Home - Article

Featured Article

October 15, 2025

New York Fines Auto Insurers $19 Million for Cybersecurity Failures


Key Takeaways:

  • The New York Department of Financial Services (DFS) fined eight auto insurance companies over $19 million for cybersecurity lapses that exposed sensitive consumer data.
  • Superintendent Adrienne A. Harris said the penalties reaffirm DFS’s leadership in enforcing its pioneering cybersecurity regulation.
  • The enforcement underscores New York’s ongoing effort to strengthen cyber protections across industries, aligning with recent actions by the state and federal authorities.
  • DFS found multiple companies failed to secure personal data and report breaches promptly, violating state cybersecurity rules.
  • The case follows broader initiatives in New York to modernize its cyber laws and hold institutions accountable for protecting consumers.

The New York Department of Financial Services has announced a series of penalties totaling more than $19 million against eight auto insurance companies, citing cybersecurity deficiencies that allowed hackers to steal personal information from New Yorkers seeking online insurance quotes. The DFS investigation determined that these companies failed to meet the standards outlined in the state’s cybersecurity regulation, exposing sensitive data such as driver’s license numbers and dates of birth.

Superintendent Adrienne A. Harris said in a statement that “DFS’s first-in-the-nation cybersecurity framework has become a model for safeguarding the integrity of our financial system and the personal information of millions of New Yorkers.” She added that the department remains “committed to holding institutions accountable when they fail to meet these robust standards.”

The companies fined include Farmers Insurance Exchange ($2.775 million), Hagerty Insurance Agency ($1.85 million), Hartford Fire Insurance ($3 million), Infinity Insurance ($2.25 million), Liberty Mutual ($2.7 million), Metromile Insurance ($2.05 million), Midvale Indemnity ($2 million), and State Automobile Mutual ($2.5 million). The DFS and the Office of the New York State Attorney General conducted a coordinated investigation, which remains ongoing.

Strengthening Cyber Enforcement

The DFS investigation found that the companies did not adequately protect consumer data on web applications and agent portals used for generating insurance quotes. These vulnerabilities enabled unauthorized access to nonpublic information. In some cases, companies also failed to report the incidents in a timely manner—a key requirement under the state’s cybersecurity framework that allows regulators to assess risks and protect consumers more effectively.

Each insurer has agreed to take corrective measures, including a comprehensive review of their systems and how consumer data is stored and accessed. The DFS emphasized that such remedial steps are crucial for reducing the risk of future incidents and restoring consumer confidence.

Under Superintendent Harris, the DFS has entered into consent orders with 27 entities for cybersecurity violations, resulting in more than $144 million in penalties. The department’s cybersecurity regulation, first enacted in 2017 and updated in 2023, continues to shape both state and federal cyber governance. It has influenced frameworks developed by agencies including the Federal Trade Commission, the National Association of Insurance Commissioners, and the Conference of State Bank Supervisors.

Broader Context: New York’s Expanding Cyber Crackdown

This latest enforcement action fits into a broader effort by New York officials to tighten cybersecurity across sectors. In a recent Apex Technology Services report, New York’s new cybersecurity law was described as a turning point in the state’s cyber strategy, setting higher expectations for compliance and response. Governor Kathy Hochul also signed a landmark bill earlier this year aimed at fortifying cyber defenses across critical infrastructure and financial institutions.

Former New York Attorney General Dennis Vacco argued in another Apex column that New York must “guard its cyber borders” through stronger enforcement and public-private coordination. Vacco, who previously prioritized consumer protection, pointed out that cyberattacks have become a leading threat to both individuals and small businesses.

The DFS’s latest announcement follows a trend of heightened scrutiny from both state and federal agencies. Earlier this year, the New York Attorney General’s office filed suit against the operator of Zelle, alleging failure to safeguard consumers from fraud. In another example, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI jointly warned about an escalation in ransomware campaigns targeting interlock systems used by government agencies and private firms.

Together, these developments point to an aggressive, coordinated cybersecurity agenda designed to protect New York residents and institutions from evolving digital threats.

Implications for the Financial and Insurance Sectors

For financial and insurance companies operating in New York, the DFS action reinforces that cybersecurity is no longer a back-office compliance issue—it is central to business operations and reputation management. Regulators are signaling that any lapses in data protection or breach reporting will carry substantial financial and regulatory consequences.

The DFS’s approach is also influencing other states and even federal agencies, which are increasingly adopting New York’s standards as a baseline for their own cybersecurity frameworks. This ripple effect could lead to greater uniformity in compliance expectations nationwide, though smaller institutions may find the heightened requirements challenging to meet without significant investment in IT infrastructure and expertise.

Looking Ahead

Cybersecurity in the financial and insurance industries continues to evolve amid rising digital risks and regulatory expectations. The DFS’s latest enforcement action underscores that proactive compliance—rather than reactive response—will define successful risk management going forward. Companies that fail to invest in strong cyber defenses may not only face fines but also reputational harm that can be difficult to recover from.

New York’s stance is clear: cybersecurity is a public safety issue, not just a corporate responsibility. As Superintendent Harris’s actions demonstrate, the state is committed to setting and enforcing standards that protect consumers and hold organizations accountable.

The role of Apex Technology Services

Given the scale and persistence of these threats, many firms in the region are recognizing the need for specialized guidance. Apex works directly with businesses in the tri-state to help them map vulnerabilities, integrate intelligence into daily operations, and run simulations that prepare leadership teams for real-world scenarios. By combining deep local experience with advanced monitoring and threat intelligence, Apex helps companies stay resilient in one of the world’s most challenging threat environments. Also, consider other top MSPs/IT service providers or even an MSSP to help you stay secure. 






SHARE THIS ARTICLE
Apex Technology Services
Choose from comprehensive, affordable solutions for IT consulting, network services and computer help desk support in Fairfield county including Norwalk, Darien, Stamford, Greenwich, Ridgefield and Bridgeport. Also Westchester county including Rye, New Rochelle, White Plains, Yonkers and New York including Manhattan and the five boroughs.
IT SERVICES

IT SERVICES

Apex Technology Services is a cutting edge MSP offering quality IT support to financial, medical, legal, Fortune 500 and government agencies while adhering to the highest of quality...

LEARN MORE
CYBERSECURITY Services

CYBERSECURITY

Apex Technology Services has the cybersecurity expertise to help your business in a world filled with attackers looking to shut down your business hold it ransom or steal your valuable...

LEARN MORE
CLOUD SERVICES

CLOUD SERVICES

Apex Technology Services delivers a combination of traditional IT functions such as infrastructure as a service (IaaS), applications, software, security, monitoring, storage...

LEARN MORE

Ranked Top 10 Network security Solution Provider

One Stop Shop For All Your Technology Needs


Contact us Now!