New York fines eight auto insurers $19 million over cybersecurity violations

Published on October 22, 2025

New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris has collected more than $19 million in penalties for the state from eight auto insurance companies that violated DFS’s cybersecurity regulation, according to a DFS press release.

“Inadequate cybersecurity controls allowed hackers to steal New Yorkers’ personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications,” the release states. “The department’s investigations into these data breaches remain ongoing.”

Harris added, “DFS’s first-in-the-nation cybersecurity framework has become a model for safeguarding the integrity of our financial system and the personal information of millions of New Yorkers. Today’s actions demonstrate the department’s unwavering commitment to holding institutions accountable when they fail to meet these robust standards, and to ensuring that consumers remain protected from data breaches and other cyber risks.”

Eight insurance companies will pay the following civil monetary penalties to the state:

The DFS investigation concluded that the auto insurance companies didn’t comply with DFS’s cybersecurity regulation, which requires the implementation of policies, procedures, and controls to protect consumer data and the information systems of the financial institutions themselves.

As a result, threat actors were able to access consumer nonpublic information (NPI) stored on and accessible through their information systems, including driver’s license numbers, via public-facing web applications and agent portals that the insurance companies used to provide automobile insurance quotes to prospective customers, the release says. DFS alerted all regulated entities of the attacks in two industry letters, dated February 16, 2021, and March 30, 2021.

DFS also found that Farmers and Infinity failed to report their respective cybersecurity events promptly, noting that the notice requirement is “a critical safeguard that enables the department to carry out its responsibility to protect consumers.”

As part of the settlements, the companies have agreed to undertake remedial measures, including a comprehensive review of the accessibility of consumer NPI stored on their information systems.

Under Harris, DFS has entered into consent orders with 27 entities for cybersecurity regulation violations, resulting in fines of over $144 million, according to the release. Harris announced in September that she would leave her role. Effective Oct. 18, DFS is run by Kaitlin Asrow, whom Gov. Kathy Hochul appointed to serve as acting superintendent.

On Tuesday, Asrow issued new cybersecurity guidance to address the risks associated with entities becoming increasingly reliant on third-party service providers (TPSPs), according to a DFS press release.

“While third-party service providers have driven innovation and enabled significant efficiencies in our financial system, regulated entities are still ultimately accountable for protecting consumers and managing risk,” said Asrow in the release. “To ensure the safe and secure operation of financial services and the protection of nonpublic information, entities must establish and maintain appropriate internal risk management controls when using third-party service providers.”

DFS says the guidance doesn’t impose new requirements or obligations on DFS-regulated entities. Instead, it’s intended to clarify regulatory requirements under DFS’s cybersecurity regulation and share best practices that entities should consider implementing, the release states.

In an industry letter to the executives and information security personnel at all entities regulated by the New York DFS, the department states that exposure to threats will continue to grow as entities increase their reliance on technologies managed by TPSPs, such as cloud computing, file transfer systems, artificial intelligence, and fintech solutions.

“The growing scale and complexity of cyber risks posed by TPSPs demand a proactive, risk-based, and continuously adaptive approach to third-party governance,” the letter states. “Senior governing bodies and senior officers must engage actively in cybersecurity risk management, including the oversight of TPSP-related risks.

“Unless a covered entity qualifies for an applicable exemption, senior governing bodies must have a sufficient understanding of cybersecurity-related matters to exercise appropriate oversight, which includes the ability to provide a credible challenge to management’s cybersecurity-related decisions to ensure that those decisions align with the entity’s overall risk posture and resiliency objectives. The cybersecurity regulation (Part 500) also requires a senior officer or the senior governing body to review and approve the covered entity’s cybersecurity policies and procedures at least annually.”

In March, New York Attorney General Letitia James filed a lawsuit against National General and Allstate Insurance Co. for failing to protect New Yorkers’ personal information from cyberattacks.

National General, an Allstate company, suffered two back-to-back data breaches, which exposed personal information in 2020 and 2021, according to the Office of the Attorney General (OAG). It says the breach exposed the driver’s license numbers of more than 165,000 New Yorkers.

Allstate released a statement in response to the suit.

“We resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed driver’s license numbers,” Allstate’s statement says. “We promptly notified regulators, contacted potentially affected consumers and offered free credit monitoring as a precaution.”

In November 2024, the OAG and DFS also fined GEICO and Travelers Indemnity Co. $11.3 million for poor data security, which compromised the personal information of more than 130,000 New Yorkers, according to a press release.
