CyberEyeQ Daily Briefing — Monday, May 18, 2026

Today's Focus: Cybersecurity, Data Security & Cloud Security

Today's Top Story: NYDFS opens 2026 with $2.25M Delta Dental settlement

On April 30, NYDFS announced a $2.25 million consent order against Delta Dental Insurance Company and Delta Dental of New York for violations of 23 NYCRR Part 500 — its first cybersecurity enforcement action of 2026. The underlying incident, a 2023 MOVEit Transfer zero-day affecting roughly 60,000 files of PII, SSNs, and PHI, was discovered in June 2023 but not reported to NYDFS until December 15, 2023 — about five months past the 72-hour deadline.

The order cites Part 500 §§ 500.13 (NPI disposal), 500.3(n) (incident-response policy), 500.16(b)(6) (IR plan must address Cybersecurity Event reporting), and 500.17(a) (72-hour notification). The signal to every Part 500 covered entity: the 72-hour clock is non-negotiable, and Acting Superintendent Asrow is enforcing it.

Also Today

NERC CIP-003-11 enters force May 26 — 8 days out. FERC Order No. 918 approved CIP-003-11 in March, superseding CIP-003-10 for low-impact BES Cyber Systems with external routable connectivity. The new standard adds three control families: authenticate all remote users and protect that authentication data, protect authentication information in transit, and detect malicious communications to or between low-impact assets. Confirm in-scope inventory and document the new controls this week. Federal Register, Order No. 918

CISA KEV: two federal deadlines passed this month. CISA added Linux kernel CVE-2026-31431 ("Copy Fail", CVSS 7.8) on May 1 with an FCEB remediation deadline of May 15, and Cisco Catalyst SD-WAN Controller CVE-2026-20182 (CVSS 10.0 critical auth bypass) with an FCEB deadline of May 17. Private-sector operators of either platform should treat both deadlines as the de facto industry benchmark and confirm remediation now. CISA KEV catalog

FedRAMP CR26 — public preview live; "Ready" retiring July 28. CR26 finalizes by June 30, takes effect July 1 with an optional transition through January 1, 2027. The legacy "FedRAMP Ready" designation retires 2026-07-28. "Authorization" becomes "Certification," and Low/Moderate/High/Ready are replaced with Class A/B/C/D (A = entry-level, D = High). CSPs holding or pursuing FedRAMP status: decide before July 28 whether to convert any existing "Ready" posture to a Class A pathway. FedRAMP CR26 preview

Deadline Alert

NERC CIP-003-11 — in force in 8 days (2026-05-26). Low-impact BES Cyber System owners with external routable connectivity must have authentication, in-transit protection, and malicious-traffic detection controls documented and operating.

Watch: GB 46864-2025 (China data sanitisation) — 2026-06-01 (14 days).

One Thing to Do Today

Re-test your 72-hour incident-notification path. Walk it from initial detection to a delivered notification at NYDFS (or your competent authority) and document the timestamps. If you cannot prove the path ran cleanly in the last 90 days, the Delta Dental order tells you what that gap costs.

Tomorrow's Focus

Privacy — fresh state and EU developments from yesterday's privacy briefing.

CyberEyeQ — Actionable Regulatory Intelligence
Reply with feedback or forward to a colleague who needs this.