Cyberattacks are continuing to increase in both volume and sophistication. This is demonstrated by a record number of 33,561 reported cyber claims in 2024.[1] Cybercriminal sophistication has increased to a level where they utilize multiple avenues to obtain information and misuse that information, blurring the lines between historical cyber and crime exposures. This raises the question of how courts will interpret such hybrid tactics under insurance policies. Although the legal principle of contra proferentem is well settled, will courts strain to find ambiguity in colloquial undefined policy terms, such as “for”, in order to find coverage for an insured? On June 16, 2025, the Court of Appeals of New Mexico answered this question in the affirmative and found the word “for” ambiguous in a cyber liability policy.

In Kane v. Syndicate 2623-623 Lloyd’s of London, the insured, New Mexico Health Connections, Inc. (“NMHC”), sought coverage under its cyber liability policy for payment of a fraudulent invoice. A bad actor, posing as a vendor of NMHC (OptumRX), emailed a fraudulent invoice to NMHC, which NMHC paid.[2] The bad actor obtained a copy of a legitimate invoice sent by OptumRX when it breached NMHC’s computer system and sent a fraudulent invoice by substituting fraudulent account numbers in place of OptumRX’s account number.[3] NMHC wired approximately $4.4 million from its Wells Fargo bank account to the fraudulent bank account.[4] As a result, NMHC never paid OptumRX amounts due pursuant to the parties’ contract, triggering OptumRX to send NMHC a demand letter for the unpaid amounts.[5]

NMHC tendered the third-party claim from OptumRX to its cyber insurer, Syndicate 2623/623 Lloyd’s of London d/b/a Beazley USA Services, Inc. (“Beazley”).[6] While Beazley agreed that the unauthorized access to NMHC’s computer system constituted a “security breach”, it denied coverage for the unpaid invoice amounts, maintaining that such loss did not trigger the policy’s grant of coverage.[7] The policy provided coverage for loss on account of “any claim first made against an insured during the policy period for … a security breach.”[8]

Even though courts typically parse through policy definitions in insuring agreements, here the Court looked instead to an undefined colloquial word used in the majority of insurance policies – “for”. So what does “for” mean?

Beazley maintained that OptumRX did not assert “a claim against NMHC ‘for a security breach’” because there was no allegation that, “as a result of such a breach, information pertaining to OptumRX was stolen or compromised.”[9] As such, Beazley argued that “for” means “equivalent to” and that “coverage is provided only for a loss directly connected to the security breach.”[10] On the other hand, NMHC argued that the phrase “a claim for a security breach” only required “a causal connection between the loss or damages claimed and the security breach.”[11]

The Court rejected Beazley’s argument and held that the word “for” was ambiguous and that the coverage included “claims of loss ‘because of,’ ‘resulting from,’ or ‘on account of’ a security breach.”[12] The Court reasoned, in part, that purchasers of cyber insurance often have “little knowledge about the breadth and sophistication of the cybersecurity risks they face” and are “unlikely to imagine all of the consequences of the increasingly sophisticated methods of breaching computer security and may view the insurance policy as protecting against all but the most clearly stated exceptions to coverage.”[13]

The Court’s holding raises several potential issues for cyber insurers. First, as the Court acknowledged in a footnote, this is a case of funds transfer fraud. In fact, Beazley paid its $250,000 fraudulent instruction coverage limit, but because Beazley did not argue that this coverage was exclusive, there was no further analysis of this fact. Funds transfer fraud “involves the fraudulent transfer of monies from one financial institution to another by means of electronic banking websites, email communications and/or phone calls.”[14] Often, funds transfer fraud involves a hack or business email compromise.[15] To the extent cyber underwriters intend for such a sublimit to be the sole and exclusive remedy for all fraudulent funds transfers, claims handlers should, in their initial coverage correspondence, reserve their right to maintain that such sublimit is the sole and exclusive coverage for all cases of funds transfer fraud, and ultimately preserve that argument for any coverage litigation that may ensue.

Second, the Court’s holding did not take into account that a claim for a security breach usually involves the theft of the insured’s client’s or customer’s personally identifiable information (“PII”) in the insured’s care, custody, and control and transmission of malicious code to a third party’s computer system.[16] Here, there is no allegation that the bad actor obtained any of OptumRX’s customer’s PII or that any malicious code infiltrated OptumRX’s computer system. Nor did OptumRX allege that the bad actor hacked, or gained access to, its computer system. Rather, OptumRX alleges that NMHC breached the parties’ contract by failing to remit payment of OptumRX’s invoice. The claim asserted by OptumRX is far removed from the security breach at issue and is an action for breach of contract – not a security breach. The Supreme Court of New Mexico has held that “[r]esort will not be made to a strained construction for the purpose of creating an ambiguity when no ambiguity in fact exists” and that “ambiguity does not exist simply because a controversy exists between the parties, each favoring an interpretation contrary to the other.”[17] Here, however, it appears the Court took the opposite approach, finding coverage in favor of an insured.

The Kane decision shows that insurers must continue to expect the unexpected. It is unlikely that of all the words contained in that cyber liability policy, the policy drafter expected or intended “for” to be seen as ambiguous. While it remains to be seen whether other courts will follow Kane and read ambiguity into the word “for” to find coverage for third party claims without a direct relation to the security breach, prudent cyber insurers should stay informed as the case law continues to develop in this area and adapt as necessary.

References:

[1] Cyber Roundup: Claims Report 2025, Cowbell, https://cowbell.insure/wp-content/uploads/pdfs/CB-US-Cyber-Roundup-ClaimsReport2025.pdf.

[2] 2025 N.M. App. LEXIS 38, 4.

[3] Id.

[4] Id.

[5] Id. at 4-5.

[6] Id. at 5.

[7] Id.

[8] Id. at 11 (emphasis added).

[9] Id. at 11-12 (emphasis added).

[10] Id. at 12.

[11] Id.

[12] Id. at 19.

[13] Id. at 18-19. The court also rejected Beazley’s argument that two policy exclusions applied to preclude coverage. Id. at 20-23.

[14] Understanding the Fraud Coverage Within a Cyber Liability Policy: Computer Fraud vs. Funds Transfer Fraud, Lockton Affinity (Mar. 12, 2022), https://locktonaffinityadvisor.com/blog/understanding-the-fraud-coverage-within-a-cyber-liability-policy-computer-fraud-vs-funds-transfer-fraud/.

[15] Id.

[16] Information Security and Privacy Liability Coverage, IRMI, https://www.irmi.com/term/insurance-definitions/information-security-and-privacy-liability-coverage.

[17] Battishill v. Farmers All. Ins. Co., 127 P.3d 1111, 1115 (N.M. 2006).

Meet the Author

Zachary S. Auslander, Product Counsel

Bowhead Specialty Underwriters

Zachary S. Auslander serves as Product Counsel at Bowhead Specialty Underwriters and is located in the Chicago office. He focuses on the following lines of business: Professional Liability, Casualty, and Healthcare Liability. He may be reached at zauslander@bowheadspecialty.com.
