A Matter of Time: Negligence Claim for Cyber Fraud Falls Outside Consecutive Claims-Made Cyber Policies

April 3, 2026

The United States District Court for the Southern District of Ohio, applying Ohio law, has held that a negligence claim arising from a cyber fraud incident was not first made or reported while the first policy was in effect, and that notice was outside the second policy’s 30-day reporting window. Spinnaker Ins. Co. v. Heart of Gold Title, LLC, 2026 WL 710135 (S.D. Ohio Mar. 13, 2026). The court also held that the second policy’s prior knowledge exclusion precluded coverage because the title company was aware of the cyber incident prior to the policy’s effective date.

Between February and March 2024, two individuals wired funds pursuant to bogus wiring instructions sent by someone impersonating the insured title company.  Shortly after the fraud was discovered, the title company’s IT vendor reviewed the company’s information systems and confirmed that they had not been infiltrated.  In October 2024, the individuals filed a negligence action against the title company, alleging breach of duties by failing to maintain adequate cybersecurity protocols.  The title company provided notice of the underlying lawsuit to its cyber insurer in November 2024. 

The title company had two consecutive cyber policies, effective from August 2023 to August 2024 and from August 2024 to August 2025, respectively. Both policies were claims-made-and-reported, and the declarations pages stated that each policy “applies only to claims first made and reported to the insurer during the policy period or any applicable extended period.”  The insurer denied coverage.

In the ensuing coverage litigation, the court held that no coverage was available under either policy.  As to the 2023-2024 policy, there was no coverage because the underlying lawsuit was a “Claim” made and reported after the policy period ended.  The insuring agreement of the 2023-2024 policy provides coverage for “Loss” and “Defense Expenses” resulting from a “Claim that is Discovered during the Policy Period.”  The court found that the earliest plausible “Claim” was the underlying negligence action filed in October 2024, as the title company never received any prior written demand.  The lawsuit was thus filed in October 2024 and reported in November 2024, after the policy expired in August 2024.

As to the 2024-2025 policy, the court held that there was no coverage because the title company provided notice outside of the policy’s 30-day post-discovery reporting period.  The 2024-2025 policy’s notice condition provided that, “after a situation that results in, or may result in, a Loss covered under this Policy is Discovered,” the insured “must notify [the insurer] in writing as soon as practicable, but not to exceed thirty (30) days from the date Discovered[.]”  “Discovered” was defined as the time when specified senior personnel “first become[] aware of facts which would cause a reasonable person to believe that a Loss covered by this Policy has been or will be incurred,” even if “the exact amount or details of Loss may not then be known.”  Given that the incident occurred between February and March 2024 and that the title company immediately undertook an IT review to assess infiltration, the court determined that “Discovery” took place at least seven months before the title company gave notice in November 2024.  

The court also held that a prior knowledge exclusion barred coverage for any cyber incident or Wrongful Act of which the title company was aware prior to the policy’s effective date in August 2024.  Because the pleadings showed the title company’s awareness in early 2024, the exclusion applied on the same facts that established the late notice defense.  

Finally, the court dismissed the title company’s bad faith claim, concluding that the insurer had a reasonable basis to deny coverage based on the 2024-2025 policy’s notice condition and prior knowledge exclusion.

Practice Areas

Wiley Executive Summary

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek