
COURTS REMAIN UNDECIDED ON HOW TO HANDLE CYBER SECURITY EVENTS

Although the number of cyber security attacks continues to rise, courts are not unified on how insurance policies apply. This is evident from two cases that were decided differently even though the insureds suffered similar cyber security events.

In Kane v. Syndicate 2623-623 Lloyd’s of London, 2025 WL 1733046 (N.M. Ct. App. June 16, 2025), a hacker sent a fraudulent invoice to New Mexico Health Connections, Inc. (“NMHC”) posing as a manager for OptumRX, a NMHC vendor. Following the fraudulent instructions, NMHC wired $4.4 million to the hacker over the course of five transactions in less than a month. The parties did not dispute these facts or that these facts constituted a security breach as defined by the policy.

Due to the fraudulent transfer, NMHC did not pay OptumRX for its legitimate invoices. OptumRX demanded NMHC pay the outstanding invoices pursuant to the parties’ contract. NMHC reported the claim to its cyber insurer Beazley. Beazley denied NMHC’s claim contending that OptumRX’s claim did not trigger coverage.

NMHC sued Beazley asserting that the phrase “claim for a security breach” would require only a causal connection to the loss. Beazley argued that OptumRX’s demand was caused by NMHC’s failure to pay its vendor and was therefore a garden-variety breach of contract and not a claim “for a security breach.”

The district court granted summary judgment for NMHC, holding the phrase “for a security breach” was ambiguous and that Beazley was required to provide coverage to NMHC. On appeal, the New Mexico Court of Appeals looked to other policy provisions, the dictionary definition of “for”, opinions from other courts, and insurance industry practice and drafting history. The Court of Appeals affirmed the district court’s grant of summary judgment finding that every avenue it turned to for assistance provided multiple reasonable meanings.

In Certain Underwriters at Lloyd’s, London v. Galey Consulting, LLC, 2025 WL 2104966 (Ill. Ct. App. July 28, 2025), Monroe Infrastructure, LLC was hired for a construction project in Nashville, Tennessee. Monroe engaged Galey Consulting, LLC for professional construction management services which included handling payments to subcontractors. Galey’s email account was hacked and emails from subcontractor Nashville Electric Service (“NES”) were diverted. The hacker sent Galey an email from a fictitious NES account, pretending to be an NES employee and advising Galey that NES procedures had changed and only electronic funds transfers would be accepted.

Galey did not call NES to confirm the change in procedure but instead emailed its contact at NES. The hacker confirmed the instructions with Galey. Galey ultimately told Monroe that the hacker’s request “was a legit request” and Monroe transferred $673,381.18. Galey reported the claim to its insurer Underwriters and provided a summary of events concerning the hack and the funds transfer. The parties did not dispute the facts in Galey’s summary of events.

Underwriters determined that there was no cyber or privacy coverage which would apply to the fraudulent transfer and Galey’s Errors & Omissions insurance contained “an exclusion . . . that precluded coverage for any claim ‘arising directly or indirectly out of any cyber event.’” Monroe’s counsel communicated with Underwriters and attempted to circumvent the exclusion by arguing that Galey was negligent for “failing to have in place a protocol and system to ensure that invoices presented were properly paid . . . [and for] failing to ‘utilize telephonic confirmation’ prior to making electronic payment . . . .”

Monroe eventually filed suit against Galey to recover the transferred funds. Monroe again attempted to get around the exclusion by never mentioning the hack or the fraudulent instructions. Monroe and Galey entered into a consent judgment and Monroe proceeded directly against Underwriters.

The district court granted summary judgment for Underwriters relying on Galey’s summary of events to determine that the exclusion for cyber events applied. On appeal, the Illinois Court of Appeals found that though Monroe’s complaint did not mention the hack or the fraudulent instructions, Galey’s summary established that “Monroe’s loss can only be characterized as ‘arising directly or indirectly out of’ a cyber event, even if other potential causes of the loss can also be identified.” As such, the Court of Appeals affirmed the district court’s grant of summary judgment for Underwriters.

Despite the same facts – a claim against an insured by a rightful payee after the insured was tricked into wiring funds to a fraudster – the cases had different outcomes. This highlights the importance of policy language and of awareness of jurisdiction-specific precedent.