Takeaway

Recent actions by New York State regulators reaffirm that covered entities need to maintain operational cybersecurity controls and remain directly accountable for compliance, even when relying on third-party vendors or affiliates.

On April 30, 2026, the New York State Department of Financial Services (DFS) announced a $2.25 million cybersecurity settlement with Delta Dental Insurance Company (DDIC) and Delta Dental of New York, Inc. (DDNY) (collectively, the Companies), resolving allegations that the Companies violated NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500) in connection with the MOVEit Transfer zero‑day vulnerability.

The settlement reinforces the importance of aligning written policies, technical controls and incident‑response execution—particularly in the context of third‑party software vulnerabilities and supply‑chain risk.

Key Enforcement Findings
Based on its investigation, NYDFS concluded that the Companies violated multiple provisions of the Cybersecurity Regulation, including:

  • failure to maintain adequate policies and procedures for the secure disposal of Nonpublic Information (NPI) no longer necessary for business purposes (§ 500.13);
  • failure to implement and maintain a written incident response policy that adequately addressed regulatory reporting obligations (§ 500.3(n));
  • failure to maintain a written incident response plan addressing the reporting of Cybersecurity Events (§ 500.16(b)(6)); and
  • failure to provide timely notice of a Cybersecurity Event to NYDFS (§ 500.17(a)).

DFS also cited deficiencies in the Companies’ data‑retention controls, including extended or disabled retention settings on MOVEit servers without corresponding documentation in written policies, which contributed to the scope of data exposure.

The MOVEit Zero‑Day Vulnerability
NYDFS’s investigation focused on the Companies’ use of MOVEit Transfer servers from Progress Software Corporation to exchange files with customers, business partners, medical professionals and employees. The Companies, as affiliates, relied on the cybersecurity program of Delta Dental of California (DDC).

In mid‑2023, threat actors exploited a zero‑day vulnerability in the MOVEit software, enabling unauthorized access to affected servers. Progress Software released a security advisory on June 1, 2023. The same day, DDC identified the vulnerability on its servers, deployed patches and took steps to remediate the vulnerability. On June 2, 2023, NYDFS issued industry guidance alerting regulated entities to the vulnerability and its remediation.

On July 6, 2023, DDC confirmed that the threat actors had exfiltrated files from MOVEit Transfer between May 28 and May 30, 2023. On November 27, 2023, DDC confirmed that approximately 60,000 files had been exfiltrated. According to NYDFS, the exfiltrated files contained records of “insureds’ names, addresses, social security numbers, driver’s license and other state identification numbers, passport numbers, financial account information, tax identification numbers, health insurance policy numbers, and patient health information.”

On December 15, 2023, the Companies notified NYDFS about the Cybersecurity Event. Affected consumers were notified in March 2024.

Settlement Terms
Without admitting or denying the findings, the Companies agreed to resolve the matter through a Consent Order and to pay a $2.25 million civil monetary penalty. The Consent Order expressly prohibits the Companies from seeking indemnification or insurance reimbursement for the penalty and from claiming a federal, state or local tax deduction or tax credit for it.

NYDFS emphasized that covered entities are expected to maintain compliant cybersecurity programs on an ongoing basis.

Regulatory Context
NYDFS’s Cybersecurity Regulation has been in effect since March 2017, with significant amendments effective November 2023 that strengthened cyber governance, risk management and accountability obligations for regulated entities. NYDFS has described its Cybersecurity Regulation as “nation‑leading” and continues to signal aggressive enforcement against institutions that do not maintain robust, fully implemented cybersecurity programs. (For more information, see our prior analysis: How Financial Cos. Can Prep As NYDFS Cyber Changes Loom and How Safe is Your Multi-Factor Authentication? Complying With the New York State Department of Financial Services and Other Cybersecurity Regulators.)

As this case shows, NYDFS remains active in enforcing the Cybersecurity Regulation. (For more information, see our client alert discussing the imposition of a $2 million penalty for violations of the NYDFS Cybersecurity Regulation.)

Key Considerations for Regulated Entities
The latest settlement underscores several enforcement priorities that NYDFS continues to emphasize:

  • Incident response plans must be operational, detailed and tested, not merely documented.
  • Timely regulatory notification remains a strict expectation of NYDFS, as well as other regulators.
  • Third‑party and file‑transfer vulnerabilities—particularly widely exploited zero‑days—remain a core supervisory focus.
  • Data‑retention controls are enforcement‑relevant, particularly where outdated or unnecessary NPI remains accessible in third‑party systems.
  • Reliance on an affiliate’s enterprise cybersecurity program does not eliminate accountability at the regulated‑entity level.
  • The subjects addressed by the 2023 amendments are being enforced aggressively, with governance and accountability failures drawing monetary penalties.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.