Authored by Donald Dinnie and Mmathabo Lekalakala

In June 2025, the New Mexico Court of Appeals held that a health insurer that paid over USD 4 million to a fraudulent bank account after an unauthorised third party accessed its computer system was entitled to recover the loss under its cyber insurance policy.

The court confirmed that coverage "for a security breach" in a cyber insurance policy is ambiguous and must be interpreted in favour of the insured. The court also found that the policy's exclusions for loss, transfer, or theft of money in the care, custody and control of the insured did not bar coverage.

A third party gained unauthorised access to the insured's computer system and email in April 2020.  The unauthorised third party obtained a copy of a legitimate invoice from one of the insured's vendors, substituted fraudulent bank account details and emailed the altered invoice to the insured. The insured transferred approximately USD 4.4 million to the fraudulent account. 

The vendor subsequently demanded payment of the outstanding amounts still owed under its contract with the insured. The insured claimed under its cyber policy for this loss.  The insurer denied coverage, arguing that the vendor's claim was not "for a security breach" as required by the policy and that the exclusion for loss of money applied. 

The court held that the preposition "for" in the phrase "for a security breach" was ambiguous. It could mean "equivalent to" (limiting coverage to direct losses from the breach itself) or it could mean "because of", "resulting from", or "on account of" (extending coverage to losses causally connected to the breach). Since dictionary definitions, other policy provisions, and court decisions from other jurisdictions supported both interpretations, the court applied the established principle that ambiguous policy terms must be construed in favour of the insured. The loss was accordingly found to be a loss on account of a security breach.

The court also rejected the insurer's reliance on two exclusions for loss of money.  The exclusion for money "in the care, custody or control" of the insured did not apply because, under New York law, money deposited with a bank belongs to the bank, not the depositor.  The funds were therefore in the bank's care, custody and control when transferred.

This judgment reinforces that insurers drafting cyber policies should use clear, unambiguous language to define the scope of coverage.  The court noted that cyber insurance is a relatively new field lacking standardised policy language, leaving policyholders vulnerable to uncertainty about their coverage.

Kane v Syndicate 2623-623 Lloyd's of London, 2025 WL 1733046 (N.M. Ct. App. June 16, 2025)