Hunton Insurance Recovery Blog

A New Mexico Court of Appeals decision illustrates that when a policy term is undefined and ambiguous, the term must be interpreted liberally and in favor of coverage. In Kane v. Syndicate 2623-623 Lloyd’s of London, 2025 WL 1733046 (N.M. Ct. App. June 16, 2025), the court affirmed summary judgment for a policyholder and held that a cyber liability policy afforded coverage for the policyholder’s loss that resulted from a post-breach fraudulent funds transfer because the preposition “for” was broad enough to afford coverage for a third party claim resulting from a security breach.

Background

After New Mexico Health Connections’ (NMHC) email system was hacked, a bad actor emailed fraudulent invoices on the form that one of NMHC’s vendors used for its invoices. The fraudulent invoices altered the receiving bank account information and requested over $4 million before sending them to NMHC’s accounting department. NMHC wired payment to the fraudulent bank account listed on the invoices, believing that it was paying its vendor. Eventually, the vendor contacted NMHC seeking payment for the actual invoices, which caused NMHC to discover the security breach.

NMHC failed to pay the vendor who was awaiting payment for the vendor’s original invoices. The vendor then demanded payment from NMHC. NMHC then tendered the vendor’s demand to its insurer and requested defense and indemnification. The insurer denied third party coverage for the claim taking the position that the vendor’s claim for the unpaid invoice amounts did not trigger third-party liability coverage under the policy for a security breach, and even if it did, the policy’s loss of money exclusions barred coverage for the third-party claim. In response, NMHC filed a lawsuit in district court against the insurer for breach of the policy’s third-party liability provision.

While the parties did not dispute that the policy’s fraudulent instruction coverage applied, their dispute rested on whether the vendor’s third-party claim for the unpaid invoices was a claim “for” a security breach.

The district court granted summary judgment in NMHC’s favor and concluded that the policy’s third-party liability provision covered the vendor’s claim against “for” a security breach because the claim “arose from” a security breach and “flowed from a security breach.” The district court also held that the exclusions cited by the insurer were inapplicable.

Court of Appeals Decision

The insurer appealed to the New Mexico Court of Appeals asserting, as it did in the district court, that the policy’s third-party liability coverage does not apply because the vendor’s claim was not a claim “for” a security breach and that the policy’s exclusions relating to loss of money barred coverage.

The Court of Appeals examined the policy’s third-party coverage data and network liability coverage which provided coverage for, among other things, any claim first made against an insured during the policy period “for . . . a security breach.” There was no dispute about the term “security breach” or whether the fraudulent and unauthorized invasion of NMHC’s email constituted a security breach. However, the parties tussled over what the term “for” meant. The insurer claimed that the preposition “for” in the policy phrase solely meant “equivalent to” and concluded that coverage is provided only for a loss directly connected to the security breach, and not for the related fraudulent funds transfer. NMHC, on the other hand, construed “for” as meaning “because of,” “arising out of,” or “as a result of.”

The Court of Appeals first looked to the dictionary while analyzing the policy’s meaning of the word “for.” The court acknowledged that both parties’ preferred meanings of “for” were included in the common usage of the word, which demonstrated ambiguity. The Court of Appeals also discussed that lack of consensus among courts in interpreting the meaning of a policy term, such as “for,” is indicative of ambiguity. The court ultimately accepted the reasoning of the policyholder and the district court and determined that “for” could reasonably be understood to either mean “directly connected” to or “causally connected” to a security breach.

The Court of Appeals also looked to the policy’s data recovery costs coverage provision, which covered costs incurred “as a direct result of a security breach.” The court reasoned that because the liability coverage provided coverage “for a security breach” without restricting coverage to events where a breach or loss must be “direct,” that it could encompass both “direct and indirect” losses.

The Court of Appeals also rejected the insurer arguments that various policy exclusions relating to loss of money applied to preclude coverage for the third-party claim, finding that the exclusions did not clearly and unambiguously apply to the situation at hand.

For policyholders, the Kane decision reinforces that even a single-word preposition can be ambiguous when it results in at least two reasonable interpretations. Indeed, policyholders need only demonstrate that a policy word or phrase is open to two reasonable interpretations, while insurers must prove that their interpretation is the only reasonable one.