Quick Summary:
- 2,250,000 reasons why you should have both your CIRP and your IR policy at least reviewed, and most likely updated.
- In April 2025, NIST significantly upgraded the requirements for CIRPs. CIRPs must now integrate incident response into broader cybersecurity risk management, emphasizing a strategic, ongoing, and business-aligned approach rather than a standalone technical lifecycle. Detection standards have also been raised. *
- Per the July ’23 SEC mandate, Annual Reports now include detailed narratives regarding cybersecurity: *
  - Your Board of Directors’ (BOD) oversight responsibilities
  - A myriad of reporting obligations: statutory, contractual, regulatory, etc.
- These (10-K) cybersecurity disclosures incur fiduciary / due diligence obligations. Should any of these efforts be deemed insufficient by regulators (e.g. NYDFS) or private litigants, the organization could face significant consequences (e.g. litigation/fines).
- These stipulations must be fully implemented throughout the organization’s policies, plans (e.g. the CIRP), procedures, training, exercises (e.g. TTXs), technologies, etc.[1]
- Ensure your cyber insurance coverage is fully integrated with your IR documentation and your team’s thinking. It may not cover your penalties. *
Detailed Narrative:
On April 30, 2026, the New York State Department of Financial Services (NYDFS) announced a $2.25 million settlement with Delta Dental (DDC/”The Companies”) for violations of NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500).
I leveraged the Google AI tool Gemini for my research, which cited this ruling. All Gemini-produced materials will be shown in italics. While I did not validate the Gemini results, I did not cite any Gemini information that I believed to be incorrect. The entire Gemini thread is available at gemini.google.com/app/10134330d771513b.
In May of 2023, Delta Dental suffered a zero-day MOVEit exploit that resulted in the theft of PHI/PII/NPI of approximately 7 million customers.
Per the NYDFS filing[2]:
“The Department has concluded that the Companies violated the following sections of the Cybersecurity Regulation:
(1) 23 NYCRR § 500.13, which requires Covered Entities to have policies and procedures for the secure disposal, on a periodic basis, of any Nonpublic Information (“NPI”) that is no longer necessary for business operations or for other legitimate business purposes;
(2) 23 NYCRR § 500.3(n), which requires Covered Entities to implement and maintain a written policy that addresses incident response, which includes providing sufficient detail and guidance concerning the Covered Entity’s regulatory reporting obligations to the Department;
(3) 23 NYCRR § 500.16(b)(6), which requires Covered Entities to establish a written incident response plan that addresses, inter alia, reporting of Cybersecurity Events; and
(4) 23 NYCRR § 500.17(a), which requires Covered Entities to provide timely notice of Cybersecurity Events to the Department.”
Additionally, from the filing:
“30. The Companies shall neither seek nor accept, directly or indirectly, reimbursement or indemnification with respect to payment of the penalty amount, including, but not limited to, payment made pursuant to any insurance policy.”
Here are some additional considerations that weren’t present when the attack occurred in May 2023, but apply now and should factor into the way you interpret this ruling:
- (A) The July 26, 2023, SEC Materiality reporting and BOD oversight requirement[3]. I have a blog with additional information on this[4].
- (B) The April 2025 update of NIST SP 800-61 (r3), which now: “integrates incident response into broader cybersecurity risk management, emphasizing a strategic, ongoing, and business-aligned approach rather than a standalone technical lifecycle.” * The NIST Computer Security Incident Handling Guide (SP 800-61) is the gold standard that the NYDFS expects companies to emulate.
The following are some thoughts from almost 4 decades of cybersecurity experience:
- This has become a really complicated job but very doable if you leverage the right approach: Top Down, Risk Based, Requirements Driven Execution is a good place to start.
- I equate this to “Checkers versus Chess”, but the three-dimensional chess that Mr. Spock used to play on Star Trek. (Showing my age here.) Your move at the IR level may favor your opponent(s) at the litigation level. Or, as in the NYDFS case above, some IT folks modified a factory default retention setting, and the company is now being cited because “Delta Dental failed to implement data retention settings, policies, procedures, and controls designed to protect consumer data and the company’s IT systems,” per item (1) above.
- Insurance Implications: Per paragraph 30 of the order (quoted above), your insurer may be barred from covering any penalty. Furthermore, does the IT modification of the 30-day retention limit invalidate the cyber insurance policy? Most cyber policies have an “Exclusion for Intentional Acts” or “Failure to Maintain Reasonable Security” clause. The NYDFS found that employees manually disabled security controls (albeit 30 days was the default vendor setting for MOVEit). I’m assuming their policy brought in the heavy hitters, Kroll & Clark Hill, and covered the notifications & credit monitoring for approx. 7 million affected parties, plus PR support (typical coverage). I have a couple of blogs on cyber insurance integration on my website[5].
- Litigation Implications:
  - Per (A) above: Materiality Reporting and Annual Report cybersecurity stipulations need to be addressed. These (10-K) cybersecurity disclosures incur fiduciary / due diligence obligations. Should any of these efforts be deemed insufficient by regulators (e.g. NYDFS) or private litigants, the organization could face significant consequences (e.g. litigation/fines).
  - These stipulations must be fully implemented throughout the organization’s policies, plans (e.g. the CIRP), procedures, training, exercises (e.g. TTXs), technologies, etc.[6]
  - Delta Dental was private, but NYDFS Section 500.04 (Cybersecurity Governance) still applies: (d) The senior governing body (i.e. BOD) shall exercise oversight of the covered entity’s cybersecurity risk management.
  - Legal Yoga: the “investigation” seems to last forever, then it becomes an “incident”, and now you have 4 business days to make a “materiality” announcement (see (A) above). I had a client who, during their management TTX, identified an obligation to notify the largest customer (50% of revenue) of a recently acquired company of all “Phishing Incidents”. One of the reasons I always fly back the following day: we spent the next 90 minutes after the TTX discussing the “legal elasticity” of the term “Phishing Incident” with their general counsel.
  - Reporting Requirements: contractual (e.g. cyber insurance, PCI MSA; I had a client discover a reporting requirement in a Purchase Order…), statutory (e.g. HHS OCR, etc.), regulatory (e.g. NYDFS, etc.), third party, and internal: management / technical / “need to know” versus shared awareness, and company/employee social media. Employee use of social media is a real problem.
- Your CIRP Implications:
  - “No plan survives first contact with the enemy” (USMC) versus “failing to plan is the same as planning to fail” (Benjamin Franklin)
  - No plan ever covers 100% of the problem. For planning to be an effective corrective mechanism, it must provide a solid foundation for its execution, include specific information so that participants are empowered with current and relevant knowledge, and yet be broad enough not to constrict an organization’s ability to respond to unforeseen events. Planning will rarely answer all the questions that come up during an incident, but it should provide a repository of thoughtful anticipation, collaboration, and research. Furthermore, to ensure a plan’s continued usefulness, it should be tested and updated on a regular basis. A plan’s true value is measured by the relevance of the information and processes it provides at a time of crisis.
  - “Detect”: This new NIST requirement in (B) above has a very detailed set of monitoring requirements that they want to see in, or referenced by, CIRPs. Indicators of Compromise (IOCs), “Anomalies & Deviations from expected activity”, and the ‘catch all’ of “other potentially adverse events” need to be documented. They want to know how you intend to do this for networks, runtime environments, external service providers, the physical environment, and personnel activity/technology usage. They also want this information correlated from multiple sources. I have a methodology and some war stories that can help with this. You will have to invest some time. This won’t be solved by technology alone.
  - Fog of War: You never have all the information you need to make a decision, or in this case, to obtain “Forensic Certainty” before providing notification. Be sure to include Assumption Tracking in your IR protocol, especially if you cite “Nation State attacks” and/or “Zero Day attacks” in your 10-K cyber risk narrative.
  - Friction: A common occurrence: Legal says you don’t need to notify affected parties because you haven’t met the statutory requirements, but HR objects: “These are our employees. What kind of work environment do you want to create here?” They’re both right. Decision Making is an important narrative.
  - Make sure the CIRP isn’t overly prescriptive and risks NOT allowing the right things to happen. Legal issues are top of the list. Your General Counsel is well paid for a reason. Your CIRP shouldn’t make mandates or oversimplify requirements. Involve all of your experts early in the process and they can tell you whether or not they need to be involved. You may also need their participation initially just to determine if you even have a (material) incident in the first place. My IR attorney (the other “IR” = Investor Relations) almost every time would say: “Thanks for letting me know, but I don’t need to attend. Keep me in the loop.” I would never see her face to face except for TTXs and the occasional lunchroom encounter. Then for one incident: “I will be right down.” Materiality determinations and disclosures were a requirement decades before the SEC guidance noted above in (A).
  - Leverage “Thresholds”: When you mobilize your CIRP, you pull everyone away from their normal duties on short notice. Should any of your IR team complain that you are “the boy who cries wolf”, work with them to develop a Threshold narrative that satisfies both of your needs.
  - This is a very dynamic business. Your plan should be “contemplative” and not overly “prescriptive”. Decisions will be made meeting to meeting (OODA Loop) as the event unfolds and more information is known.
  - Your CIRP may be reviewed by many parties before, during, and after an incident. Include sufficient information that gives them confidence you’ve covered all the bases (e.g. Requirements Driven Execution, by-name assignments, and a business-level narrative for each requirement). But the CIRP itself shouldn’t be the “source of truth” for all matters. Even within the technical realm, you shouldn’t expect your CIRP to “know everything”. Forensics is a common “technical” requirement, but no CIRP narrative will ever adequately make someone a forensics expert. Process Guides (AKA Procedures) are typically where you find the detailed, often technical “how”, but sometimes they aren’t enough either. My CIRPs also have a “Preparation” section that is designed for your BOD’s benefit.
* I have more detailed blogs on all of this at McCarthyCyberReadiness.com/blog/.
I can provide you with a FREE CIRP analysis. This is a “no brainer”.
[1] Your Annual Report may be your Biggest Cybersecurity Risk. – McCarthy Cyber Readiness
[2] Consent Order to Delta Dental 2026
[3] https://www.sec.gov/news/press-release/2023-139
[4] SEC BOD Guidance for CISOs – McCarthy Cyber Readiness
[5] McCarthyCyberReadiness.com/blog/
[6] Your Annual Report may be your Biggest Cybersecurity Risk. – McCarthy Cyber Readiness