NYDFS PENALIZES DELTA DENTAL INSURANCE $2.25 MILLION FOR CYBERSECURITY VIOLATIONS

According to the DFS Consent Order:

·       Following identification of a zero-day vulnerability in a file transfer application called MOVEit, it was determined that Delta Dental’s default retention settings for certain files were longer than necessary and that, in some instances, Delta had disabled certain folders’ retention settings entirely, thus allowing for exfiltration of PII of insureds.

·       Additionally, DFS found that Delta Dental’s incident response policies and procedures lacked sufficient detail and guidance concerning the Companies’ regulatory reporting obligations, including their reporting obligations to the Department, which contributed to the Companies’ failure to timely report a Cybersecurity Event to the Superintendent.

·       DFS found that Delta waited approximately six months before notifying DFS of the Cybersecurity Event, instead of within 72 hours as required by Part 500.

·       The Consent Order did note that Delta otherwise took appropriate steps in responding to the Cybersecurity Event.

·       No remediation appears to be required by the Consent Order.