What a $2.25 Million Cybersecurity Settlement Means for Business Owners
June 12, 2026
By Tracey Birkenhauer, journalist and Chief Impact Officer, STACK Cybersecurity
Executive Summary
New York regulators fined Delta Dental Insurance Company and Delta Dental of New York $2.25 million after finding the companies violated the state's cybersecurity regulation following a 2023 breach. The companies waited more than five months to notify regulators, lacked a written incident response policy that addressed their reporting obligations, and had no documented procedures for disposing of sensitive data they no longer needed.
The breach itself came through a widely exploited third-party software vulnerability. What created the fine was what wasn't in place before the attack and how leadership handled the aftermath. For any business that stores sensitive customer, patient, or employee data, the case is a practical guide to the governance failures that turn a software exploit into a multimillion-dollar problem.
Picture this: your company uses a well-known file transfer platform to exchange contracts, billing records, and employee documents with partners and vendors. Criminals exploit a flaw in that software and quietly pull files off your servers over a long weekend.
You find out weeks later. You patch the vulnerability, notify customers, and work with a forensics firm to understand the scope. You think you've handled it.
Then regulators come knocking, not because you got hacked, but because your written policies didn't meet the standard and you waited five months to tell them.
That's what happened to Delta Dental.
In April 2026, the New York State Department of Financial Services (NYDFS) announced a $2.25 million settlement with Delta Dental Insurance Company and Delta Dental of New York, Inc. after finding the companies violated the state's cybersecurity regulation following the 2023 MOVEit Transfer vulnerability. The attack itself was not unique to Delta Dental. Hundreds of companies were hit. What set Delta Dental apart was the paper trail, or the absence of one.
If your business stores sensitive records, moves files with vendors, or works with health, financial, or legal data, this case matters to you regardless of whether you're in financial services or regulated by New York.
What Is MOVEit and Why Did So Many Companies Get Hit?
MOVEit Transfer is a managed file transfer platform made by Progress Software. Companies use it to securely move large volumes of sensitive files between internal teams, clients, business partners, and service providers. It's common in health care, financial services, insurance, and any industry that needs auditable, encrypted file exchange. Delta Dental's cybersecurity affiliate used MOVEit to move eligibility records, claims files, and other data on behalf of its network of affiliated companies.
In late May 2023, the criminal group CL0P began exploiting a previously unknown flaw in MOVEit, identified as CVE-2023-34362, a SQL injection vulnerability rated 9.8 out of 10 in severity by NIST's National Vulnerability Database.
Because the flaw was a zero-day, meaning it was unknown to the software developer and its customers before it was exploited, companies running MOVEit had no advance warning. Delta Dental was one of about 2,700 companies affected by the automated mass exploitation attacks. Progress Software released a security advisory and patches on June 1, 2023. NYDFS published its own industry alert to regulated entities the next day. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI jointly warned that CL0P had used the flaw to steal data from hundreds of companies worldwide.
Delta Dental's cybersecurity affiliate detected suspicious activity on its MOVEit servers on June 1, the same day Progress issued its advisory. The affiliate removed the malicious files, deployed patches, and reset administrative credentials that same day. On July 6, 2023, investigators confirmed threat actors had exfiltrated files between May 28 and May 30. Memorial Day fell on Monday, May 29, 2023.
A forensic review that concluded Nov. 27, 2023, determined about 60,000 files had been taken from the servers. The broader Delta Dental network reported that nearly 7 million patients were affected across its affiliate system. The stolen files included names, addresses, Social Security numbers, driver's license numbers, passport numbers, financial account information, tax identification numbers, health insurance policy numbers, and patient health information.
Four Violations, One Consent Order
The consent order (PDF) signed April 29, 2026, names four specific violations of 23 NYCRR Part 500, New York's cybersecurity regulation for financial services companies.
Delta Dental failed to implement and maintain a written incident response policy addressing its reporting obligations to regulators. It failed to establish a written incident response plan that sufficiently covered those obligations. It failed to maintain policies and procedures for the secure and periodic disposal of nonpublic information no longer needed for business operations. And it failed to notify NYDFS of the cybersecurity event within the required 72-hour window.
That last one is where the timeline becomes striking.
Delta Dental's affiliate identified a webshell on the MOVEit servers on June 1, 2023. Under NYDFS rules, evidence of unauthorized access, including webshell installation, is itself a reportable cybersecurity event even before any data theft is confirmed. The companies confirmed data had been exfiltrated on July 6, 2023. They didn't notify NYDFS until Dec. 15, 2023, more than five months later.
The consent order states directly that the incident response policies "lacked sufficient detail and guidance concerning the Companies' regulatory reporting obligations" and that this deficiency "contributed to the Companies' failure to timely report the Cybersecurity Event to the Superintendent."
In other words, the response team may not have known what they were required to report, to whom, or how fast. That's a policy gap, not a technology gap.
Data Retention Problem
The second major finding involves how long files sat on the MOVEit servers. The platform sets a default retention period of 30 days, after which uploaded files are automatically deleted.
Delta Dental's cybersecurity affiliate had extended that default to 45 or 60 days for many folders and, in some cases, disabled the retention setting entirely. The consent order doesn't suggest those decisions were inherently wrong. What NYDFS cited was the complete absence of any written policy governing them. There was no documented process for requesting, reviewing, or approving changes to folder retention settings.
As a result, the majority of the roughly 60,000 exfiltrated files had been sitting on the servers longer than 30 days, and most were in folders where someone had extended or disabled the default retention, without any record of why. NYDFS concluded this violated Section 500.13 of the regulation, which requires covered entities to have policies for the periodic and secure disposal of nonpublic information that's no longer needed for business operations.
The principle here translates directly to any business. If you're holding customer records, employee files, or financial data longer than your stated policy says you should, regulators, insurers, and your clients' attorneys will want to know why. "No one made a decision about it" isn't an answer that protects you.
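One way to turn the retention finding above into a repeatable control. This is an added example, not code from the consent order, NYDFS, or Progress Software: a small Python audit that takes an exported folder inventory (configured retention in days, with None meaning automatic deletion is disabled), a change-management log of approved retention exceptions, and a file listing, then flags folders whose setting deviates from the 30-day default without a current approval, and counts how many stored files exist only because someone extended or disabled the default. The folder paths, ticket numbers, dates, and the export format are all constructed for illustration; a real platform's export would need its own parser.

```python
"""Retention-drift audit for a managed-file-transfer folder inventory.

Added example. The inventory, approval log, file listing and dates below are
constructed; the 30-day default is the platform default the consent order
describes.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEFAULT_RETENTION_DAYS = 30  # platform default; deviations need a documented reason


@dataclass(frozen=True)
class Folder:
    path: str
    retention_days: Optional[int]  # None = automatic deletion disabled


@dataclass(frozen=True)
class StoredFile:
    folder: str
    name: str
    uploaded: date


@dataclass(frozen=True)
class Approval:
    folder: str
    ticket: str                    # change-management reference (hypothetical ids)
    approved_days: Optional[int]   # retention the ticket authorised (None = disabled)
    expires: date                  # exceptions are time-boxed and re-reviewed


def find_unapproved_exceptions(folders, approvals, as_of):
    """Folders off the default that lack a current approval for exactly that setting.

    Returns a list of (folder path, reason) so each item can become a ticket."""
    approved = {a.folder: a for a in approvals}
    findings = []
    for f in folders:
        if f.retention_days == DEFAULT_RETENTION_DAYS:
            continue  # at default; nothing to document
        a = approved.get(f.path)
        if a is None:
            findings.append((f.path, "no approval on record"))
        elif a.approved_days != f.retention_days:
            findings.append((f.path, f"setting differs from value approved in {a.ticket}"))
        elif a.expires < as_of:
            findings.append((f.path, f"approval {a.ticket} expired {a.expires.isoformat()}"))
    return findings


def exposure_report(files, folders, as_of):
    """Classify each stored file by whether the default alone would have disposed of it.

    within_default   : younger than the platform default
    kept_by_exception: older than the default, retained only because of an
                       extended or disabled setting (exposure created by the change)
    past_configured  : older than even the configured retention, so the purge
                       itself is not working and needs investigation"""
    retention = {f.path: f.retention_days for f in folders}
    report = {"within_default": 0, "kept_by_exception": 0, "past_configured": 0}
    for sf in files:
        age = (as_of - sf.uploaded).days
        configured = retention.get(sf.folder, DEFAULT_RETENTION_DAYS)
        if age <= DEFAULT_RETENTION_DAYS:
            report["within_default"] += 1
        elif configured is None or age <= configured:
            report["kept_by_exception"] += 1
        else:
            report["past_configured"] += 1
    return report


# --- constructed sample data (not from the consent order) -------------------
AS_OF = date(2023, 5, 28)  # audit date chosen for illustration
FOLDERS = [
    Folder("/partners/claims", 30),
    Folder("/partners/eligibility", 60),
    Folder("/vendors/billing", 45),
    Folder("/archive/legacy", None),
    Folder("/hr/onboarding", 45),
]
APPROVALS = [
    Approval("/partners/eligibility", "CHG-0042", 60, date(2023, 12, 31)),
    Approval("/archive/legacy", "CHG-0007", None, date(2022, 12, 31)),  # lapsed
    Approval("/hr/onboarding", "CHG-0099", 30, date(2023, 12, 31)),     # ticket said revert
]
FILES = [
    StoredFile("/partners/claims", "a.csv", date(2023, 5, 20)),
    StoredFile("/partners/eligibility", "b.csv", date(2023, 4, 10)),
    StoredFile("/partners/eligibility", "c.csv", date(2023, 5, 25)),
    StoredFile("/vendors/billing", "d.pdf", date(2023, 4, 1)),
    StoredFile("/archive/legacy", "e.zip", date(2022, 11, 15)),
    StoredFile("/hr/onboarding", "f.docx", date(2023, 5, 1)),
]

if __name__ == "__main__":
    for path, reason in find_unapproved_exceptions(FOLDERS, APPROVALS, AS_OF):
        print(f"FINDING {path}: {reason}")
    print(exposure_report(FILES, FOLDERS, AS_OF))
```

Run against the sample data, the audit flags three folders (no approval, a mismatched setting, and a lapsed approval) and shows that two of six files are on the server only because of a retention change, with one file older than even its configured setting, which points at a purge that is not running. The point of the report is the documented reason and the time-boxed approval, which is exactly what the consent order found missing.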
Always Have a Plan
Acting Superintendent Kaitlin Asrow said: "The Department's nation-leading cybersecurity regulation requires financial institutions to have robust policies in place to protect the personal information of New Yorkers. As cybersecurity threats continue to grow, the Department is committed to holding institutions accountable."
Regulators are increasingly focused on governance and preparedness, not just whether an attack happened. The question on the table isn't only "were you breached?" It's "did you have a defensible plan before the breach, and did you execute it correctly after?" For business leaders, that's the shift worth internalizing. Getting hit by a sophisticated attack on widely used software doesn't insulate you from a fine. Having a plan that falls short does.
"This case signals how regulators are broadening enforcement beyond the breach itself, and what businesses should take from it even if they're not in financial services or subject to NYDFS," said Rich Miller, CEO of STACK Cybersecurity.
Why This Case Reaches Beyond New York
Part 500 applies specifically to entities holding New York financial services licenses. Delta Dental held New York insurance licenses, which brought it under that framework. But the enforcement priorities in this case mirror what's emerging across sectors: written policies, data retention controls, timely escalation, and documented decision-making authority. Those expectations appear in cyber insurance underwriting questionnaires, vendor due diligence requirements, state data protection laws, and frameworks like NIST's Cybersecurity Framework and SOC 2.
Tax and accounting firms face this directly. The IRS requires firms that handle federal tax returns to maintain a Written Information Security Plan, or WISP, which includes incident response procedures. If you're in that space, the Delta Dental case is a near-perfect illustration of what happens without one.
Read more about WISP requirements for tax and accounting firms.
Health care providers, manufacturers that work with defense contractors, and any company subject to state privacy laws are operating in the same environment. A company that can't answer basic questions about reporting thresholds, retention schedules, and escalation authority faces exposure that extends well past downtime. It affects cyber insurance claims, contract compliance, and client trust after an event.
Download the STACK Cybersecurity Cyber Liability Insurance Checklist
What to Review Now
Start with the incident response plan. If it hasn't been reviewed in the last 12 months, it probably doesn't reflect your current vendors, leadership team, cyber insurance carrier, outside counsel, or regulatory obligations. The Delta Dental consent order cites the absence of policies that gave "sufficient detail and guidance" on regulatory reporting specifically, not just response steps. A plan that says "notify legal" without specifying who makes the call, how fast, and what the reporting thresholds are isn't enough.
See our incident response best practices guide for a starting framework.
Then look at data retention. If your company holds customer, employee, or patient records beyond a default or stated period, document the reason and the process that governs that decision. The absence of documentation is what NYDFS cited, not the retention itself. This is also a cyber insurance issue: carriers increasingly ask about data minimization practices at renewal.
Finally, test the escalation chain. The most dangerous gap for most businesses isn't technical detection. It's the handoff from IT to legal, executive leadership, compliance, insurance, and communications. If your team can't determine within a few hours who has authority to declare an incident and start required notifications, that's the highest-priority item to address first.
When Did You Last Review Your Incident Response Plan?
STACK Cybersecurity helps businesses build and test defensible cybersecurity programs, including incident response planning, data governance, and risk assessments. Email info@stackcyber.com or call (734) 744-5300, or visit our contact page.
Facts from the Settlement
The $2.25 million penalty was announced April 30, 2026, and covers Delta Dental Insurance Company and Delta Dental of New York, Inc. The companies are affiliates in the insurance holding company system of Delta Dental of California and used that affiliate's cybersecurity program, a structure permitted under Part 500.
New York's regulation, codified at 23 NYCRR 500.17(a), requires notification to the superintendent within 72 hours of determining a reportable cybersecurity event has occurred.
Delta Dental waited more than five months.
The exfiltration occurred May 28 through May 30, 2023, and was confirmed July 6, 2023. Forensic review concluded Nov. 27, 2023. Companies notified NYDFS Dec. 15, 2023. About 60,000 files were exfiltrated from MOVEit Transfer servers.
The broader Delta Dental network reported nearly 7 million patients affected across its affiliate system. CVE-2023-34362, the vulnerability at the center of the attack, is rated 9.8 out of 10 (critical) by NIST. New York's Part 500 regulation took effect Aug. 29, 2017, with significant amendments effective Nov. 1, 2023. The consent order notes NYDFS acknowledged the companies' cooperation throughout the investigation and their prompt remediation of identified issues.
Frequently Asked Questions (FAQs)
What is an incident response plan and why does it matter?
An incident response plan is a written document that defines how a company prepares for, responds to, and recovers from a suspected or confirmed cybersecurity event. It should identify who has authority to declare an incident, how notifications to regulators, legal counsel, and insurers get made, and what documentation requirements apply. CISA describes it as a living document that should be formally approved by senior leadership and reviewed regularly. The Delta Dental consent order cites the absence of a written policy with "sufficient detail and guidance" on regulatory reporting obligations as a direct factor in the company's failure to notify NYDFS on time. See our incident response best practices guide for what a defensible plan should include.
Why did New York fine Delta Dental $2.25 million?
NYDFS cited four violations of its Part 500 cybersecurity regulation: no written incident response policy addressing regulatory reporting, no written incident response plan that sufficiently addressed reporting obligations, no policies or procedures for the secure and periodic disposal of nonpublic information no longer needed for business operations, and failure to notify the Department within 72 hours of determining that a reportable event had occurred. The companies didn't report to NYDFS until Dec. 15, 2023, more than five months after confirming data had been exfiltrated.
What is New York's 72-hour cybersecurity reporting rule?
Under 23 NYCRR 500.17(a), covered entities must notify the superintendent electronically as promptly as possible and no later than 72 hours after determining that a reportable cybersecurity event has occurred. A reportable event includes any incident requiring notice to a government body or with a reasonable likelihood of materially harming normal operations. NYDFS also clarified in its June 2023 industry letter that evidence of unauthorized access, including webshell installation, constitutes a reportable event even before data exfiltration is confirmed.
Does this case apply to businesses outside New York financial services?
Part 500 applies to entities licensed by NYDFS. Delta Dental held New York insurance licenses, which placed it under that framework. But the enforcement priorities this case reflects (written policies, documented data retention, and timely escalation) align with what cyber insurers, enterprise clients, and regulators across many sectors now expect. Tax preparers and accounting firms must maintain a Written Information Security Plan under IRS requirements. Health care businesses operate under HIPAA. State privacy laws in Michigan and elsewhere are moving in the same direction. Read more on WISP requirements for tax and accounting firms.
What data retention issue did NYDFS cite?
The consent order found that Delta Dental's cybersecurity affiliate had extended MOVEit Transfer's default 30-day folder retention settings to 45 or 60 days in many cases, and had disabled the setting entirely in others, without any written policy governing those decisions. The majority of the roughly 60,000 exfiltrated files had been on the servers longer than 30 days at the time of the attack. NYDFS concluded this violated Section 500.13 of the regulation, which requires policies for the periodic and secure disposal of nonpublic information no longer needed for business operations.
What was the MOVEit vulnerability involved in this case?
The attack exploited CVE-2023-34362, a zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer platform rated 9.8 out of 10 in severity by NIST. Because it was a zero-day, affected companies had no advance warning. Progress Software released its advisory and patches June 1, 2023. CISA and the FBI confirmed that the CL0P ransomware group exploited the flaw beginning in late May 2023 to steal data from hundreds of organizations worldwide.
What should a business owner do first after reading this case?
Review your written incident response plan and confirm it specifically addresses who determines whether an event is reportable, how fast that determination must be made, and where notifications go, including regulators, legal counsel, cyber insurance, and executive leadership. If the plan hasn't been updated in the past year, it likely doesn't reflect your current vendors, personnel, or obligations. Then confirm your data retention practices are documented and that any departures from default settings have a written rationale. Contact STACK Cybersecurity if you'd like help building or reviewing either.
Related Cybersecurity Resources
- Incident Response Best Practices
- WISP Requirements for Tax and Accounting Firms
- Cyber Liability Insurance Guide
- Cyber GRC: Governance, Risk, and Compliance
- False Claims Act and Cybersecurity Liability
- Cybersecurity Overconfidence
- STACK Cybersecurity Risk Assessment
Work with STACK
If your business wants to understand its exposure or build stronger defenses, email info@stackcyber.com or call (734) 744-5300.