Regulators tighten consumer disclosure rules and claims-handling expectations as cybersecurity becomes core supervisory priority

NEW YORK — Regulators across the United States, the European Union and the United Kingdom have stepped up enforcement and tightened supervisory expectations for insurers’ cybersecurity programs, disclosure practices and claims handling, citing a steady stream of high‑profile breaches and the mounting risk that cyber incidents pose to consumers and market stability. The changes, announced and implemented over the past two years, have produced multimillion‑dollar fines, new mandatory reporting requirements and sharper expectations for boards, third‑party oversight and how insurers communicate with policyholders about cyber risks and claim rights. (dfs.ny.gov)

What happened, who acted and why it matters

  • Who: State insurance regulators and attorneys general in the U.S., national and supranational European supervisors (EIOPA and national competent authorities), and U.K. regulators (the Financial Conduct Authority and proposals in Parliament) have been central to the push. Industry standard‑setting at the National Association of Insurance Commissioners (NAIC) and new EU laws such as the Digital Operational Resilience Act (DORA) and the NIS2 directive are also reshaping expectations. (dfs.ny.gov)

  • What: Regulators have tightened consumer disclosure rules, pressed insurers to strengthen cyber governance and vendor controls, and signaled tougher scrutiny of claims‑handling practices — including how and when insurers communicate with policyholders about incidents and payments. Enforcement has included consent orders and civil penalties against insurers accused of failing to secure consumer data. (dfs.ny.gov)

  • When and where: Actions and rule changes escalated through 2023–2025 and remain an active supervisory priority in 2026. Notable enforcement actions — including New York settlements announced Nov. 25, 2024 — and subsequent regulatory amendments have crystallized the new enforcement environment in major insurance markets. (dfs.ny.gov)

  • Why: Regulators say the move is necessary because cyber intrusions continue to expose sensitive personal information, enable downstream fraud, and test insurers’ operational resilience. Supervisors now view cyber risk as a core prudential and consumer‑protection concern that intersects with market conduct, policyholder protection and systemic stability. (dfs.ny.gov)

Enforcement in practice: fines, consent orders and litigation

New York’s regulatory program has become a leading example. On Nov. 25, 2024, the New York State Department of Financial Services (DFS) and the New York attorney general announced settlements that together required GEICO and Travelers to pay $11.3 million after investigations found weaknesses in online quoting tools and agent portals that exposed driver’s license numbers and other personal data for more than 120,000 New Yorkers. The settlements required remediation steps including comprehensive information‑security programs, inventories of private data, stronger authentication and logging, and enhanced incident response. DFS Superintendent Adrienne A. Harris and Attorney General Letitia James were quoted in the joint press release, stressing regulators’ intent to hold licensees accountable for protecting consumers’ nonpublic information. (dfs.ny.gov)

Those settlements are not isolated. Since implementing its cybersecurity rules, DFS has repeatedly used consent orders and civil penalties to enforce standards, and regulators elsewhere have followed suit. New York’s rule set (23 NYCRR Part 500) was amended in late 2023 and has required firms to adopt board‑level governance, accelerate incident reporting timelines and expand controls such as multi‑factor authentication and vulnerability management — changes that were enforced in the ensuing years. DFS says it has entered into multiple consent orders and secured sizable penalties under the strengthened regime. (dfs.ny.gov)

Across the Atlantic, EIOPA and national authorities are embedding cyber into prudential supervision. EIOPA’s 2024 oversight work and its 2025 consultations extended supervisory review processes to include IT and cyber risks and called for closer supervisory convergence on operational resilience and third‑party oversight. At the same time, European laws — notably DORA (applicable to financial entities) and the NIS2 directive (applied to essential/important entities) — created cross‑sectoral incident‑reporting and governance standards that national supervisors are adopting and enforcing, often with fines that can reach into the millions or a percentage of turnover for serious breaches. (eiopa.europa.eu)

In the United Kingdom, a government cyber security and resilience bill under discussion would give regulators broader powers and potentially enable fines up to 4% of annual turnover or £17 million (whichever is greater) for failures to report major cyber attacks within set timeframes or to prepare adequately. The proposal adds to the FCA’s parallel focus on consumer outcomes and claims handling under the Consumer Duty. (ft.com)

Regulatory expectations: disclosure, boards and claims handling

Regulators’ expectations now run well beyond technical controls.

  • Consumer disclosure: Supervisors and consumer advocates want clearer, timely disclosures to policyholders about breaches, what information was exposed, what remediation will be provided (credit monitoring, identity restoration) and how cyber exclusions and coverages apply. The NAIC’s Roadmap for Cybersecurity Consumer Protections and the Insurance Data Security Model Law (Model #668) have long urged clear consumer protections; states continue adopting versions of the model law and issuing guidance that raises disclosure expectations for insurers. (content.naic.org)

  • Board and senior accountability: Regulators demand board‑level oversight and documented reporting from chief information security officers. NYDFS amendments and the EU directives explicitly require senior governance attention and regular reporting by executive management on cyber posture and incidents. Supervisors are increasingly viewing inadequate governance as a supervisory failure in its own right. (dfs.ny.gov)

  • Third‑party and vendor controls: Regulators stress that insurers remain responsible for vendor security even when functions are outsourced. DORA, NIS2 and national guidance require enhanced due diligence, contractual controls and, in some jurisdictions, new registration or oversight regimes for critical third‑party providers. EIOPA has urged supervisors to incorporate third‑party and ICT‑provider risks into the supervisory review process. (openkritis.de)

  • Claims handling and consumer outcomes: U.K. supervisors have explicitly linked cyber risk and consumer protection to claims handling. The FCA’s July 2025 review of home and travel insurers’ claims‑handling arrangements highlighted weak oversight of outsourced claims operations, poor management information and communication lapses that leave consumers uninformed and sometimes disadvantaged. The FCA told reviewed firms it expected improvements and warned more supervisory action could follow. Consumer groups have petitioned the FCA for tougher enforcement. Regulators in other jurisdictions have likewise signaled that claims handling will be a feature of supervisory work. (which.co.uk)

Regulatory tools being used

Supervisors are combining traditional enforcement (consent orders, fines, injunctions) with market conduct reviews, thematic examinations, and public “naming and shaming” of poor practices. In some settlements, regulators specify remedial steps, independent monitoring, and prohibitions on using insurance proceeds to cover penalties or claims related to regulator‑imposed fines (language that has appeared in some U.S. consent orders). In Europe, DORA and NIS2 empower national competent authorities to impose administrative penalties calibrated to the gravity and duration of breaches. (dfs.ny.gov)

Industry response: underwriting, pricing and operational change

Insurers and brokers say the regulatory pressure is accelerating hardening in underwriting standards, contract conditions and risk selection, even as the cyber insurance market showed signs of softening in pricing in parts of 2024–2025. Underwriters now routinely require demonstrable security hygiene — MFA, endpoint detection, tested backups, and vulnerability management — as a condition of coverage and often tie pricing and limits to documented controls. Reinsurers and alternative capital providers have also pushed for clearer contract wordings and stricter eligibility standards. Market commentators report that cyber premiums and capacity remain dynamic: capacity grew during 2023–24 as new capital entered the market, and by 2025 some segments experienced rate compression; but underwriters warn that regulatory fines, systemic events and the rise of AI‑enabled attacks could re‑harden the market. (deepstrike.io)

Costs and collateral consequences

Beyond fines, regulators’ demands translate into substantial compliance and remediation costs: creating or expanding security teams, conducting penetration tests and risk assessments, upgrading identity and access management, documenting vendor oversight, and revising policy forms and consumer disclosures. Insurers also face litigation risk, reputational harm and remediation obligations to policyholders — and in some notable cases regulators have sued insurers for failure to notify consumers or for deficient post‑incident response. The New York attorney general’s 2025 litigation and settlements against multiple auto insurers that exposed driver’s license numbers illustrate how data‑security failures ripple into civil enforcement and consumer claims. (ag.ny.gov)

What this means for consumers and policyholders

Regulators say the tightening of rules and enforcement will improve consumer protection: clearer disclosures should help policyholders understand what their policies cover and how to respond after a breach; stronger claims‑handling expectations are meant to reduce delay and confusion in payouts; and stricter vendor oversight is intended to lower downstream risk from third‑party compromises. But consumer advocates warn that gaps remain — for instance, inconsistent transposition of EU directives across member states, different state adoptions of NAIC models in the U.S., and unclear industry practices on whether post‑breach remediation will fully restore victims’ losses. Which?, the U.K. consumer group, has lodged a “super‑complaint” with the FCA citing ongoing consumer harm from weak claims handling in home and travel insurance and urging stronger enforcement. (content.naic.org)

Regulatory priorities to watch in 2026

  • EU: Implementation and enforcement of DORA and NIS2, designation and oversight of critical third‑party ICT providers, and EIOPA’s work to fold cyber into supervisory review processes and stress testing. Supervisors will publish guidance and may begin firm‑level enforcement under the new frameworks. (openkritis.de)

  • UK: The cyber security and resilience bill under parliamentary consideration, continuing FCA scrutiny of claims handling and Consumer Duty compliance, and potential post‑Brexit divergence on fines and supervisory approaches. (ft.com)

  • U.S.: Continued patchwork: New York remains the most aggressive U.S. state regulator on cyber enforcement; NAIC model law adoption is spreading among states; federal rules (for example, incident reporting obligations for critical infrastructure and proposals around federal standards) could further influence insurer obligations; state attorneys general will remain active in data‑security litigation. Corporate filings and public disclosures indicate many insurers are already budgeting for higher compliance costs. (dfs.ny.gov)

Voices from regulators and industry

“GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information,” Attorney General Letitia James said in the New York settlement announcement, underscoring the consumer‑protection rationale behind enforcement. DFS Superintendent Adrienne A. Harris said the department’s “groundbreaking cybersecurity regulation establishes a vital foundation” and that enforcement actions “reinforce the Department’s commitment” to ensuring licensees protect consumer data. (dfs.ny.gov)

Insurers argue they are responding with technical and governance upgrades. Coverage market commentary and broker assessments indicate firms are tightening underwriting and pushing insureds to adopt specific cyber controls before granting or renewing coverage. But industry lawyers and compliance officers warn that evolving supervisory expectations, cross‑border rules and faster reporting windows will be a continuing source of regulatory risk and operational expense. (blog.cyberadvisors.com)

Analysts’ view and limited consensus

Market analysts see three persistent tensions. First, regulators want demonstrable operational resilience and consumer protection; second, insurers must balance underwriting portfolio economics and take‑up of cyber coverage; third, insureds — especially small and mid‑sized firms — sometimes lack resources to meet prescriptive hygiene requirements. The combination of tighter rules, stronger enforcement and sophisticated attacks (including AI‑assisted fraud) means regulators, insurers and customers are likely to remain engaged in a cycle of control upgrades and supervisory scrutiny for the foreseeable future. (deepstrike.io)

What insurers should do now

Industry and legal advisers — and supervisors in public guidance — offer overlapping advice:

  • Elevate cyber to board level: document board oversight, regular management reporting and board approvals for cyber strategy. (dfs.ny.gov)

  • Strengthen third‑party oversight: map critical suppliers, contractually require security standards and monitor vendor performance and incidents. (openkritis.de)

  • Improve consumer disclosures and claims communications: publish clearer policy wordings, make breach notifications timely and provide practical remediation guidance to affected policyholders. (content.naic.org)

  • Test and document controls: undertake regular penetration testing, vulnerability management, incident simulations and maintain an up‑to‑date inventory of nonpublic information. (dfs.ny.gov)

  • Prepare for cross‑border rules: map differing EU member‑state transpositions, U.K. changes and state model‑law adoptions to ensure consistent compliance across jurisdictions. (cms-lawnow.com)

Conclusion: enforcement increasingly central to cyber supervision

Regulators in major insurance markets have moved cyber from a technical control problem to a core supervisory priority that implicates market conduct, consumer protection and prudential oversight. That shift has produced visible enforcement — including multimillion‑dollar settlements in the United States — and a wave of new or revised rules that increase reporting obligations, board accountability and vendor scrutiny. For insurers, the message from supervisors is explicit: written policies are necessary but not sufficient; regulators expect effective implementation, demonstrable board oversight, and claims processes that protect consumers and deliver timely, transparent outcomes. The combined force of litigation, fines and tightened supervisory expectations suggests the regulatory stance toward cyber in insurance will remain active and, in some jurisdictions, punitive — until industry practices and consumer outcomes measurably improve. (dfs.ny.gov)

Sources (selected)

  • New York State Department of Financial Services, press release, “Attorney General James and DFS Superintendent Harris Secure $11.3 Million from Auto Insurance Companies over Data Breaches,” Nov. 25, 2024. (dfs.ny.gov)
  • New York Attorney General press releases on subsequent insurance‑sector enforcement, Jan.–March 2025. (ag.ny.gov)
  • NAIC — Insurance topics: Cybersecurity; Insurance Data Security Model Law (Model #668) and Roadmap for Cybersecurity Consumer Protections. (content.naic.org)
  • European Insurance and Occupational Pensions Authority (EIOPA), oversight activity and consultations integrating IT/cyber risk into supervisory review (2024–2025). (eiopa.europa.eu)
  • Digital Operational Resilience Act (DORA) and NIS2 coverage and supervisory impacts (industry analyses and supervisory commentary). (openkritis.de)
  • Financial Times reporting on proposed UK cyber security and resilience bill and penalties. (ft.com)
  • Financial Conduct Authority (U.K.), “Home and travel claims handling arrangements: good practice and areas for improvement,” July 2025; and Which? super‑complaint and commentary. (which.co.uk)
  • Industry market reports and analyses on cyber insurance pricing, underwriting and capacity (2024–2025). (deepstrike.io)

(Reporting by [staff reporter]; regulatory documents, press releases and industry analysis reviewed include primary regulator releases and supervisory consultations cited above.)