NYDFS Hits Delta Dental With $2.25M — The First 2026 Cyber Action Is About Notice and Retention, Not the Breach
TL;DR
- NYDFS’s first cybersecurity enforcement action of 2026 — a $2.25 million settlement with Delta Dental Insurance Company and Delta Dental of New York — is not about the MOVEit breach itself. It is about a six-month delay in notifying the Superintendent and an undocumented expansion of file retention settings.
- The two cited violations — 23 NYCRR § 500.17(a) (72-hour notice) and § 500.13 (secure disposal of NPI) — are the same controls that most incident response programs treat as ministerial. NYDFS just demonstrated they are not.
- The 60,000 exfiltrated files lived on a transfer tool because someone extended the default 30-day retention to 45 days and then 60 days, without a policy authorizing the change. The lesson is about governance over default settings, not vendor zero-days.
- For any practitioner working under Part 500, HIPAA, or a state breach law with a tight notice clock: the consent order is a free roadmap of where examiners will look on your next incident.
Most practitioners look at MOVEit and see a vendor problem. NYDFS looked at MOVEit and saw a governance problem. On April 30, 2026, Acting Superintendent Kaitlin Asrow announced a $2.25 million consent order against Delta Dental Insurance Company (DDIC) and Delta Dental of New York, Inc. (DDNY) — the Department’s first cybersecurity enforcement of 2026 and the latest in a string of post-MOVEit actions cleaning up after the 2023 Progress Software zero-day.
If you read only the headline, you would think this is a breach penalty. Read the consent order itself and the story changes. Delta Dental got fined for two things — neither of which is “you got hacked.”
What the Consent Order Actually Cites
The cyber facts are not in dispute. Between May 29 and May 31, 2023, the Cl0p ransomware group exploited a zero-day in Progress Software’s MOVEit Transfer product. Delta Dental was one of thousands of organizations whose MOVEit instance was hit. Approximately 60,000 files containing names, Social Security numbers, government identifiers, financial account information, and protected health information were exfiltrated — affecting nearly seven million individuals across DDIC and DDNY.
NYDFS did not penalize Delta Dental for any of that. The consent order cites two violations:
| Provision | What It Requires | What Went Wrong |
|---|---|---|
| 23 NYCRR § 500.17(a) | Notify Superintendent within 72 hours of determining a cybersecurity incident occurred | Delta Dental learned of the incident in June 2023, confirmed consumer data was affected in July 2023, and did not notify NYDFS until December 15, 2023 |
| 23 NYCRR § 500.13 | Maintain policies and procedures for secure disposal of NPI no longer necessary for business operations | No policy governed MOVEit retention settings; defaults were extended from 30 → 45 → 60 days for many folders without documented business justification |
Both findings are about process — not impact. NYDFS has been signaling this direction for years, and the November 2023 amendments to Part 500 made it explicit. The Delta Dental order makes it expensive.
The 72-Hour Clock Is Not Aspirational
Section 500.17(a) is one of the shortest provisions in Part 500 and one of the most misunderstood. The rule, as it read at the time of the incident and as amended in November 2023:
Each covered entity shall notify the superintendent electronically … as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.
The trigger is determination, not scoping completion, not full forensic confirmation, not public disclosure. In the Delta Dental matter, NYDFS pegged the latest defensible determination date at July 2023, when the company confirmed consumer data was implicated. December 15 notice was therefore not 71 hours late — it was roughly five months late.
This is the part that should worry every incident response leader. The reflex inside most IR programs is to wait for the forensic firm to confirm scope before notifying regulators. That reflex is exactly what NYDFS is now penalizing. If you have determined that a cybersecurity incident has occurred and that it meets one of the § 500.17(a) triggers — required notice to another government body, reasonable likelihood of material harm, or ransomware deployment — the 72-hour clock starts. You can update later; you cannot delay the initial notice while waiting for clean facts.
If you are still using a generic IR plan that defers regulator notice to legal counsel “at the appropriate time,” start with the Incident Response Plan Template — 6 Phases and pressure-test your notice obligations against the actual triggers in Part 500, HIPAA, the SEC’s 4-day 8-K materiality rule, and your state’s breach law. A unified triage chart belongs in your IR plan, not in a counsel’s head.
Section 500.13 — Where Defaults Go to Die
The retention finding is in some ways more interesting than the notification finding because it surfaces a category of risk most programs do not formally manage: vendor product defaults.
MOVEit Transfer, by design, is a managed file transfer (MFT) tool. Files land on it briefly while moving between organizations and then get cleaned up. Progress Software ships MOVEit with a 30-day default retention period for exactly this reason — long enough to handle reconciliation and re-transmission, short enough to limit blast radius if anyone breaks in.
Delta Dental extended that default. First to 45 days. Then to 60 days for many folders. According to the consent order, no policy authorized the change, no business justification was documented, and there was no periodic review of retention settings. When Cl0p arrived in May 2023, the consequence was that files which should have rotated off the platform weeks earlier were still sitting there to be exfiltrated.
NYDFS’s § 500.13 finding is not “60 days is too long.” It is “you changed a security-relevant default with no governance, and that is exactly what § 500.13 is supposed to prevent.” Any compliance officer running a vendor risk program should now treat default settings on critical vendor platforms as part of the third-party control inventory — not a sysadmin choice. The control owner needs to be named, the default needs to be documented, and any change needs to flow through change management.
This applies to far more than MFT. The same logic applies to:
- Cloud storage retention defaults (S3 lifecycle policies, blob retention, OneDrive/SharePoint)
- Backup retention windows
- Log retention in SIEM tools (where shortening defaults can also be a problem)
- Email archive policies
- Database soft-delete and snapshot retention
- Endpoint forensics agent telemetry retention
Each one is a § 500.13 conversation waiting to happen if the data is NPI.
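The governance check the section describes, as an added example (not the post's or NYDFS's own tooling): an inventory of retention settings on platforms that hold NPI is audited for the three gaps the consent order found, no named owner, a deviation from the vendor default with no approved change record, and no periodic review. Platform names, scopes and ticket numbers in the sample are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class RetentionControl:
    """One retention setting on a platform holding NPI, as recorded in the control inventory."""
    platform: str
    scope: str                      # folder, bucket, index, mailbox policy...
    vendor_default_days: int
    configured_days: int
    owner: Optional[str]            # named control owner; None if nobody is assigned
    change_record: Optional[str]    # change ticket approving a deviation; None if undocumented
    last_reviewed: Optional[str]    # ISO date of the last periodic review; None if never

def audit_retention(inventory: List[RetentionControl]) -> List[str]:
    """One finding per governance gap, in inventory order.
    Deviating from the vendor default is acceptable only when it is owned, approved and
    reviewed; a setting left at the default still needs an owner and a review."""
    findings: List[str] = []
    for c in inventory:
        where = f"{c.platform}/{c.scope}"
        if not c.owner:
            findings.append(f"{where}: no named control owner")
        if c.configured_days != c.vendor_default_days and not c.change_record:
            findings.append(f"{where}: default {c.vendor_default_days}d changed to "
                            f"{c.configured_days}d with no approved change record")
        if not c.last_reviewed:
            findings.append(f"{where}: no periodic review on record")
    return findings

# Constructed sample inventory (names and tickets are made up). The MOVEit row mirrors the
# consent order's 30 -> 60 day extension with no policy, owner or review behind it; the SIEM
# row shows that shortening a default is governed the same way.
SAMPLE_INVENTORY = [
    RetentionControl("MOVEit Transfer", "partner-claims", 30, 60, None, None, None),
    RetentionControl("S3", "claims-archive lifecycle rule", 30, 90,
                     "Data Platform Lead", "CHG-0042", "2026-01-15"),
    RetentionControl("SIEM", "auth-logs index", 90, 30, "SecOps Manager", "CHG-0107", None),
]

if __name__ == "__main__":
    for finding in audit_retention(SAMPLE_INVENTORY):
        print(finding)
```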
The Pattern in NYDFS’s Post-MOVEit Enforcement
Delta Dental is not the first post-MOVEit penalty NYDFS has secured, and the pattern is now consistent enough to be predictive.
Look at three of the Department’s prior cyber settlements: PayPal ($2 million, January 2025) for failures around access control, identity management, and qualified cybersecurity personnel; the $19 million-plus auto insurance settlements (October 2025) over data breach response and protection of consumer information; and the OneMain Financial $4.25 million settlement for vendor management and access. None of them turned on the underlying breach being “worse” than peers. All of them turned on documented program gaps — notice timing, retention, access controls, vendor oversight.
NYDFS has effectively built an enforcement playbook where the question is not “did your defenses fail?” but “when they failed, did your program execute as the regulation requires?” If you cannot say yes — with documentation — to those questions, you have an enforcement risk regardless of how the breach started.
What Practitioners Should Pull From the Order
Five tactical takeaways, sized for a Monday-morning compliance huddle:
1. Build a notification decision tree, not a notification policy. A policy that says “notify NYDFS within 72 hours” is useless under pressure. What you need is a documented decision tree that walks an incident lead from detection → triage → § 500.17(a) trigger evaluation → notice with named decision-makers and timestamps. Your IR plan template should include this — the cyber incident response playbook walkthrough gives the structure.
2. Treat vendor product defaults as governed controls. Pull a list of every critical SaaS or vendor platform that touches NPI. For each, document the security-relevant defaults (retention, logging, access, encryption), the current setting, who owns it, and the rationale for any deviation. This is a § 500.13 audit waiting to happen and the consent order is your free template for what good looks like.
3. Audit any extension of default retention windows. If your team has lengthened retention on an MFT, backup, or log platform, run it through change management retroactively. Document the business justification, the residual risk acceptance, and the periodic review cadence. NYDFS will not accept “we needed more time to reconcile” without evidence.
4. Stop waiting for forensic certainty before initial regulator notice. The 72-hour clock under § 500.17(a) — and the analogous clocks under state breach laws — runs from determination, not confirmation. Build a workflow where the initial notice is filed on suspicion and updated as facts develop. Most regulators expect and accept this; NYDFS has now penalized the alternative.
5. Apply the same lens to fourth-party (Nth-party) risk. MOVEit was a third party. Cl0p hit thousands of fourth parties as a result. If a vendor’s vendor breaks the chain, your notice obligation does not wait for the chain to be repaired. The vendor breach response playbook covers the upstream/downstream notice mechanics in detail.
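The § 500.17(a) decision tree from takeaways 1 and 4, worked as an added example (this is not the post's template or a RiskTemplates artifact): the clock starts at the earliest time any of the three triggers was determined, the deadline is 72 hours after that, and the notice is classified against it. The sample timeline is constructed from the consent order's month-level dates; the exact days are assumed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

NOTICE_WINDOW = timedelta(hours=72)  # 23 NYCRR 500.17(a)

# The three 500.17(a) triggers as the post lists them.
TRIGGERS = ("notice_required_to_other_government_body",
            "reasonable_likelihood_of_material_harm",
            "ransomware_deployed")

@dataclass
class IncidentTimeline:
    """Timestamps an incident lead records while walking the decision tree (all UTC)."""
    detected: datetime
    # When each trigger was determined to apply; a trigger not yet determined is absent.
    trigger_determined: Dict[str, datetime] = field(default_factory=dict)
    superintendent_notified: Optional[datetime] = None

def determination_time(t: IncidentTimeline) -> Optional[datetime]:
    """The clock starts when the first trigger is determined, not when scoping or
    forensics finish. Unknown trigger names are ignored rather than starting a clock."""
    times = [when for name, when in t.trigger_determined.items() if name in TRIGGERS]
    return min(times) if times else None

def evaluate_notice(t: IncidentTimeline, now: datetime) -> dict:
    """Classify the notice as timely, late, clock_running, overdue or no_trigger_determined,
    with the deadline and how many hours past it the notice was (or currently is)."""
    det = determination_time(t)
    if det is None:
        return {"status": "no_trigger_determined", "deadline": None, "hours_late": 0.0}
    deadline = det + NOTICE_WINDOW
    reference = t.superintendent_notified if t.superintendent_notified else now
    overrun = max(reference - deadline, timedelta(0))
    if t.superintendent_notified:
        status = "late" if overrun else "timely"
    else:
        status = "overdue" if overrun else "clock_running"
    return {"status": status, "deadline": deadline, "hours_late": overrun.total_seconds() / 3600}

# Constructed from the consent order's month-level dates; the exact days are assumed.
DELTA_DENTAL = IncidentTimeline(
    detected=datetime(2023, 6, 1),
    trigger_determined={"reasonable_likelihood_of_material_harm": datetime(2023, 7, 1)},
    superintendent_notified=datetime(2023, 12, 15),
)

if __name__ == "__main__":
    print(evaluate_notice(DELTA_DENTAL, now=datetime(2024, 1, 1)))
```

Filing the initial notice on determination and amending it later keeps the status at "timely"; waiting for forensic confirmation is what moves it to "late".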
The Bigger Signal
This consent order, on its face, is a $2.25 million action against a single insurance company over an incident two and a half years old. That is not what makes it important.
What makes it important is that NYDFS — under acting leadership, in a year when federal enforcement priorities have softened in places like the CFPB and parts of SEC enforcement — chose to lead 2026 with a procedural-failure case. Not a record-breaking penalty. Not a flagship adviser. A reminder that two of the most basic provisions in Part 500 are also the most enforceable, and that the cost of treating them as administrative is now visible.
For practitioners, the answer is unchanged: write the policy, govern the default, file the notice, document the decision. The Delta Dental consent order is what it looks like when an organization does not.
Build the controls before the consent order forces you to. The Incident Response & Breach Notification Kit packages the IR plan template, the 72-hour decision tree, regulator notice templates for NYDFS, HIPAA, and all 50 state breach laws, and the retention audit worksheet — built for compliance teams operating under Part 500, HIPAA, GLBA, and state privacy regimes.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.