Illinois Court Addresses Scope Of Coverage For Losses Arising Out Of Cyber-Crime Incident Under Two Policies (Insurance Law Alert)

04.28.25

(Article from Insurance Law Alert, April 2025)

Holding

An Illinois district court ruled that an exclusion in one policy barred coverage for wire transfers stemming from fraudulent emails, but that issues of fact precluded a ruling as to coverage under a computer fraud provision in another policy. Office of the Special Deputy Receiver v. Hartford Fire Insurance Co., 2025 U.S. Dist. LEXIS 60484 (N.D. Ill. Mar. 31, 2025).

Background

Office of the Special Deputy Receiver (“OSD”), a non-profit corporation that administers estates of insolvent insurance companies, was the victim of a “spear phishing” attack. A hacker gained access to the Chief Financial Officer’s Outlook account and then, posing as him, sent emails to various OSD employees requesting wire transfers to purportedly fund new investments. The employees carried out the instructions, and eight transfers were sent totaling approximately $6.85 million. OSD was able to recover some, but not all, of the funds and turned to its insurers for coverage.

Hartford and HSB Specialty denied coverage. OSD filed suit and the insurers moved to dismiss. The court granted Hartford’s motion but denied HSB Specialty’s motion.

Decision

The court ruled that Hartford’s policy, a Financial Institution Bond, did not cover the losses as a matter of law. The court concluded that an Electronic Mail Initiated Transfer Fraud Coverage exclusion (Rider 17) unambiguously applied because it excluded from coverage “loss resulting directly or indirectly from the Insured having, in good faith, transferred or delivered Funds, Certificated Securities or Uncertificated Securities, in reliance upon a fraudulent instruction sent to the Insured through electronic mail . . . .”

OSD argued that, notwithstanding the exclusionary language of Rider 17, coverage was available under a Computer Systems Fraud Coverage clause (Rider 13), which applied to “Loss resulting directly from a fraudulent (1) entry of Electronic Data or Computer Program into, or (2) change of Electronic Data or Computer Program within any Computer System operated by the Insured . . . .” OSD claimed that Rider 13 was “self-contained and not modified at all by the exclusions in any other riders” or, alternatively, created ambiguity when read in conjunction with Rider 17. Rejecting these assertions, the court ruled that both riders “modify the bond as a whole” and that Hartford need not “spell out, in every section of the Bond, that exclusions added to the bond apply” to the entire instrument.

However, the court denied HSB Specialty’s motion to dismiss, finding issues of fact as to whether coverage was available under a Computer Fraud provision in the cyber policy. HSB Specialty acknowledged coverage under a Social Engineering provision, which was subject to a $250,000 sublimit, but denied coverage under a Computer Fraud provision. The Computer Fraud provision covered loss incurred “as a direct result of Computer Crimes,” defining Computer Crimes as “the intentional, fraudulent or unauthorized input, destruction, or modification of electronic data or computer instructions into Computer Systems by any entity which is not an Insured Organization or person who is not an Insured Person.”

HSB Specialty argued that OSD’s loss did not “directly result” from a Computer Crime and instead resulted from human activity, such as the employees’ conduct in transferring money. In support of its argument, HSB Specialty cited decisions from other jurisdictions involving similar factual scenarios. The court distinguished those cases based on differing policy language and factual circumstances. In particular, the court emphasized that here, the chain of causation between the initial hacking and the financial loss involved fewer “links” and a shorter time frame than the cases cited by HSB Specialty. Additionally, the court noted that the underlying Computer Crime need not be the sole cause of the loss and that court decisions requiring a strict “direct-cause analysis” (rather than proximate causation) involved fidelity bonds, not insurance policies.

In any event, even applying a stricter standard, the court concluded that OSD pled facts establishing a direct link between the loss and the Computer Crime. The court explained that each fraudulent email could constitute a Computer Crime because “[s]ending an email requires the input of ‘electronic data or computer instructions’” and each wire transfer was “a direct response to those emails.”

Finally, the court rejected two other arguments asserted by HSB Specialty: that the Social Engineering and Computer Fraud coverages were mutually exclusive and that OSD failed to allege facts that fall within the Computer Fraud coverage provision. The court noted that a policy amendment specified that one subsection of the Social Engineering provision was mutually exclusive with the Computer Fraud provision but emphasized that HSB Specialty issued payment under a different subsection of the Social Engineering provision which was silent on mutual exclusivity. The court also held that OSD sufficiently alleged facts giving rise to a Computer Crime even though the company’s broader computer network was not breached, and no servers or hardware were altered. The court explained that the Computer Fraud provision did not include such requirements and that the hacker’s alteration of the Chief Financial Officer’s Outlook account was sufficient to allege the fraudulent or unauthorized “input, destruction, or modification of electronic data or computer instructions.”

Comments

As discussed in previous Alerts, several courts across jurisdictions have addressed whether losses stemming from fraudulently induced wire transfers “resulted directly” from computer fraud or were instead caused by the intervening actions of employees in effectuating those transfers. Decisions in this context turned on specific policy language, the factual record presented, and the causation standard (e.g., but-for or proximate) applied by the court.