Multijurisdictional enforcement actions signal tougher oversight of insurer cyber controls and breach reporting
By [Staff Writer]
NEW YORK — Who: state and federal regulators, international supervisors and attorneys general; What: a wave of enforcement actions, settlements and new reporting rules targeting insurers’ cybersecurity controls and breach disclosures; When: actions and rulemakings from 2023 through 2025 and continuing into 2026; Where: United States, the European Union and other advanced jurisdictions; Why: regulators say insurers’ failures to secure online quoting tools, agent portals and third‑party integrations have exposed consumers’ nonpublic personal information and amplified fraud and stability risks. The result: larger fines, mandated remediation, and an expanding set of reporting obligations that together mark a tougher regulatory posture toward insurers’ cyber risk management. (dfs.ny.gov)
Summary
Regulators from New York’s attorney general and the New York Department of Financial Services (DFS) to federal agencies and European supervisors have intensified scrutiny of insurance companies’ cyber defenses and breach‑reporting practices. Recent high‑profile settlements and enforcement actions — including multi‑million‑dollar fines tied to weaknesses in online quoting tools and agent portals — are being coupled with federal disclosure requirements for public companies and new EU rules on operational resilience. Industry executives and counsel say the combined effect is to shift cybersecurity from a largely technical, IT‑led function to a regulatory, board‑level priority, with significant compliance costs and legal risk for insurers that fail to act. (dfs.ny.gov)
The immediate catalyst: quoting tools, agent portals and stolen driver’s‑license numbers
Since late 2024 regulators have publicly identified a recurring pattern: threat actors exploited so‑called “pre‑fill” functions and unsecured agent quoting portals to harvest driver’s‑license numbers, dates of birth and other identifiers from multiple U.S. auto insurers. Those data were in some cases later used to file fraudulent unemployment claims, amplifying both consumer harm and regulatory attention. On Nov. 25, 2024, New York Attorney General Letitia James and DFS Superintendent Adrienne A. Harris announced settlements with GEICO and Travelers that together required $11.3 million in penalties and mandated remediation such as comprehensive cybersecurity programs, stronger authentication and improved logging and monitoring. The DFS noted the incidents were part of an industry‑wide campaign. (ag.ny.gov)
New York’s enforcement drive continued in 2025. The attorney general’s office secured a $975,000 settlement with Root on March 20, 2025 for similar failures affecting roughly 45,000 New Yorkers, and later pursued additional settlements and lawsuits against multiple car insurers that added millions more in penalties. In October 2025 the office announced $14.2 million in settlements with eight car insurers arising from related attacks that affected more than 825,000 New Yorkers. Those agreements included civil penalties and legally binding commitments to remediate cybersecurity gaps. (databreaches.net)
“Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously,” Attorney General James said in announcing the 2024 DFS/AG settlements. DFS Superintendent Adrienne Harris said the state’s cybersecurity rules provide a “vital foundation” for protecting consumer data and that enforcement will continue. (dfs.ny.gov)
A shifting regulatory architecture: federal, state and transatlantic levers
The enforcement push against insurers is coming as multiple regulatory levers — federal disclosure rules, impending federal incident reporting, and new EU operational‑resilience regulation — converge.
- SEC disclosure rule. In July 2023 the U.S. Securities and Exchange Commission adopted final rules requiring public companies to disclose material cybersecurity incidents on Form 8‑K within four business days of determining materiality, and to include annual disclosures on cybersecurity risk management and governance in Form 10‑K filings. SEC officials framed the move as a transparency reform for investors; the rule has added urgency for insurers that are SEC registrants to formalize materiality decision processes and faster disclosure flows. (sidley.com)
- CISA / CIRCIA. At the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) is implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The CISA proposed rule would require covered critical‑infrastructure entities to report “substantial cyber incidents” within 72 hours and ransom payments within 24 hours; the notice of proposed rulemaking (NPRM) was published March 27, 2024, and the final rule is expected by late 2025 with implementation beginning in 2026. Insurers that meet the CIRCIA definition of covered entities (many in the financial sector will) could therefore have a parallel federal reporting duty in addition to SEC and state notice rules. (congress.gov)
- European DORA. In the EU, the Digital Operational Resilience Act (DORA) entered into application on Jan. 17, 2025 and establishes harmonized ICT‑risk management, third‑party oversight, testing and incident reporting requirements for banks, insurers and other financial firms. DORA imposes an EU‑wide incident reporting template and timelines and gives supervisors new tools to oversee critical third‑party ICT providers. EIOPA and national supervisors have been active in issuing implementing standards and guidance. For multinational insurers operating in the EU, DORA marks a major uplift in cross‑border regulatory expectations. (eiopa.europa.eu)
Together these developments create overlapping and sometimes divergent obligations: rapid public reporting to the SEC for U.S. public insurers, potential CISA reporting for covered entities, state AG and insurance‑regulator enforcement for consumer harms, and EU‑wide incident templates and third‑party oversight under DORA. Industry counsel say harmonizing internal processes across these regimes — within tight timeframes and without revealing sensitive remediation plans to attackers — is one of the sector’s most difficult compliance challenges. (sidley.com)
Enforcement tactics and remedies: fines, consent orders and mandated programmatic fixes
Regulators are deploying a mix of civil penalties, consent orders and prescriptive remediation obligations. New York’s settlements are illustrative: the GEICO/Travelers consent orders imposed monetary penalties (GEICO $9.75 million; Travelers $1.55 million), required penetration testing and comprehensive risk assessments, demanded data inventories and logging/monitoring upgrades, and imposed specific authentication controls. The NYDFS told industry that since adopting its Cybersecurity Regulation it has entered consent orders with a growing number of entities and imposed more than $100 million in fines. (dfs.ny.gov)
Across the Atlantic, DORA’s toolkit prioritizes incident reporting, threat‑led testing, and tighter contractual controls over cloud and third‑party providers; EIOPA has withdrawn prior overlapping national guidelines in favor of the DORA framework to avoid duplication. UK supervisors — the Prudential Regulation Authority and Financial Conduct Authority — have also emphasized operational resilience and third‑party governance through programmes such as CBEST and thematic reviews. Regulators say these programmatic obligations drive deeper operational change than one‑off fines because they require board‑level oversight, governance changes and continuous testing. (eiopa.europa.eu)
Why insurers are in regulators’ crosshairs
Regulators and enforcement agencies point to several recurring failings:
- Inadequate authentication and access controls on agent portals and quoting tools, including lack of multifactor authentication (MFA), allowing compromised credentials to be used to extract large volumes of personally identifiable information (PII). (dfs.ny.gov)
- Failures to inventory and protect sensitive data stored in ancillary systems and PDFs generated by quoting workflows, creating “shadow” data that evades oversight and encryption. (dfs.ny.gov)
- Slow detection and reporting. Investigations found some intrusions went undetected for months, while other firms delayed notification — failures that heightened both consumer harm and regulatory sanction risk. (dfs.ny.gov)
- Third‑party and supply‑chain risks. Many insurers rely on data‑prefill services, cloud vendors and agent‑facing platforms. When those suppliers are compromised, insurers can be vulnerable even with mature perimeter controls. DORA and PRA guidance place special emphasis on contractual clauses, testing and oversight of third‑party ICT providers. (eiopa.europa.eu)
Cost and risk: why enforcement matters to insurers’ bottom lines
The financial calculus is stark. The IBM Cost of a Data Breach Report 2024 found the global average cost of a breach rose to $4.88 million, with averages higher still in the United States and in the financial services sector, which IBM’s 2024 data placed among the more costly industries. Beyond direct remediation costs, insurers face regulatory fines, legal exposure from class actions, the cost of customer notification and credit monitoring, and potential increases in cyber‑insurance premiums and lost business. (prnewswire.com)
An immediate compliance burden is the need to “prove” programmatic robustness to supervisors. Consent orders typically require third‑party audits, penetration testing, implementation of MFA, logging and monitoring systems tuned to detect automated probing, and board‑level reporting. For many insurers — particularly midsized carriers with legacy platforms and thin cybersecurity headcount — meeting those technical and documentation obligations is expensive and time consuming. (dfs.ny.gov)
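Added example, not code from the article or from any insurer named in it: detection logic of the kind the consent orders call for, run over quoting-portal access logs to surface the automated pre-fill probing described in the failings list above (many lookups, many distinct applicants, one source, short window). The JSON log format, the endpoint path, the field names and the thresholds are assumptions, and the sample log lines are constructed.

```python
import json
from collections import deque, defaultdict

PREFILL_PATH = "/quote/prefill"   # hypothetical endpoint name (assumption)
WINDOW_SECONDS = 600               # sliding window; thresholds below are assumed, tune per site
MAX_HITS = 20                      # pre-fill responses per source inside one window
MAX_SUBJECTS = 10                  # distinct applicants looked up per source inside one window


def build_sample_log():
    """Constructed access log, one JSON object per line (not real data).
    'subject' is a pseudonymous key for the applicant queried; 'prefilled'
    is True when the response returned a pre-filled driver's-licence number."""
    lines = []
    for i in range(4):   # a legitimate agent: a few quotes for two customers over an hour
        lines.append(json.dumps({"ts": 1700000000 + i * 900, "src_ip": "198.51.100.7",
                                 "path": PREFILL_PATH, "subject": f"cust{i % 2}", "prefilled": True}))
    for i in range(30):  # an automated harvester: 30 different applicants in five minutes
        lines.append(json.dumps({"ts": 1700000000 + i * 10, "src_ip": "203.0.113.5",
                                 "path": PREFILL_PATH, "subject": f"app{i}", "prefilled": True}))
    lines.append(json.dumps({"ts": 1700000050, "src_ip": "203.0.113.5",   # unrelated hit, ignored
                             "path": "/static/logo.png", "subject": None, "prefilled": False}))
    return "\n".join(lines)


def find_prefill_abuse(log_text, window=WINDOW_SECONDS, max_hits=MAX_HITS, max_subjects=MAX_SUBJECTS):
    """Return {src_ip: (peak_hits, peak_distinct_subjects)} for every source whose
    successful pre-fill lookups exceed either threshold inside some sliding window."""
    events = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        rec = json.loads(line)
        if rec.get("path") == PREFILL_PATH and rec.get("prefilled"):
            events[rec["src_ip"]].append((rec["ts"], rec["subject"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        recent = deque()           # lookups whose timestamp lies inside the current window
        peak_hits = peak_subjects = 0
        for ts, subject in evs:
            recent.append((ts, subject))
            while recent[0][0] < ts - window:
                recent.popleft()
            peak_hits = max(peak_hits, len(recent))
            peak_subjects = max(peak_subjects, len({s for _, s in recent}))
        if peak_hits > max_hits or peak_subjects > max_subjects:
            flagged[ip] = (peak_hits, peak_subjects)
    return flagged


if __name__ == "__main__":
    for ip, (hits, subjects) in find_prefill_abuse(build_sample_log()).items():
        print(f"ALERT {ip}: {hits} pre-fill hits for {subjects} applicants within {WINDOW_SECONDS}s")
```

The distinct-applicant count matters as much as the raw rate: a busy agency can legitimately generate many quotes for a few customers, whereas a harvester touches a new identity on nearly every request.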
Industry posture and reactions
Insurer statements accompanying settlements typically say they have remediated vulnerabilities and will cooperate with regulators. In coverage of the GEICO/Travelers settlements, company spokespeople told reporters they had taken steps to improve authentication and agent‑portal security. Industry groups and trade associations acknowledge the need for stronger controls but have frequently urged harmonization of reporting requirements and careful calibration to avoid disclosure that could aid attackers. (forbes.com)
In the EU, insurers and trade bodies have pressed for clarity on implementing DORA’s technical standards and for transitional arrangements on contractual obligations with cloud and other ICT providers. “German insurers have swiftly adapted their processes to align with the known provisions. However, optimal implementation requires resolving outstanding issues, such as contract design with IT service providers,” Jörg Asmussen, CEO of the German Insurance Association (GDV), said in January 2025. Supervisors and industry are continuing dialogue over detailed technical rules. (gdv.de)
Multijurisdictional enforcement: coordination, complexity and precedent
What makes the recent episode notable is the multijurisdictional character of enforcement: state attorney general investigations often involve parallel supervisory reviews by state insurance regulators (or DFS in New York), while federal agencies set reporting expectations for public companies (SEC) and CISA prepares to impose additional incident reporting for covered critical infrastructure. In Europe, DORA creates cross‑border supervisory mechanisms and harmonized incident reporting templates.
That multiplicity means insurers may face simultaneous demands: prompt public disclosure under SEC rules, parallel questions from state attorneys general about consumer harms, potential administrative subpoenas or notices from CISA, and European incident reports and third‑party oversight obligations for EEA operations. Regulators have signaled willingness to pursue both fines and programmatic fixes; multistate cooperation in past privacy and consumer cases suggests coordinated, transatlantic work is now likely in major incidents. (cooley.com)
Legal and governance consequences
Enforcement activity has legal ripple effects. Consent orders and findings of regulatory noncompliance are used in private‑party litigation and class actions alleging negligence and consumer harm. The SEC’s disclosure regime raises the risk that public companies and their officers could face securities enforcement for inadequate disclosures about material cyber risks or incidents. At the corporate‑governance level, regulators are increasingly asking whether boards receive adequate reporting and whether senior executives — including CISOs and CROs — have sufficient authority and resources. (sidley.com)
What insurers are doing — and still need to do
Insurers across markets report steps to harden online quoting systems, apply MFA to agent portals, inventory sensitive data, implement logging and monitoring, and run tabletop exercises and threat‑led penetration testing. Many are also expanding cyber incident playbooks so that materiality determinations and disclosure triggers can be made “without unreasonable delay,” as required under SEC rules. Industry counsel also advise preserving certain investigative details from public disclosure where possible, balancing regulatory transparency mandates with the operational imperative not to supply a road map to attackers. (dfs.ny.gov)
But several challenges persist:
- Legacy systems and bespoke agent tools that predate modern security architectures are difficult and costly to harden.
- Supply‑chain and third‑party risk management remains uneven, especially where insurers rely on numerous small vendors for data prefill or lead generation.
- Smaller insurers and MGAs (managing general agents) may lack the budgets and talent to meet heightened reporting and testing obligations without pooling services or partnerships. (eiopa.europa.eu)
Looking ahead: enforcement posture and industry implications
Regulators show few signs of dialing back enforcement. The convergence of state investigations and consent orders, SEC disclosure requirements, impending CISA reporting rules and the EU’s DORA regime creates a new normal: faster reporting, deeper supervisory expectations and programmatic remediation obligations. Regulators have signaled that fines will be accompanied by requirements that change how insurers design, test and govern technology. “These enforcement actions reinforce the department’s commitment to ensuring that all licensees … uphold their duty to implement robust measures that shield New Yorkers from potential data breaches and cyber threats,” Superintendent Adrienne Harris said in November 2024. (dfs.ny.gov)
For policyholders and consumers the upshot is mixed. Stronger controls and tougher supervision should reduce the likelihood and impact of identity theft and fraud, but insurers also face rising compliance costs that may be reflected in operating expenses and, in some lines, pricing. For boards and senior management, cyber risk is now clearly a regulatory and reputational risk equivalent to underwriting, capital and liquidity oversight. (prnewswire.com)
Conclusion
Enforcement actions across states and continents — coupled with new disclosure and reporting mandates — are reshaping insurers’ duties on cybersecurity. Regulators’ recent settlements and consent orders show they will not treat data security lapses as mere technical failures; they are enforcement matters that invite civil penalties, mandated remediation and sustained supervisory oversight. For insurers, the imperative is clear: accelerate investments in authentication, data inventory and logging, bolster third‑party governance, and institutionalize rapid, well‑documented materiality and reporting processes that can satisfy simultaneous state, federal and international obligations. Those that fail to do so risk both regulatory sanction and the financial, legal and reputational costs that follow a serious breach. (dfs.ny.gov)
Sources and selected reporting
- New York State Office of the Attorney General press releases (GEICO/Travelers settlement Nov. 25, 2024; Root settlement March 20, 2025; settlements with eight car insurers Oct. 14, 2025). (ag.ny.gov)
- New York State Department of Financial Services press release, Nov. 25, 2024. (dfs.ny.gov)
- SEC final rule on cybersecurity disclosures (Commission adoption, July 26, 2023) and related staff commentary. (sidley.com)
- Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) NPRM and analysis; CISA rulemaking timeline and requirements. (congress.gov)
- European Digital Operational Resilience Act (DORA) materials and EIOPA guidance; DORA application Jan. 17, 2025. (eiopa.europa.eu)
- IBM, “Cost of a Data Breach Report 2024,” key findings on breach costs and sector impacts. (prnewswire.com)
(Reporting contributed from regulatory filings, supervisory press releases and public commentaries by the European Supervisory Authorities, the U.S. SEC, CISA and industry analysts.)