(Article from Insurance Law Alert, July/August 2025)
For more information, please visit the Insurance Law Alert Resource Center.
Holding
Affirming a trial court decision, a New Mexico appellate court ruled that a cyber policy was ambiguous and therefore construed it in favor of coverage. Kane v. Beazley USA Servs., Inc., 2025 N.M. App. LEXIS 38 (N.M. Ct. App. June 16, 2025).
Background
The coverage dispute arose out of a security breach in which a hacker posed as an account manager for OptumRX, a vendor of New Mexico Health Connections, Inc. (“NMHC”). The hacker sent a fake invoice to NMHC, after which NMHC wired approximately $4.4 million to the hacker’s bank account. When amounts due to OptumRX were not paid, OptumRX sued. NMHC sought defense and indemnity from Beazley, which denied coverage. Beazley argued that OptumRX’s claims did not trigger third-party coverage under the cyber policy, and even if they did, that two exclusions applied.
In ensuing litigation between NMHC and Beazley, a trial court granted NMHC’s summary judgment motion. The court ruled that a policy provision covering damages to third parties “for a security breach” was ambiguous and should be construed in NMHC’s favor. The trial court further found that the exclusions did not clearly apply to the loss at issue. The appellate court affirmed.
Decision
The parties did not dispute that the incident constituted a “security breach,” defined by the policy as “a failure of computer security to prevent . . . unauthorized access or use of [the insured’s] computer systems.” Rather, the dispute centered on whether OptumRX’s claim was a claim “for” a security breach.
Beazley argued that the term “for” limits coverage to claims directly for a security breach itself, such as a suit seeking damages for a policyholder’s loss of a third-party’s private data. Beazley therefore claimed that the policy did not extend to a breach of contract claim based on NMHC’s failure to pay OptumRX’s invoices, even where the breach of contract originated with a security breach. In contrast, NMHC argued that the phrase “for a security breach” included all third-party claims where the loss was causally related to a security breach.
The appellate court agreed with the trial court that the provision was ambiguous. The court determined that the dictionary did not resolve any ambiguity because there were multiple competing dictionary definitions of “for.” Additionally, the court found that decisions from other jurisdictions construing the meaning of “for” were inapposite because those cases concerned commercial general liability coverage (e.g., for bodily injury) rather than cyber insurance coverage and, according to the appellate court, lacked an “interpretive consensus.”
The appellate court also ruled that two exclusions did not apply. One exclusion applied to loss arising out of a diminution of monetary value during the transfer of funds between accounts. The court deemed this provision inapplicable because the factual record lacked evidence of a loss in value during a monetary transfer. The second exclusion barred coverage for loss of funds “in the care, custody or control of the insured organization.” The court ruled that the lost funds were not within the care, custody, or control of NMHC because the funds were held at a Wells Fargo bank. Applying New York law in accordance with a choice of law policy provision, the court ruled that money deposited with a bank “belongs to the bank and is not the property of the depositor.”
Comments
The nature of the policy at issue—a cyber breach response policy—was relevant to the court’s finding of ambiguity. The court noted that cybersecurity insurance is a relatively new product and posited that purchasers of such coverage “often have little knowledge about the breadth and sophistication of cybersecurity risks they face” whereas insurers “are far more knowledgeable.” The court further reasoned that the “imbalance is exacerbated by the lack of standard policy language among insurers to define or limit coverage.”