N.M. Cyber Ruling Will Spur Litigation As Coverage Remedy

Zelle LLP

Law360
July 9, 2025

 

A June 16 appellate decision involving the construction of a cyberinsurance policy demonstrates a concerning lack of judicial understanding about the nature and scope of cyber liability coverage and implicitly incentivizes policyholders to manufacture litigation to avoid contractual limitations on other cyber coverages.

In Kane v. Beazley USA Services Inc., the New Mexico Court of Appeals found coverage for funds transfer fraud under a cyber liability provision insuring an entirely different risk — security breaches.[1] To get to that result, the court strained to find and then resolve an alleged ambiguity, selectively applying rules of contract construction to achieve the desired result.

Ultimately, the court appears to have lost the forest for the trees by focusing on all potential and hypertechnical meanings of a single preposition, "for," instead of reading the coverage provision at issue in the context of the policy as a whole. In doing so, the court seemed to misunderstand the purpose of cyber liability coverage and important distinctions between various cyber risks and the coverages that address them.

Classic Case of Funds Transfer Fraud

New Mexico Health Connections, a now insolvent healthcare insurer, lost $4 million when it was tricked into paying a bad actor instead of its pharmacy vendor. The story is all too common.

In April 2020, NMHC's email system was hacked. The hacker intercepted invoices from the vendor, altered the bank account information and emailed a revised invoice to NMHC's accounting department. The accounting department, thinking it was paying its vendor, paid the hacker's bank account $4 million over a one-month period. When the vendor contacted NMHC seeking payment, NMHC discovered the breach.

Many cyberinsurance policies offer funds transfer fraud coverage to insure this exact scenario. Indeed, NMHC purchased such coverage subject to a $250,000 sublimit. The coverage insured "any direct financial loss sustained resulting from ... fraudulent instruction." Fraudulent instruction included transfer of money "as a result of fraudulent ... instructions provided by a third party, that is intended to mislead an Insured."

The loss fell squarely within this coverage, and the insurer paid the $250,000 sublimit.

NMHC then refused to pay the vendor, forcing the vendor to sue. This resulted in a predictable third-party action by the vendor, which NMHC then tendered for coverage to its cyber carrier.

Of course, the vendor was blameless; it emailed an invoice and waited to receive payment. NMHC's system was hacked, not the vendor's. In its briefing, NMHC argued that the vendor "was as much a direct victim of the breach as was NMHC."

This argument ignores the fact that, under a cyber policy, who owns the compromised computer systems is of critical significance. There are separate coverages for a breach of the insured's systems and a breach of a dependent business's systems. The vendor's system was not breached in any sense of that word. If the vendor was a victim, it was a victim only of NMHC's attempt to obtain insurance proceeds. Indeed, NMHC's attempt to pay the vendor the $4 million was an admission that the amount was rightfully owed.

Selective Application of Policy Construction Principles

Apart from providing sublimited first-party coverage for funds transfer fraud, the policy at issue contained a separate third-party provision covering data and network liability for a security breach for:

Any Claim first made against any Insured during the Policy period for:

1. a Data Breach;
2. a Security Breach;
3. the Insured Organization's failure to timely disclose a Data Breach or Security Breach.

For the last decade or more, standard stand-alone cyber policies have contained both first-party and third-party coverages.

The first-party coverages insure the policyholder's direct loss from a breach — data recovery costs, forensic investigation expenses, business interruption losses, and other specialized first-party coverages, such as reputational harm and funds transfer fraud.

The third-party coverages insure the policyholder's liability to third parties as a result of the breach such as a class action by employees or customers alleging harm due to the exposure of their personal health or financial data. This liability coverage can also insure the cost of defending regulatory actions based on violations of privacy or consumer protection-related statutes.

The Kane court's results-oriented decision focused not on the obvious intent of the third-party liability coverage under a cyber policy, but instead on the meaning of the word "for" in the phrase "for ... a security breach." Focusing myopically on this word, the lower court and the appellate court found ambiguity, concluding that "for" could mean either "directly connected" or "causally connected."

But whether a provision could have been worded differently or more clearly is not the test for finding ambiguity.[2]

After finding the provision ambiguous, the Court of Appeals went about determining the intent of the parties. As explained by the well-respected treatise, Couch on Insurance, "The intent and understanding of the parties to an insurance contract is far more important than the strict and literal sense of the words used in the contract. Thus, it is equally important to consider the subject matter of the insurance and the subject or object that the parties had in view at that time."

Contrary to this principle, the court focused on the strict and literal sense of the language (specifically, one word: "for") and gave little consideration as to the object of the coverage. Selectively applying certain rules of contract construction, the court looked at other policy provisions and the dictionary to uncover the meaning of "for" in this context.

The court of appeals noted that the policy's data recovery costs coverage provision covered costs incurred "as a direct result of a security breach." The court reasoned that, when the liability coverage says "for a security breach" without specifying "direct," it must mean "direct and indirect." The court ignored the fact that "as a result" was also not in the liability provision, and its interpretation reads that language into the policy in a way that renders the provision nonsensical: "direct or indirect for a security breach."

More troubling, the court rejected its own logic in rebutting the insurer's argument about the other policy language. The insurer noted that other policy provisions used the phrases "arising out of" and "resulting from" and as such "for a security breach" cannot mean the same thing as "arising out of a security breach" or the insurer would have used this broader language.

The court — with no explanation as to how it reconciles the logic of the direct versus indirect discussion — argues there is no indication these terms "mean something special" and cannot be "used interchangeably." With no support, the court says the term "for" and the phrase "arising out of" are commonly used to mean the same thing.

The court also ignored one of the principal rules of contract construction — to read the policy as a whole giving meaning to all its parts. The court's order does not address the critical fact that the policy contained funds transfer fraud coverage up to $250,000. An insured should not be permitted to manufacture a lawsuit based on a funds transfer fraud in order to avoid this sublimit.[3]

Another key rule of contract construction is to avoid a reading of a provision that renders other policy terms unnecessary. If one reads "for a security breach" to mean "arising out of" a security breach, then there would be no need for the policy to specify that it cover claims for "the Insured Organization's failure to timely disclose a Data Breach or Security Breach." Subpart 3 of that section is rendered superfluous under the court's broad interpretation of Subpart 2.

The court of appeals also considered dictionary definitions of "for." The court noted that it could mean "equivalent to," "because of," "on account of," or "as regards." The court suggested any of these might apply. But missing from the court's analysis is any explanation as to how, even accepting the broader "because of" meaning, the claim made by the vendor was "because of" the security breach.

The court did not address causation principles at all. New Mexico has not adopted the efficient proximate cause doctrine. In fact, causation principles are largely unsettled under New Mexico law.

A jurisdiction adopting efficient proximate cause would likely have determined that NMHC's decision not to pay the invoice — not the security breach — was the most important or primary cause of the vendor's lawsuit. But even under the but-for causation standard, independent intervening causes can break the causal chain.

Deliberate acts are frequently deemed intervening causes. And clearly NMHC's continued refusal to pay the invoice was deliberate. Ultimately, New Mexico's murky causation law may have discouraged either party from arguing about causation. This is an important consideration when attempting to apply this holding outside of New Mexico.

Misunderstanding of Cyber Risks and Coverages

In its journey to find intent, the court of appeals revealed its numerous misconceptions about cyberinsurance. For instance, the court stated that cyberinsurance is "a relatively new area of insurance coverage" and cited to a law review article from 2023 discussing the need for new contract language to address unique issues that arise in claims for loss resulting from cybersecurity breaches.

The court, citing the law review article as support, concluded that insurance companies are "far more knowledgeable" as to "the breadth and sophistication of the cybersecurity risks" companies face. But is that true? Isn't a business more knowledgeable as to its cybersecurity risks than its insurance company?

More significantly, however, the court's decision reveals its own incorrect view that all cyber risks are the same. Here, the court failed to appreciate the material difference between coverage for funds transfer fraud and liability coverage for cybersecurity breaches, which, in this case, required a third-party claim.

Dangerous Incentive for Policyholders

Here the policyholder, by denying payment to the vendor, created circumstances that were calculated to give rise to a lawsuit against it that it could tender to its cyber insurer.

The NMHC decision, much like the U.S. Court of Appeals for the Fifth Circuit's Southwest Airlines Co. v. Liberty Insurance Underwriters Inc. decision last year, raises the question of whether third-party cyber insurance, or any insurance for that matter, should cover losses caused by an insured's voluntary actions.[4]

If Southwest had chosen to give each customer $1,000 for a missed flight would that be insured? If NMHC had chosen not to pay its electric bill or rent that month, would that have been caused by the security breach? If a business loses money in a cyber extortion scheme, can it refuse to pay its debts, wait to get sued and seek liability coverage under its cyber policy? The answers to these questions must be a resounding "no."

In finding coverage, the court created an incentive for policyholders facing coverage gaps for certain cyber risks, e.g., funds transfer fraud, to institute litigation solely in order to trigger third-party coverages. The NMHC ruling is a cautionary tale about what happens when a court fails to understand the broader implications of its holdings.

___________________________________________________

[1] Kane v. Syndicate 2623-623 Lloyd's of London d/b/a Beazley USA Services Inc., No. A-1-CA-41254, 2025 WL 1733046 (N.M. Ct. App. June 16, 2025).

[2] See Cont'l Cas. Co. v. Northland Ins. Co., No. A-4794-11T1, 2013 WL 6009575, at *2 (N.J. Super. Ct. App. Div. Nov. 14, 2013) ("simply because different wording could possibly make a provision more clear, does not render the language chosen ambiguous"); 2 Couch on Ins. § 22:9 ("Yet, the fact that the insurer's choice of words was unfortunate from the standpoint of the meaning attempted to be given the contract is no justification for disregarding the plain import of the language in the policy.")

[3] 2 Couch on Ins. § 22:10 ("If one interpretation of a contract of insurance capable of two interpretations would lead to an absurd conclusion, looking to the other provisions of the contract and its general scope and object, this construction must be abandoned and that adopted which will be more consistent with reason and probability.")

[4] Southwest Airlines Co. v. Liberty Insurance Underwriters Inc., 90 F.4th 847 (5th Cir. 2024).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Zelle LLP
