Monetary penalties for lax cybersecurity drive emergency compliance programs at major carriers
NEW YORK — Regulators across the United States and Europe are imposing multimillion‑dollar penalties on insurance companies for weak cybersecurity practices, prompting major carriers to launch emergency compliance programs, overhaul vendor controls and accelerate investments in identity protection and breach detection. The enforcement actions — led in recent years by New York’s Department of Financial Services and national data protection authorities in the European Union and Spain — have targeted failures ranging from missing multifactor authentication and inadequate risk assessments to poorly governed third‑party access, and have required immediate remedial measures as part of consent orders and fines. (dfs.ny.gov)
What happened, who is involved and why it matters
- Who: State and national regulators (notably the New York Department of Financial Services and state attorneys general in the U.S., and national data protection authorities in the EU such as Spain’s AEPD) and large insurers, including GEICO, Travelers, Generali España and smaller specialty carriers. (dfs.ny.gov)
- What: Civil penalties and consent orders imposing monetary fines (ranging from hundreds of thousands to millions of euros/dollars), mandatory remedial steps (risk assessments, penetration testing, enhanced logging and multifactor authentication), and ongoing supervision or third‑party audits. (dfs.ny.gov)
- When and where: Enforcement has accelerated since 2021 and continued through 2024 and into 2025, with high‑profile actions announced in New York in late 2024 and major GDPR fines decided in Spain in late 2024. Regulators in other first‑world jurisdictions have taken related actions or signaled tougher oversight. (dfs.ny.gov)
- Why: Regulators say insurers failed to implement basic cybersecurity controls and governance, leaving consumer personal information and nonpublic personal information (NPI) exposed to credential stuffing, phishing and other intrusions. Many enforcement actions cite missing multifactor authentication (MFA), inadequate information inventories and failure to manage third‑party risks. Regulators contend the failures create consumer harm and systemic risk for financial services. (dfs.ny.gov)
Inverted‑pyramid summary: the enforcement trend and its consequences
Regulatory enforcement has moved beyond warning letters and guidance into civil penalties and enforceable consent orders that both punish past failures and compel near‑term remediation. In November 2024, New York’s attorney general and DFS jointly secured $11.3 million in penalties from GEICO and Travelers after an industry‑wide campaign by hackers exploited quoting tools and agent portals to steal driver’s license numbers and other personally identifiable data; the settlements required the insurers to implement comprehensive security programs, data inventories, strengthened authentication and improved monitoring. “GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information,” New York Attorney General Letitia James said in the DFS announcement. DFS Superintendent Adrienne A. Harris described the department’s cybersecurity regulation as “a vital foundation” for consumer protection. (dfs.ny.gov)
Across the Atlantic, Spain’s data protection authority imposed a €4 million penalty on Generali España for a prolonged breach in 2022 that exposed personal records of former customers; the regulator cited failures to implement adequate technical and organizational measures and to perform required data‑protection impact assessments. That decision — and similar GDPR‑era enforcement in other EU countries — has reinforced the message that insurers operating in Europe face substantial fines and mandatory corrective measures when security controls are insufficient. (brandi.net)
Case studies: how penalties are structured and what regulators have demanded
New York: GEICO and Travelers (Nov. 25, 2024)
The New York state settlements summarized a cluster of attacks on auto‑insurance quoting applications used by agents and consumers during 2020–21. Regulators found GEICO’s agent quoting tool and parts of its public site were not adequately protected, that sensitive fields were left unencrypted, and that GEICO had failed to conduct a comprehensive systems review after industry warnings. GEICO agreed to pay $9.75 million; Travelers agreed to pay $1.55 million. Both carriers were ordered to maintain a robust information security program, develop and maintain data inventories, implement reasonable authentication procedures, and enhance logging, monitoring and incident response. “These enforcement actions reinforce the Department’s commitment to ensuring that all licensees… uphold their duty to implement robust measures,” Superintendent Harris said. (dfs.ny.gov)
Spain: Generali España (decision dated Dec. 10, 2024)
Spain’s AEPD concluded a long‑running investigation into an attack that began in September 2022 and became public in November 2022. The authority found that attackers had used a compromised broker account to extract large volumes of client data; investigators determined Generali had failed to adopt adequate technical and organizational safeguards and omitted a required DPIA (data protection impact assessment). The original administrative sanction was reduced on procedural grounds but remained material: the final sanction imposed €4 million and obligations to complete DPIAs and corrective programs. The decision explicitly cited violations of Articles 5, 25, 32 and 35 of the GDPR (integrity/confidentiality, data‑protection by design and default, security of processing, and data‑protection impact assessment). (brandi.net)
New York: EyeMed Vision Care (Oct. 2022)
A phishing attack that began in June 2020 exposed six years of consumer data in a shared mailbox. NYDFS’s consent order found EyeMed lacked MFA for email accounts, had weak access controls (shared logins and weak passwords), and had not implemented effective data‑retention and disposal policies. The insurer paid $4.5 million and agreed to a series of remedial measures, including comprehensive risk assessments and an action plan to remediate deficiencies; NYDFS commended the insurer’s cooperation but stressed that the failures were fundamental. Legal commentators said the EyeMed case showed the department’s willingness to use civil penalties plus corrective orders to force rapid compliance. (cliffordchance.com)
Historical precedent and enforcement mechanics
NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500), effective in 2017 and amended in late 2023, gives the agency clear authority to require minimum cybersecurity controls, board oversight, reporting and timely breach notification; the regulation is often used as the model for other U.S. state and federal efforts. Under Part 500, regulators may demand third‑party audits, impose civil penalties and require specific technical measures such as MFA, encryption and vulnerability testing. NYDFS says it has entered into multiple consent orders that, taken together, have resulted in tens of millions of dollars in penalties and mandatory remediation across a dozen licensees. (dfs.ny.gov)
In Europe, the GDPR gives national data protection authorities the authority to levy administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher, for serious violations; authorities can also impose corrective measures such as mandatory audits, orders to cease processing, or orders to strengthen technical measures and governance. Several DPAs have used those powers against insurance companies whose breaches revealed systemic deficiencies. (gdprhub.eu)
Common failure modes flagged by regulators
A review of consent orders and DPA decisions shows repeated, avoidable control failures that regulators identify as root causes of breaches:
- Missing or incomplete multifactor authentication on agent portals, administrative accounts and customer forms. Regulators repeatedly name lack of MFA as a central failing that allowed stolen credentials or credential stuffing to succeed. (dfs.ny.gov)
- Inadequate third‑party and vendor governance: insurers continue to rely on third‑party quoting, prefill and broker portals without sufficiently auditing those suppliers or ensuring contractual security controls. Regulators have faulted companies for onboarding vendors without complete risk assessments. (dfs.ny.gov)
- Flawed data inventories, retention and disposal practices: email accounts and legacy data stores have held years of unnecessary information that increased exposure; regulators have ordered insurers to build accurate inventories and to implement retention limits and secure disposal. (cliffordchance.com)
- Weak logging, monitoring and response capabilities; slow detection: in the Travelers case regulators said the intrusion went undetected for months, underscoring deficiencies in logging and detection. (dfs.ny.gov)
- Inadequate risk assessments and DPIAs: European regulators have cited failures to perform or complete DPIAs as violations, especially where processing involves sensitive or large‑scale datasets. (brandi.net)
Regulators’ remedies: fines plus structural fixes
Enforcement is rarely limited to a monetary settlement. Consent orders and DPA decisions typically include a package of required actions:
- Comprehensive cybersecurity risk assessments and penetration testing to be completed and reported to the regulator. (dfs.ny.gov)
- Strengthening authentication (MFA), encryption and access controls, and eliminating shared account credentials. (cliffordchance.com)
- Development and maintenance of a data inventory and data‑minimization protocols; completion of DPIAs where required. (dfs.ny.gov)
- Enhanced logging, monitoring and incident response playbooks; requirements to notify regulators promptly. (dfs.ny.gov)
- Independent third‑party audits and remediation milestones subject to regulatory review. (complianceconcourse.willkie.com)
Why monetary penalties spur emergency compliance programs
Monetary fines are costly, but consent orders’ required remediation often imposes larger near‑term costs: immediate third‑party audits, contractors for remediation, accelerated software and identity controls, and long‑lead hiring for security roles. Legal analyses and consent orders frequently praise cooperation and fast remediation while noting that penalties would likely have been greater without early, visible corrective action — an incentive that drives insurers to launch emergency compliance programs to avoid protracted enforcement or higher sanctions. In EyeMed’s NYDFS consent order, for example, regulators noted the company’s “commitment to remediation” and “significant financial and other resources” devoted to corrective steps. (cliffordchance.com)
Business impact and boardroom consequences
Insurers say the regulatory pressure has altered board agendas and capital planning. Enforcement is driving firms to:
- Create or elevate chief information security officers and cyber risk committees; regulators increasingly expect board‑level attention and evidence of active oversight. (dfs.ny.gov)
- Launch rapid vendor‑risk remediation programs, especially for agent portals and third‑party quoting tools identified in multiple actions. (dfs.ny.gov)
- Accelerate identity controls and penetration testing cycles, and fund dedicated incident‑response and threat‑hunting teams. These costs can be material in the near term: industry surveys and market data show cybersecurity budgets rising across sectors, and insurers are no exception. Analysts note that compliance and remediation work — from DPIAs to logging‑and‑monitoring upgrades — often requires expensive external services and software. (reinsurance.org)
Market signals: insurers, reinsurers and buyers of cyber insurance
Enforcement actions have ripple effects through underwriting and the cyber‑insurance market. Insurers that are subject to enforcement actions may face higher reinsurance costs, increased premiums for cyber coverage and tougher underwriting terms. The market itself has shifted: reinsurers and underwriting platforms are tightening terms, adding exclusions and demanding demonstrable security improvements from insureds. Meanwhile, many corporate buyers of cyber insurance are investing in security controls to qualify for coverage at favorable rates, creating a virtuous (if costly) cycle of remediation. Surveys indicate a majority of companies enhance defenses to secure coverage or better terms; industry discussions also show carriers re‑tooling underwriting guidelines to account for emerging exposures such as AI and supply‑chain risk. (reinsurance.org)
Regulatory convergence and new rules: what’s next
Regulatory frameworks are proliferating. In the U.S., state regulators and the Federal Trade Commission are signaling tougher scrutiny; New York’s Part 500 remains influential as other states consider similar rules. In the EU, the Digital Operational Resilience Act (DORA) — which came into force for many financial entities in early 2025 — extends binding operational‑resilience and ICT‑risk requirements to insurers and other financial firms, overlapping with GDPR responsibilities and prompting coordinated compliance programs across jurisdictions. Collectively, these rules raise the stakes for international insurers that must meet differing but converging expectations for governance, vendor oversight and incident readiness. (dfs.ny.gov)
Voices from the field: regulators, lawyers and compliance officers
“Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously,” New York Attorney General Letitia James said in the state’s GEICO/Travelers announcement. DFS Superintendent Adrienne Harris called the state’s cybersecurity regulation “a vital foundation” for protecting consumer data. Those public statements accompanied detailed consent‑order requirements that compel near‑term technical work and board‑level reporting. (dfs.ny.gov)
Legal and industry observers say the enforcement pattern is deliberate. “NYDFS and DPAs are combining monetary penalties with compliance milestones to force systemic change in a rules‑based manner,” said a partner at a law firm that monitors cybersecurity enforcement (analysis of the EyeMed and GEICO cases by legal observers has noted the same pattern). Commentators point to repeated findings — lack of MFA, weak vendor controls, poor data inventories — as evidence that many insurers have not operationalized basic cyber hygiene across legacy systems and broker networks. (cliffordchance.com)
Practical implications for insurers and policyholders
- For insurers: firms should prioritize an information inventory, enforce MFA and strong access controls across agent and broker portals, accelerate DPIAs where sensitive processing is undertaken, and adopt continuous monitoring and tabletop incident‑response exercises. Regulators increasingly expect documented plans with timelines, third‑party attestations and evidence of board oversight. (dfs.ny.gov)
- For policyholders: better insurer cybersecurity lowers the risk of identity theft and fraud that can affect claims and coverage; consumers should monitor accounts and expect insurers to offer identity‑protection services and clearer breach notifications as part of remediation packages. Regulatory settlements frequently require improved consumer protections and monitoring offers. (dfs.ny.gov)
Limits of enforcement and outstanding questions
Enforcement improves baseline cybersecurity but can also create compliance‑centric, short‑term fixes rather than long‑term resilience. Observers warn of several open questions: Will fines scale to deter large international groups when 4% turnover thresholds under GDPR may be harder to apply to diversified global carriers? Can regulators synchronize cross‑border supervision to avoid regulatory arbitrage? And will increased remediation costs materially affect policy pricing and product design? Analysts also note persistent workforce shortages in cybersecurity talent, complicating insurers’ ability to implement and maintain high‑quality programs quickly. (gdprhub.eu)
Conclusion: enforcement as a forcing function
Regulators in wealthy jurisdictions are treating cybersecurity lapses at insurers as not merely technical failings but as governance and consumer‑protection issues that warrant civil penalties and binding remedial requirements. The combination of monetary fines, consent‑order obligations and supervisory follow‑up has produced a wave of emergency compliance programs at carriers large and small. Those programs — expensive, urgent and often painful — are intended to close widely known gaps (MFA, vendor governance, inventories and DPIAs) that regulators have repeatedly cited. Whether that work produces lasting resilience will depend on insurers’ ability to move from compliance checklists to sustained governance, staffing and investment strategies that match the evolving threat environment. (dfs.ny.gov)
Methodology and sources
This article is based on regulator press releases and consent orders (New York Department of Financial Services; New York Attorney General office), public decisions and summaries from European data‑protection authorities and legal analyses of consent orders and DPA decisions, together with industry reporting and market studies on cyber spending and insurance market responses. Key primary sources include NYDFS’s Nov. 25, 2024 press release and consent orders involving GEICO and Travelers; NYDFS and attorney‑general consent orders and public materials in EyeMed’s enforcement; Spain’s AEPD decision against Generali España (December 2024); and contemporaneous reporting and legal analyses. (dfs.ny.gov)
Selected source citations
- New York Department of Financial Services and New York State Attorney General press release and consent‑order summary (GEICO and Travelers), Nov. 25, 2024. (dfs.ny.gov)
- Clifford Chance analysis and NYDFS consent‑order reporting on the EyeMed Vision Care enforcement, Oct. 2022. (cliffordchance.com)
- Spanish data protection authority decisions and public reporting on Generali España’s €4 million sanction (case documents and AEPD reports, Dec. 10, 2024). (brandi.net)
- Legal summaries of prior NYDFS insurance enforcement actions (Unum/Paul Revere, NYDFS consent orders 2021 and earlier) and practitioner analyses. (paulweiss.com)
- Industry and market analyses on cyber insurance markets, spending trends and underwriting responses. (reinsurance.org)
(Reporting: This article synthesizes regulator announcements, public consent orders and legal commentary; selected primary sources are cited in the text.)