Feature Incident Response
NYDFS Hits Delta Dental With $2.25M — The First 2026 Cyber Action Is About Notice and Retention, Not the Breach
NYDFS's first 2026 cybersecurity enforcement penalizes Delta Dental for a six-month notification delay and lengthened MOVEit retention settings — not for getting hit. What practitioners should pull from the consent order.
Table of Contents
TL;DR
- NYDFS’s first cybersecurity enforcement action of 2026 — a $2.25 million settlement with Delta Dental Insurance Company and Delta Dental of New York — is not about the MOVEit breach itself. It is about a six-month delay in notifying the Superintendent and an undocumented expansion of file retention settings.
- The two cited violations — 23 NYCRR § 500.17(a) (72-hour notice) and § 500.13 (secure disposal of NPI) — are the same controls that most incident response programs treat as ministerial. NYDFS just demonstrated they are not.
- The 60,000 exfiltrated files lived on a transfer tool because someone extended the default 30-day retention to 45 days and then 60 days, without a policy authorizing the change. The lesson is about governance over default settings, not vendor zero-days.
- For any practitioner working under Part 500, HIPAA, or a state breach law with a tight notice clock: the consent order is a free roadmap of where examiners will look on your next incident.
Most practitioners look at MOVEit and see a vendor problem. NYDFS looked at MOVEit and saw a governance problem. On April 30, 2026, Acting Superintendent Kaitlin Asrow announced a $2.25 million consent order against Delta Dental Insurance Company (DDIC) and Delta Dental of New York, Inc. (DDNY) — the Department’s first cybersecurity enforcement of 2026 and the latest in a string of post-MOVEit actions cleaning up after the 2023 Progress Software zero-day.
If you read only the headline, you would think this is a breach penalty. Read the consent order itself and the story changes. Delta Dental got fined for two things — neither of which is “you got hacked.”
What the Consent Order Actually Cites
The cyber facts are not in dispute. Between May 29 and May 31, 2023, the Cl0p ransomware group exploited a zero-day in Progress Software’s MOVEit Transfer product. Delta Dental was one of thousands of organizations whose MOVEit instance was hit. Approximately 60,000 files containing names, Social Security numbers, government identifiers, financial account information, and protected health information were exfiltrated — affecting nearly seven million individuals across DDIC and DDNY.
NYDFS did not penalize Delta Dental for any of that. The consent order cites two violations:
| Provision | What It Requires | What Went Wrong |
|---|---|---|
| 23 NYCRR § 500.17(a) | Notify Superintendent within 72 hours of determining a cybersecurity incident occurred | Delta Dental learned of the incident in June 2023, confirmed consumer data was affected in July 2023, and did not notify NYDFS until December 15, 2023 |
| 23 NYCRR § 500.13 | Maintain policies and procedures for secure disposal of NPI no longer necessary for business operations | No policy governed MOVEit retention settings; defaults were extended from 30 → 45 → 60 days for many folders without documented business justification |
Both findings are about process — not impact. NYDFS has been signaling this direction for years, and the November 2023 amendments to Part 500 made it explicit. The Delta Dental order makes it expensive.
The 72-Hour Clock Is Not Aspirational
Section 500.17(a) is one of the shortest provisions in Part 500 and one of the most misunderstood. The rule, as it read at the time of the incident and as amended in November 2023:
Each covered entity shall notify the superintendent electronically … as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.
The trigger is determination, not scoping completion, not full forensic confirmation, not public disclosure. In the Delta Dental matter, NYDFS pegged the latest defensible determination date at July 2023, when the company confirmed consumer data was implicated. December 15 notice was therefore not 71 hours late — it was roughly five months late.
This is the part that should worry every incident response leader. The reflex inside most IR programs is to wait for the forensic firm to confirm scope before notifying regulators. That reflex is exactly what NYDFS is now penalizing. If you have determined that a cybersecurity incident has occurred and that it meets one of the § 500.17(a) triggers — required notice to another government body, reasonable likelihood of material harm, or ransomware deployment — the 72-hour clock starts. You can update later; you cannot delay the initial notice while waiting for clean facts.
If you are still using a generic IR plan that defers regulator notice to legal counsel “at the appropriate time,” start with the Incident Response Plan Template — 6 Phases and pressure-test your notice obligations against the actual triggers in Part 500, HIPAA, the SEC’s 4-day 8-K materiality rule, and your state’s breach law. A unified triage chart belongs in your IR plan, not in a counsel’s head.
Section 500.13 — Where Defaults Go to Die
The retention finding is in some ways more interesting than the notification finding because it surfaces a category of risk most programs do not formally manage: vendor product defaults.
MOVEit Transfer, by design, is a managed file transfer (MFT) tool. Files land on it briefly while moving between organizations and then get cleaned up. Progress Software ships MOVEit with a 30-day default retention period for exactly this reason — long enough to handle reconciliation and re-transmission, short enough to limit blast radius if anyone breaks in.
Delta Dental extended that default. First to 45 days. Then to 60 days for many folders. According to the consent order, no policy authorized the change, no business justification was documented, and there was no periodic review of retention settings. When Cl0p arrived in May 2023, the consequence was that files which should have rotated off the platform weeks earlier were still sitting there to be exfiltrated.
NYDFS’s § 500.13 finding is not “60 days is too long.” It is “you changed a security-relevant default with no governance, and that is exactly what § 500.13 is supposed to prevent.” Any compliance officer running a vendor risk program should now treat default settings on critical vendor platforms as part of the third-party control inventory — not a sysadmin choice. The control owner needs to be named, the default needs to be documented, and any change needs to flow through change management.
This applies to far more than MFT. Same logic applies to:
- Cloud storage retention defaults (S3 lifecycle policies, blob retention, OneDrive/SharePoint)
- Backup retention windows
- Log retention in SIEM tools (where shortening defaults can also be a problem)
- Email archive policies
- Database soft-delete and snapshot retention
- Endpoint forensics agent telemetry retention
Each one is a § 500.13 conversation waiting to happen if the data is NPI.
The Pattern in NYDFS’s Post-MOVEit Enforcement
Delta Dental is not the first post-MOVEit penalty NYDFS has secured, and the pattern is now consistent enough to be predictive.
Look at three of the Department’s prior cyber settlements: PayPal ($2 million, January 2025) for failures around access control, identity management, and qualified cybersecurity personnel; the $19 million-plus auto insurance settlements (October 2025) over data breach response and protection of consumer information; and the OneMain Financial $4.25 million settlement for vendor management and access. None of them turned on the underlying breach being “worse” than peers. All of them turned on documented program gaps — notice timing, retention, access controls, vendor oversight.
NYDFS has effectively built an enforcement playbook where the question is not “did your defenses fail?” but “when they failed, did your program execute as the regulation requires?” If you cannot say yes — with documentation — to those questions, you have an enforcement risk regardless of how the breach started.
What Practitioners Should Pull From the Order
Five tactical takeaways, sized for a Monday-morning compliance huddle:
1. Build a notification decision tree, not a notification policy. A policy that says “notify NYDFS within 72 hours” is useless under pressure. What you need is a documented decision tree that walks an incident lead from detection → triage → § 500.17(a) trigger evaluation → notice with named decision-makers and timestamps. Your IR plan template should include this — the cyber incident response playbook walkthrough gives the structure.
2. Treat vendor product defaults as governed controls. Pull a list of every critical SaaS or vendor platform that touches NPI. For each, document the security-relevant defaults (retention, logging, access, encryption), the current setting, who owns it, and the rationale for any deviation. This is a § 500.13 audit waiting to happen and the consent order is your free template for what good looks like.
3. Audit any extension of default retention windows. If your team has lengthened retention on an MFT, backup, or log platform, run it through change management retroactively. Document the business justification, the residual risk acceptance, and the periodic review cadence. NYDFS will not accept “we needed more time to reconcile” without evidence.
4. Stop waiting for forensic certainty before initial regulator notice. The 72-hour clock under § 500.17(a) — and the analogous clocks under state breach laws — runs from determination, not confirmation. Build a workflow where the initial notice is filed on suspicion and updated as facts develop. Most regulators expect and accept this; NYDFS has now penalized the alternative.
5. Apply the same lens to fourth-party (Nth-party) risk. MOVEit was a third party. Cl0p hit thousands of fourth parties as a result. If a vendor’s vendor breaks the chain, your notice obligation does not wait for the chain to be repaired. The vendor breach response playbook covers the upstream/downstream notice mechanics in detail.
The Bigger Signal
This consent order, on its face, is a $2.25 million action against a single insurance company over an incident two and a half years old. That is not what makes it important.
What makes it important is that NYDFS — under acting leadership, in a year when federal enforcement priorities have softened in places like the CFPB and parts of SEC enforcement — chose to lead 2026 with a procedural-failure case. Not a record-breaking penalty. Not a flagship adviser. A reminder that two of the most basic provisions in Part 500 are also the most enforceable, and that the cost of treating them as administrative is now visible.
For practitioners, the answer is unchanged: write the policy, govern the default, file the notice, document the decision. The Delta Dental consent order is what it looks like when an organization does not.
Build the controls before the consent order forces you to. The Incident Response & Breach Notification Kit packages the IR plan template, the 72-hour decision tree, regulator notice templates for NYDFS, HIPAA, and all 50 state breach laws, and the retention audit worksheet — built for compliance teams operating under Part 500, HIPAA, GLBA, and state privacy regimes.
◆ Related template
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
Why did Delta Dental get fined by NYDFS if the MOVEit vulnerability was a vendor zero-day?
What does 23 NYCRR § 500.17(a) actually require?
What is § 500.13 and why did the MOVEit retention settings violate it?
Does this enforcement apply to non-financial institutions?
What does 'determination of a cybersecurity incident' mean for the 72-hour clock?
How does this consent order interact with the November 2023 amendments to Part 500?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
◆ Keep reading
Related posts.
Incident Response
AI-Powered BEC Stole $3 Billion in 2025: What Your Incident Response Playbook Is Missing
The FBI's 2025 IC3 report logged $3.046 billion in BEC losses—86% via wire or ACH—with AI now generating the emails, cloning the voices, and running the deepfakes. Most financial institution IR playbooks were written before this threat existed. Here's the gap analysis and what to add before the next one hits.
Jul 8, 2026
Incident Response
KYC in the Deepfake Era: Why Document + Selfie Verification Is Failing and What Actually Works
FinCEN's November 2024 alert formally put financial institutions on notice that AI-generated deepfakes are bypassing KYC onboarding at scale. Here's what's failing in the document+selfie stack, what examiners expect, and which controls are working in 2026.
Jul 5, 2026
Incident Response
Breach Notification Letter Template: What the Law Requires, What Regulators Charge For, and Why Your Approval Process Fails Under Pressure
The content of a breach notification letter isn't optional — multiple regulatory frameworks specify exactly what must be in it, and enforcement actions from the FTC, SEC, and CFTC show how specific the mistakes regulators will charge you for. Here's what goes in the letter and how to build an approval process that holds up when the 30-day clock is running.
Jul 3, 2026