The New Mexico Court of Appeals has held that cyber policy language affording coverage “for” a security breach was ambiguous and must be construed broadly to provide coverage for a breach of contract claim “because of,” “resulting from,” or “on account of” a security breach. Kane ex rel. N.M. Health Connections, Inc. v. Syndicate 2623-623 Lloyd’s of London, 2025 WL 1733046 (N.M. Ct. App. June 16, 2025).
A fraudster gained access to a health insurance company’s computer system and requested payment of legitimate vendor invoices to a fraudulent bank account. The health insurance company wired over $4.4 million to the fraudster. The vendor never received payment for its invoices and alleged breach of contract. The company sought coverage for the vendor’s claim under its cyber insurance policy. The cyber insurer denied coverage on the ground that the vendor’s claim was not “for” a security breach; rather, it was a “garden-variety claim for breach of contract.” The district court disagreed, holding that the phrase “for” a security breach was ambiguous and must be construed to provide coverage for claims “because of” or “resulting from” a security breach, like the vendor’s claim. The district court also rejected the insurer’s alternative argument that two exclusions barred coverage because the stolen funds were either in the “care, custody or control” of the insured or were “lost, diminished, or damaged during transfer.”
On appeal, the New Mexico Court of Appeals affirmed, concluding that under New Mexico law “for” a security breach was ambiguous because (1) “for” was not defined in the policy; (2) an insured could read “for,” “resulting from,” and “arising from” interchangeably; (3) coverage was not limited to damages “as a direct result of” a security breach; (4) there are competing dictionary definitions of “for” that reflect both parties’ views; (5) there is a lack of interpretive consensus among courts construing “for” in the context of insuring clauses; and (6) “[a] business purchasing cybersecurity coverage . . . may view the insurance policy as protecting against all but the most clearly stated exceptions to coverage.” The court thus construed “for” a security breach broadly in favor of the insured to afford coverage for claims “because of,” resulting from,” or “on account of” a security breach, such as the vendor’s claim. The court also affirmed the district court’s holding that the two loss of money exclusions did not bar coverage, concluding that the funds at issue did not lose value during their transfer and that under New York law, which governed pursuant to the policy’s choice-of-law provision, the funds deposited with the insured’s bank were within the bank’s “care, custody or control” at the time of transfer rather than the insured’s.
[View source.]
