The 30-second take
A recent Crowell & Moring client article highlights the New York Department of Financial Services’ $2.25 million settlement with Delta Dental of New York and Delta Dental Insurance Co. following alleged cybersecurity, consumer data protection and incident reporting failures. The matter arose from a MOVEit-related breach involving sensitive policyholder information and regulatory concerns around data disposal, incident response planning and notification timing.
The lesson for boards and management teams is not simply that cybersecurity regulation is becoming tougher.
The deeper lesson is that cyber risk maturity must be embedded into normal strategic, operational, supplier and technology assessments.
Regulatory compliance should be an outcome of strong business analysis, not the only reason the work is done.
Cyber risk is now a business maturity issue
Cybersecurity is often treated as a specialist control area. That is a mistake.
A cyber event rarely stays inside technology. It quickly becomes a customer issue, supplier issue, operational resilience issue, legal issue, regulatory issue, reputational issue and executive decision-making issue.
The Crowell article notes that regulators focused on issues including secure data disposal, incident response planning, vendor tool risk, notice requirements and broader cybersecurity governance. These are not narrow technical questions. They are business questions.
Risk management should be asking:
- What critical services rely on this system?
- What sensitive data sits inside the process?
- Which suppliers are part of the control chain?
- Who owns the risk end to end?
- What evidence shows the controls work?
- How quickly can the organisation escalate and act?
That is where cyber risk maturity becomes real.
Compliance is important, but it is not enough
Regulatory compliance matters. It sets expectations, creates discipline and makes accountability visible.
But if the organisation only asks, “Are we compliant?”, the conversation is too narrow.
A stronger question is:
Can we evidence that our cyber risk, supplier risk, data risk and operational resilience controls are understood, owned, tested and connected to real business outcomes?
The Crowell article makes clear that regulators are looking closely at whether organisations have practical policies, timely incident response, vendor oversight and current control evidence. That should not require a regulatory investigation to discover.
The organisation should already know.
The maturity test leaders should apply
A mature cyber risk assessment should not sit outside normal business planning. It should be embedded into:
- strategic planning;
- technology change;
- supplier onboarding and renewal;
- operational resilience assessments;
- data governance reviews;
- product and service design;
- incident response exercises; and
- assurance planning.
This is how regulatory compliance is achieved in a more sustainable way.
Not by chasing obligations one by one, but by understanding the business properly.
The risk management question
Cyber risk maturity is not proven by having a policy, framework or dashboard.
It is proven by whether the organisation can show clear ownership, current dependency mapping, tested controls, timely escalation, supplier visibility and evidence-based decision-making.
Boards and executives should not wait for an incident or regulator finding to ask the harder question:
Are our cyber risk assessments genuinely helping us understand how the business operates, where it is exposed, and how quickly we can respond when conditions change?
That is the difference between compliance activity and business maturity.
Innovation of Risk provides risk maturity and assessment tools to help organisations have better internal risk, governance and assurance discussions. This post is general information only and is not legal, regulatory, audit or professional advice.

