2025 Cybersecurity and AI Regulation Overview for Insurance Industry

By 2026, U.S. federal and state regulatory bodies are expected to continue enforcing stringent cybersecurity standards. Organizations are urged to adopt comprehensive compliance strategies, perform integrated risk assessments, and adapt to evolving AI and cybersecurity guidelines in order to meet these requirements.

The year 2025 was pivotal for regulatory activity related to cybersecurity, privacy, and AI management. The U.S. Securities and Exchange Commission (SEC) and the California Privacy Protection Agency (CPPA) introduced new mandates addressing third-party risk management and incident reporting. In addition, the New York Department of Financial Services (DFS) rigorously enforced its Part 500 cybersecurity regulation. AI governance gained prominence through the CPPA's regulations on automated decision-making technologies (ADMT), the White House's AI Action Plan, and a growing number of state-level laws governing AI usage.

Litigation in 2025 saw an increase in class action and individual lawsuits under the California Invasion of Privacy Act (CIPA) concerning web tracking. Claims centered on whether third-party tracking elements like cookies violated CIPA by collecting and sharing user information. Divergent court rulings underscored the ongoing challenges in interpreting CIPA relative to digital advancements.

In July 2025, the Executive Office of the President launched a comprehensive AI Action Plan to enhance AI innovation, develop AI infrastructure, and lead international AI diplomacy and security. The plan advocates for strengthening cybersecurity measures for critical infrastructure and promoting secure AI technologies.

January 2025 saw the introduction of the New York AI Act aimed at regulating algorithmic discrimination and bolstering consumer rights related to automated decision-making. The act requires independent audits of high-risk AI systems and proposes enforcement measures, including financial penalties. The legislative process continues as the bill progresses through committee reviews.

Amendments to the SEC's Regulation S-P took effect in December 2025, requiring that larger entities establish detailed incident response plans and improve customer breach notification protocols. Compliance requirements also cover service provider oversight and expanded recordkeeping, with full compliance due by June 3, 2026, for the affected entities.

The CPPA updated regulations in September 2025, requiring annual cybersecurity audits and risk assessments for specific data processing operations, including targeted advertisements and sensitive data management. These new measures, set to be implemented from January 2026 through 2028, aim to enhance consumer rights regarding ADMT and foster transparency in decision-making processes.

Texas enacted the Texas Responsible Artificial Intelligence Governance Act (TRAIGA) in June 2025, defining AI systems broadly and setting consumer protection standards. The act formed the Texas AI Council to tackle innovation barriers and guide legislative initiatives, with enforcement authority delegated to the Texas attorney general.

The DFS issued several consent orders throughout 2025 related to cybersecurity violations, including substantial penalties for PayPal Inc. and Healthplex Inc. Additionally, in October 2025, DFS secured $19 million in penalties from eight auto insurance companies for insufficient cybersecurity controls.

The Federal Trade Commission (FTC) concluded a case against GoDaddy Inc. in May 2025, following allegations that the company misrepresented its security practices, which led to data breaches. The settlement mandates implementation of a robust information security program and external audits.

In November 2025, the SEC dismissed a case against SolarWinds Corporation and its chief information security officer involving allegations of misleading cybersecurity disclosures. The dismissal, without explanation, highlights the complexities surrounding liability in cybersecurity risk communications.