Eight auto insurance companies just got hit with $19 million in fines from New York’s Department of Financial Services. The reason? They failed to protect your personal data according to state cybersecurity rules.
If you have auto insurance in New York, your information—driver’s license numbers, Social Security details, payment data—might have been at risk. HSF Kramer reported these October 2025 penalties mark one of the largest cybersecurity enforcement actions against insurers in state history.
The bigger question: Is your auto insurance company on the list?
Which Auto Insurers Got Fined (And Why It Matters to You)
The New York Department of Financial Services hasn’t publicly released the names of all eight companies yet. That’s standard procedure during ongoing regulatory reviews, but it leaves roughly 10 million New York auto insurance customers wondering if their provider made the list.
What we know: These weren’t small violations. $19 million in fines points to serious, systemic failures in how these companies handled cybersecurity. The consent orders have not been published, so the exact findings aren’t known, but the failures DFS has cited in earlier Part 500 enforcement actions fall into familiar categories. Insurers in that position typically:
- Failed to conduct proper risk assessments of their systems (Part 500 §500.9), leaving vulnerabilities undetected for months or years.
- Didn’t have an adequate, tested incident response plan (§500.16). When incidents happened, they couldn’t react fast enough.
- Skipped the required cybersecurity awareness training (§500.14) for employees who handle sensitive customer data daily.
- Lacked multi-factor authentication (§500.12) on remote access and on systems storing your personal information, making account takeover and data theft easier.
The state’s 23 NYCRR Part 500 cybersecurity regulation has been in effect since 2017. These companies had eight years to comply. They didn’t.
Your Data at Risk: What These Violations Actually Mean
Here’s what most people miss about insurance cybersecurity failures.
Auto insurers collect everything about you: full name, address, date of birth, Social Security number, driver’s license details, credit score, payment information, and even your daily driving patterns if you use telematics devices. A single breach puts you at risk for identity theft, financial fraud, and years of credit damage.
The violations DFS cited typically fall into specific categories:
| Violation Type | What It Means for Your Data | Real-World Risk |
|---|---|---|
| No Risk Assessment | Company didn’t identify weak points in data systems | Hackers found entry points insurers didn’t know existed |
| Missing Response Plans | No clear process when breaches happen | Your data exposed for weeks before company notices |
| Inadequate Access Controls | Too many employees could view sensitive records | Higher chance of internal data theft or accidental leaks |
| Poor Vendor Management | Third-party partners (body shops, tow companies) not vetted | Your data shared with companies with zero security standards |
The Insurance Information Institute reports that insurance companies face an average of 43 cyberattacks per day. When your insurer cuts corners on cybersecurity, you become the target.
3 Steps to Take If Your Insurer Got Fined
Don’t wait for your insurance company to send a breach notification letter. By then, damage might already be done.
Step 1: Request Your Data Security Disclosure
New York law lets you ask insurers how they protect your information. Call your company’s customer service and ask:
- “Was [Company Name] one of the eight insurers fined by DFS in October 2025?”
- “What specific cybersecurity improvements have you made this year?”
- “Do you offer free credit monitoring after data breaches?”
Document everything. If they refuse to answer or give vague responses, that’s a red flag.
Step 2: Freeze Your Credit (Free in New York)
Contact all three credit bureaus (Equifax, Experian, and TransUnion) and place a security freeze with each one. Freezes are free nationwide under federal law, not just in New York, and a freeze stops identity thieves from opening new accounts in your name.
Takes about 15 minutes total. Your credit score won’t change, but criminals can’t use your stolen data to get loans or credit cards. When you need credit yourself, you temporarily lift the freeze at the bureau the lender will check.
Step 3: Consider Switching Insurers
If your company got fined, they’ve proven they don’t take data security seriously. New York has over 100 licensed auto insurers. Shop around using comparison tools and ask new providers direct questions about their cybersecurity practices during the quote process.
Why New York Is Leading the Insurance Cybersecurity Crackdown
New York’s 23 NYCRR Part 500 is the toughest state-level cybersecurity regulation in the country. It requires all financial services companies—including insurers—to:
- Designate a Chief Information Security Officer who owns the cybersecurity program (not just an IT manager wearing two hats)
- Conduct annual penetration testing, where ethical hackers try to break into systems, plus regular vulnerability assessments
- Encrypt nonpublic information both in storage and during transmission
- Report cybersecurity events to DFS within 72 hours of determining one occurred (notice to affected customers is governed by New York’s separate breach-notification law, the SHIELD Act, on its own timeline)
The regulation went into effect in 2017, with full compliance required by March 2019. These eight companies had over six years. The $19 million penalty sends a clear message: DFS isn’t accepting excuses anymore.
Other states are watching. California, Texas, and Ohio are drafting similar regulations. If you live outside New York, your insurer might be getting away with weaker protections right now.
The Hidden Cost of These Fines (Hint: You Might Pay It)
Here’s the uncomfortable truth about regulatory fines: insurance companies often pass costs to customers through premium increases.
Do the arithmetic: $19 million spread across millions of policies is a dollar or two per customer, one time. The larger and ongoing cost is the remediation the fines force (new controls, audits, staff), and that is what can show up as a small bump at renewal. The industry calls this “compliance cost recovery.”
However, there’s a counterargument. Companies that invest in proper cybersecurity from the start avoid fines entirely. They also prevent costly breaches—the average insurance data breach costs $5.9 million according to IBM’s 2024 Cost of a Data Breach Report. That’s way more expensive than compliance.
If your premiums go up next renewal and your insurer was one of the eight fined, you’re paying for their negligence. That’s a legitimate reason to shop for a new policy with a company that got cybersecurity right the first time.
What Happens Next for These 8 Companies
Paying the fine isn’t the end. DFS typically requires:
- Quarterly compliance reports for 12-24 months showing cybersecurity improvements
- Independent audits by certified cybersecurity firms (company pays)
- Mandatory training for all employees handling customer data
- System upgrades meeting specific technical standards outlined by DFS
If companies fail follow-up audits, DFS can suspend their license to operate in New York. That’s rare but has happened. In 2023, DFS pulled the license of a small health insurer after repeated cybersecurity failures.
For consumers, this means these eight companies will likely have better data protection 12 months from now than they do today. The question: Do you trust them to get it right this time, or switch to a company that never got fined?
Frequently Asked Questions
How do I find out if my auto insurance company was one of the eight fined?
Call your insurer’s customer service and ask directly: “Was [Company Name] one of the eight auto insurance companies fined by New York DFS in October 2025 for cybersecurity violations?” A customer service representative may not know or may not be authorized to say, so also check the enforcement actions section of the DFS website, where consent orders are published with company names once the actions are finalized.
Will these fines cause my auto insurance premium to increase?
Possibly, but not dramatically. The fine itself works out to a dollar or two per policy; any noticeable increase would come from the cost of the remediation work DFS requires afterward. New York requires insurers to justify rate increases to DFS, so a large jump cannot simply be attributed to a penalty. If your premium rises significantly and your company was fined, that’s a good reason to shop for quotes from competitors who maintained proper cybersecurity and avoided penalties.
Should I cancel my policy if my insurer got fined?
Not necessarily, but get quotes from other carriers. These fines mean your insurer had serious cybersecurity gaps, but DFS enforcement typically forces rapid improvements. The company will likely have better data protection 6-12 months from now under regulatory supervision. However, if you can find comparable coverage at a similar price with an insurer that wasn’t fined, switching sends a market signal that cybersecurity failures have consequences.
What specific data do auto insurers collect that could be at risk?
Auto insurers typically store your full name, address, date of birth, Social Security number, driver’s license number, credit score, payment information (bank account or credit card), claims history, vehicle identification numbers, and telematics data (driving patterns, locations, times). If you’ve filed claims, they also have accident details, police reports, and medical records. A comprehensive breach exposes everything needed for identity theft, financial fraud, and targeted phishing attacks.
Are other states cracking down on insurance cybersecurity like New York?
Yes, but New York remains the strictest. More than twenty states have adopted the NAIC Insurance Data Security Model Law, which was modeled on Part 500 and requires insurers to run a written information security program, assess risk, and notify regulators of cybersecurity events, though many of those versions omit Part 500’s specific technical requirements such as mandatory MFA and annual penetration testing. California’s Insurance Department issued new data security guidelines in 2024. Ohio passed the Ohio Data Protection Act, which offers a legal safe harbor to companies that maintain a reasonable cybersecurity program. Texas is drafting regulations similar to New York’s 23 NYCRR Part 500. If you live outside New York, your insurer may operate under weaker standards and less aggressive enforcement.
Bottom Line: Your Data Protection Starts With You
The $19 million in fines proves that even licensed, regulated insurance companies cut corners on cybersecurity. New York’s DFS is holding them accountable, but enforcement happens after failures—not before.
You can’t control your insurer’s security practices, but you can control your response. Freeze your credit, monitor your accounts, and ask direct questions about data protection. If your company was fined, they’ve shown you who they are. Believe them.
Over 100 auto insurers operate in New York. At least 92 of them didn’t get fined for cybersecurity failures. Your data deserves better than gambling on companies that needed a $2+ million penalty to take security seriously.