Auto Insurers Hit with $19 Million in Penalties After DFS Cybersecurity Probe

Key Takeaways
  • $19 Million in Penalties: Eight auto insurers, including Farmers, Liberty Mutual, and Hartford, will pay more than $19 million to New York State over cybersecurity failures.
  • DFS Cybersecurity Regulation Violations: The companies failed to implement adequate data protection controls, allowing hackers to access driver’s license numbers and other personal data.
  • Late Breach Reporting: Farmers and Infinity were cited for failing to promptly notify regulators about their cybersecurity incidents.
  • Remedial Measures Required: All insurers must review and strengthen how they store and secure consumer nonpublic information.
Deep Dive

Eight major auto insurance companies have agreed to pay more than $19 million in penalties to New York State following a sweeping cybersecurity investigation by the Department of Financial Services (DFS). The enforcement action, announced Tuesday by Superintendent Adrienne A. Harris, revealed failures in data security controls that exposed the personal information of New Yorkers through online insurance quoting systems.

DFS found that the companies violated the state’s pioneering cybersecurity regulation, which requires financial institutions to implement strong controls and procedures to protect consumer data. Hackers were able to access sensitive nonpublic information (NPI), including driver’s license numbers and dates of birth, via public-facing web applications and agent portals used to provide auto insurance quotes.

The enforcement represents one of the largest collective cybersecurity settlements in the insurance sector since DFS’s landmark regulation took effect in 2017. Farmers Insurance will pay $2.775 million; Hagerty Insurance, $1.85 million; Hartford Fire Insurance, $3 million; Infinity Insurance, $2.25 million; Liberty Mutual Insurance, $2.7 million; Metromile Insurance, $2.05 million; Midvale Indemnity, $2 million; and State Automobile Mutual Insurance, $2.5 million.

Superintendent Harris said the penalties underscore the Department’s “unwavering commitment” to holding institutions accountable. “DFS’s first-in-the-nation cybersecurity framework has become a model for safeguarding the integrity of our financial system and the personal information of millions of New Yorkers,” she said.

DFS and the New York State Attorney General’s Office conducted the coordinated investigation, which remains ongoing. In addition to inadequate cybersecurity measures, DFS found that Farmers and Infinity failed to promptly report their data breaches, an essential notification requirement under the regulation.

As part of the settlements, the insurers must conduct comprehensive reviews of how consumer data is stored and accessed within their systems and take remedial actions to prevent future incidents.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.
