States alone have exceeded $200 billion. RMS predicted that insured losses from the hurricanes could be as high as $90 billion.
Wells Fargo’s Fake Account Scandal Deepens
August 31
After an internal investigation into its ongoing fraudulent account scandal, Wells Fargo announced that it found an additional 1.4 million accounts that were opened without customer consent, bringing the total number of suspicious accounts to 3.5 million. The scandal, which broke last year, has already resulted in $185 million in regulatory penalties, the firing of 5,300 employees and the resignation of CEO John Stumpf. In July, it was also revealed that the bank had charged as many as 800,000 auto loan customers for additional collateral protection insurance that they did not need, causing 274,000 customers to default on their loan payments and 25,000 vehicles to be wrongfully repossessed. The bank set aside $80 million to reimburse auto loan customers, and may face additional penalties.
Mexico Shaken by Deadly Earthquakes
September 7
In the span of 12 days, Mexico was hit by pair of deadly earthquakes. On Sept. 7, an 8.1 magnitude quake, struck the southern coast near Chiapas damaging more than 40,000 homes, killing at least 98 people and affecting an estimated 1.5 million. It was the strongest earthquake to hit the country in more than 230 years. On Sept. 19, a 7.1 magnitude temblor struck near Mexico City, toppling buildings in the capital city and killing at least 200 people. The quake hit 32 years to the day after the 1985 Mexico City earthquake, which left up to 10,000 people dead and hundreds of thousands homeless.
Equifax Breach Exposes 160 Million Consumers’ Data
September 7
Credit reporting agency Equifax reported that the personal data of 145.5 million consumers in the United States and 15.2 million in the U.K. may have been compromised in a cyberattack that occurred from mid-May through July of this year. The data includes names, Social Security numbers, birth dates, addresses, credit card numbers and some driver’s license numbers. The company was criticized for its handling of the breach, including how long it took to notify customers—the hack was discovered on July 29, six weeks before the public announcement. Equifax’s free credit monitoring and identity theft protection service, established after the breach, also came under fire for fine print that initially stated that, in order to sign up, enrollees had to waive their rights to sue the company. Three company executives also sold $1.8 million worth of Equifax stock soon after the company became aware of the hack, but before it was disclosed to the public. More than 70 lawsuits have been filed over the incident.
Hurricane Maria Devastates Puerto Rico
September 20
Just two weeks after Hurricane Irma, Hurricane Maria slammed into Puerto Rico. The storm destroyed almost all of the power lines that carry electricity from distribution centers on the island, leaving the majority of its 3.4 million residents without access to electricity for months. Destruction of other infrastructure compounded the crisis, with towns cut off by landslides and flooding, and 95% of cellphone towers reportedly toppled. Experts expect a lengthy recovery period from the first Category 4 storm to make direct landfall on the island since 1932 and first major hurricane to hit since 1989. AIR Worldwide estimated insured losses across the Caribbean from Hurricane Maria will total between $40 billion and $85 billion, with Puerto Rico alone accounting for more than 85% of the toll.
59 Killed, 500 Injured in Las Vegas Shooting
October 1
A gunman on the 32nd floor of the Mandalay Bay hotel carried out the deadliest mass shooting in modern American history, firing on a crowd of 22,000 people attending a country music festival on the Las Vegas strip. Stephen Paddock wounded more than 500 people and killed 58 before killing himself. Local police said Paddock was not known to them before the incident, had no notable political or terrorist connections, and appeared to have purchased his sizable cache of weapons legally, and thus would not have raised red flags with current threat models. In the wake of the tragedy, hotels have faced questions of how to better screen visitors, but many believe the training, equipment and time required to thoroughly examine guests and their belongings would make significant changes unfeasible.
Amazon Charged with $300 Million EU Tax Bill
October 4
The European Commission continued its crackdown on American tech companies evading taxes in business-friendly member-states, ruling that Luxembourg violated EU rules by granting “undue tax benefits” to Amazon. Approximately three-quarters of Amazon’s European profits were attributed to a holding company that went untaxed, resulting in almost $300 million in unpaid taxes, according to the EC. Last year, the commission found that Ireland’s business-friendly tax laws led Apple to underpay by about $15 billion. The EC also announced plans to take Ireland to court for ignoring this ruling and failing to collect these taxes. To further combat corporate tax-dodging in the EU, the commission has proposed changes to cross-border value-added tax rates that it hopes will reduce tax revenue losses and eliminate some incentive for firms to move to nations with low VAT rates.
Hollywood Producer Harvey Weinstein Accused of Sexual Misconduct
October 5
Reports in the New Yorker and New York Times revealed that movie producer Harvey Weinstein had engaged in a decades-long campaign of sexual misconduct against dozens of women. As more and more women came forward with their accounts of sexual harassment, sexual assault and rape, Weinstein was fired from his motion picture company, The Weinstein Company, and kicked out of the Academy of Motion Picture Arts and Sciences. The Weinstein scandal set off a flood of sexual harassment allegations as additional victims shared their experiences of misconduct by other prominent figures including actor Kevin Spacey, director James Toback, journalist Mark Halperin, and former President George H.W. Bush. Earlier in the year, Fox News commentator Bill O’Reilly was fired from the network after multiple sexual harassment allegations and lawsuits.
Justice Department Reverses Transgender Worker Protection Policy
October 5
U.S. Attorney General Jeff Sessions reversed an Obama-era policy that interpreted sex discrimination to include discrimination based on gender identity, saying Title VII of the Civil Rights Act only applies to discrimination between men and women. The previous policy was one of several that had expanded protections for transgender workers in recent years, prompting greater attention on the need to develop workplace policies and increased enforcement action for noncompliance. A significant number of federal courts have found in favor of protections for transgender employees in Title VII lawsuits, so while the policy change means the DOJ will not take the side of these employees in discrimination suits, it is unclear what impact the reversal will have in practice.
California Wildfires Kill 43, Cause Billions in Damage
October 8
A week of devastating wildfires in northern California killed 43 people, destroyed 8,900 homes and buildings, and burned more than 245,000 acres. Collectively, it was the deadliest wildfire event in state history. AIR Worldwide estimated that insured losses could range from $2 billion to $3 billion, while AccuWeather estimated that economic losses could reach $85 billion. Even before the California fires broke out, the Forest Service had already spent a record $2.4 billion fighting fires in 2017. From Jan. 1 to Oct. 31, more than 52,000 fires had burned over 8.8 million acres across the United States, far exceeding the 10-year average from 2006 to 2016 of 6.1 million acres burned, according to the National Interagency Fire Center. Wildfires were devaststing in Europe as well, with blazes in Spain and Portugal killing at least 39 people in October. 8
Trump Administration Halts Obamacare Subsidies
October 13
After several failed attempts by Congressional Republicans to repeal and replace the Affordable Care Act, also known as Obamacare, the Trump Administration announced that it would stop paying cost-sharing subsidies to reimburse insurers for reducing deductibles and co-pays for lower-income enrollees. Many consider the subsidies to be integral to the long-term viability of the health care law. Health insurance advocates have warned that, without these subsidies, insurers will likely raise premium rates and begin offering fewer coverage options.
U.S. Opioid Crisis Declared a Public Health Emergency
October 26
With opioid addiction in the United States reaching epidemic proportions—a BlueCross BlueShield study found that the number of people diagnosed with opioid addiction increased by 493% between 2010 and 2016—President Trump declared the crisis an official “public health emergency” under the Public Health Services Act. The declaration allows federal agencies to redirect grant money and other resources to combat the opioid problem. In an effort to recoup spiraling costs related to drug treatment, a number of states and municipalities filed suits this year against drug companies for misrepresenting opioid risks.
Gunman Kills 26 in Texas Church Shooting
November 5
Just one month after the Las Vegas massacre, a gunman opened fire on a church congregation in Sutherland Springs, Texas, killing 26 and injuring 20. The assailant, Devin Patrick Kelley, ultimately took his own life after fleeing the scene. Because he was convicted of domestic violence in 2012 while in the U.S. Air Force, Kelley should not have been allowed to purchase the gun used in the shooting. The Air Force did not properly record the conviction in the FBI’s National Crime Information Center database, however, enabling Kelley to successfully pass the background checks required. According to the Mass Shooting Tracker, which records incidents where four or more people were shot, this was the 378th mass shooting in the United States this year.