New York Fines Auto Insurers Over $19M for Cybersecurity Violations
When Cyber Controls Fail: What the Recent NYDFS Penalties Teach Us
Last year, New York’s Department of Financial Services (DFS) slapped eight auto insurers with more than $19 million in penalties. The reason? Weak cybersecurity on consumer-facing quoting platforms, which allowed hackers to pull sensitive personal data like driver’s license numbers and birthdates.
The insurers hit included big names—Farmers Insurance Exchange, Hartford Fire Insurance, Liberty Mutual, and others. Penalties ranged from about $1.85 million to $3 million per company.
What lessons should the insurance sector take from this enforcement sweep? What behaviors or gaps are regulatory bodies watching most closely? Let’s unpack what went on, how it relates to your world, and how insurers can guard against becoming the next headline.
“These enforcement actions reinforce the Department’s commitment to ensuring that all licensees … uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats.”
— Superintendent Adrienne A. Harris, NYDFS
What Went Wrong: Common Failures the Regulator Flagged
To understand how to avoid similar pitfalls, it’s useful to look at the specific missteps the DFS found:
- Weak or absent risk assessments and penetration tests. Some insurers hadn’t done full-scope, up-to-date risk scanning or red-team testing covering all the systems that handle nonpublic consumer data.
- Excessive data exposure in responses. In some cases, API or quoting endpoints would return full driver’s-license numbers or other personal data in clear text—even for queries made via public-facing interfaces.
- Delayed incident reporting. Insurers like Farmers and Infinity were cited for missing the regulatory window to notify the regulator once an incident was detected.
- Poor access controls. Use of shared credentials (especially for agent tools), lack of multifactor authentication, and overly broad privileges made it easier for attackers to escalate access.
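As an added illustration of the “excessive data exposure” item above (this is not code from the DFS findings or from any insurer), here is a hypothetical quoting endpoint that echoes prefill data back in clear text, beside a redacting version and a small egress check a team can run in CI so the regression never reaches a public interface. Field names and sample values are constructed.

```python
import json

# Constructed sample: a quote-prefill record as a hypothetical quoting
# backend might hold it (values are made up, not real data).
PREFILL_RECORD = {
    "quote_id": "Q-0001",
    "first_name": "Jane",
    "last_name": "Doe",
    "date_of_birth": "1985-04-12",
    "driver_license_number": "D1234567",
    "vehicle": {"year": 2019, "make": "Example", "model": "Sedan"},
}

# Nonpublic information that must never leave the server in full
# through a consumer-facing endpoint.
NPI_FIELDS = {"driver_license_number", "date_of_birth"}


def mask_driver_license(dl: str) -> str:
    """Keep only the last two characters, enough for the user to confirm prefill."""
    if len(dl) <= 2:
        return "*" * len(dl)
    return "*" * (len(dl) - 2) + dl[-2:]


def mask_dob(dob: str) -> str:
    """Return only the birth year (YYYY-MM-DD input); month and day stay server-side."""
    return dob[:4] + "-**-**"


def unsafe_quote_response(record: dict) -> str:
    """The failure mode the regulator flagged: NPI serialized verbatim."""
    return json.dumps(record)


def safe_quote_response(record: dict) -> str:
    """Hardened form: redact NPI before serializing, keep everything else."""
    out = dict(record)
    out["driver_license_number"] = mask_driver_license(record["driver_license_number"])
    out["date_of_birth"] = mask_dob(record["date_of_birth"])
    return json.dumps(out)


def leaks_npi(response_body: str, record: dict) -> list:
    """Egress check: names of NPI fields whose full value still appears in the body."""
    return sorted(f for f in NPI_FIELDS if str(record[f]) in response_body)
```

Wiring `leaks_npi` into the endpoint’s test suite turns the regulator’s finding into a failing build rather than a breach notification.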
These are not “niche tech problems”; they are systemic control failures. DFS has made clear that insurers must bake controls and governance into their operations—this is no longer optional.
Broader Context: New York’s Regime and Why It Matters Beyond the State
You might ask: “We aren’t headquartered in New York—why should we care?” There are several good reasons:
- NYDFS’s rules are influential. New York’s cybersecurity regulation (23 NYCRR Part 500) has long served as a model for other states’ data security laws and is broadly consistent with the NAIC’s Insurance Data Security Model Law.
- Regulatory drift and adoption. As states adopt or update their cyber/data laws, they tend to look at how NY enforces Part 500. The lessons from these fines often port over.
- Amendments are coming. NYDFS has recently rolled out amendments that impose stricter requirements (for example, requiring MFA by November 2025, and tighter controls around access reviews and asset inventories).
- Cyber risk spans geographies. A breach in one jurisdiction can cascade reputationally, financially, and via class actions across states.
Indeed, even insurers outside New York should take these actions as industry signals of how regulators tighten their expectations over time.
“If your public-facing systems give away too much or your incident reporting is late, regulators won’t treat that as a ‘tech glitch’ — they’ll treat it as compliance failure.”
— (Hypothetical industry CISO, paraphrased)
What Insurers Should Do: A Practical Roadmap to Hardening Cyber Posture
Below is a high-level checklist insurers may adopt (or recheck) to raise their guard:
- Conduct periodic, full-scope risk assessments and penetration testing (including all systems handling PII or NPI)
- Build and maintain a detailed asset inventory of all information systems and track key metadata (owner, data sensitivity, location)
- Segregate access privileges, enforce least privilege principles, require MFA for all sensitive systems
- Encrypt data in transit and at rest wherever feasible
- Monitor and log anomalous behavior proactively; set up alerting and response capability
- Formalize incident response plans and test them periodically
- Train employees and third parties on cyber hygiene, data handling, and early detection
- Ensure timely internal and regulatory reporting once any breach or unauthorized access is suspected
This is not an exhaustive list, but it captures many of the regulatory “lines in the sand.” Focusing effort in these areas can significantly reduce the odds of regulatory penalty.
Why This Matters Strategically
These enforcement actions underscore what we’ve long known: the biggest exposures in modern insurance now include cybersecurity and regulatory compliance.
- Financial risk. The fines are serious—and that’s separate from remediation costs, litigation, and customer fallout.
- Reputational risk. Consumers trust insurers to safeguard their most sensitive data. A public breach erodes that trust instantly.
- Regulatory momentum. Regulators are upping the ante, especially as threats evolve. Compliance minima today may look lax tomorrow.
- Competitive differentiation. As cyber risk becomes a board-level topic, insurers with strong cyber maturity may win favor from enterprise clients, reinsurers, or capital providers.
If your organization is not actively assessing its gaps relative to what NYDFS is penalizing, now is the time to begin. Use these cases as a reality check.
In the end, cybersecurity isn’t just a tech issue—it is a strategic resilience issue. In a world of intensifying attacks and evolving regulation, insurers that treat cyber and compliance as central to operations will better survive and lead.