Cover sheet of the DFS settlement with Delta Dental

DFS Secures $2.25 Million Cybersecurity Settlement with Delta Dental

Key quote:

“As cybersecurity threats continue to grow, the Department is committed to holding institutions accountable.”

Why it matters: The MOVEit zero-day was exploited starting on May 27, 2023. Progress Software shipped a patch on May 31. CISA added CVE-2023-34362 to its Known Exploited Vulnerabilities catalog that June. But here we are in April 2026, and Delta Dental’s still paying for it, $2.25 million to New York’s DFS, with 6.9 million individuals’ data exposed across the broader Delta Dental network. The breach itself was fast, and the consequences are playing out in slow motion three years later. That lag is the real risk most enterprise registers underestimate. The patch was available, and the government flagged it. This failure to act turned a known vulnerability into a multi-year legal and regulatory liability.

Now think about what’s coming. LLM-generated zero-days are going to compress the timeline from disclosure to exploitation even further. If organizations couldn’t close the gap on a vulnerability with a public patch and a CISA advisory, the next generation of threats will expose the same institutional inertia at a much faster clip. Organizations should be reviewing and reconsidering their regulatory and legal risk tolerances, as well as their patch exception sign-off processes.
