The New York Department of Financial Services hit eight auto insurers and agencies with more than $19 mn in fines after finding inadequate cybersecurity controls that exposed consumer data through online quoting platforms.
DFS said the breaches left personal details, including driver’s license numbers and birth dates, accessible.
The regulator noted that Farmers Insurance Exchange and Infinity Insurance Co. compounded violations by failing to report incidents in a timely manner, undermining consumer safeguards.
The settlements require the companies to adopt remedial measures, including a full review of how consumer data is stored and accessed.
Penalties by company:
- Farmers Insurance Exchange – $2.8 mn
- Hagerty Insurance Agency LLC – $1.9 mn
- Hartford Fire Insurance Co. – $3 mn
- Infinity Insurance Co. – $2.3 mn
- Liberty Mutual Insurance Co. – $2.7 mn
- Metromile Insurance Co. – $2.1 mn
- Midvale Indemnity Co. – $2 mn
- Safe Automobile Mutual Insurance Co. – $2.5 mn
DFS Superintendent Adrienne Harris said the enforcement shows the state’s commitment to accountability under New York’s cybersecurity framework, first enacted in 2017 and updated in 2023. That framework has served as a model for other financial regulators.
DFS’s actions demonstrate the department’s unwavering commitment to holding institutions accountable when they fail to meet these robust standards and to ensuring that consumers remain protected from data breaches and other cyber risks.
Adrienne Harris, DFS Superintendent
Liberty Mutual issued a statement saying it takes data protection seriously and continues to invest in its cybersecurity program. Other companies did not provide comment.
The department added that its investigation into related breaches is ongoing.
According to Aon’s Global Cyber Risk Report, stands alone in its ability to help businesses make better cyber risk decisions thanks to the unique way we have drawn together data and interpretation across critical cyber security controls, cyber events and the cyber insurance market – globally and by region.
Cyber insurance premiums fell by an average of 7% in Q1 2025, marking the tenth consecutive quarter of declines for U.S.-based risks.
Increased market capacity and competition created favorable conditions for buyers, particularly mid-market firms.
Cyber claim frequency rose in 2024, with 1,228 incidents reported among Aon’s U.S. broking clients — a 22% year-over-year increase. Despite this, average ransomware payments dropped 77%, reflecting stronger cyber controls and fewer ransom payments.
Companies with $100 mn to $2 bn in revenue accounted for 52% of cyber claims. Many lacked basic preparedness, such as response plans or full-scope vulnerability scans, leaving them more exposed to business interruption and financial losses.
Ransomware incidents increased 24% compared to 2023, but only 25% of companies paid ransoms — the lowest rate recorded. While average ransom demands grew to $553,959 in Q4 2024, median payments fell by 45% to $110,890.
