For the Record: Cyber Coverage “For” a Security Breach is Ambiguous under New Mexico Law

July 7, 2025

The New Mexico Court of Appeals has held that cyber policy language affording coverage “for” a security breach was ambiguous and must be construed broadly to provide coverage for a breach of contract claim “because of,” “resulting from,” or “on account of” a security breach. Kane ex rel. N.M. Health Connections, Inc. v. Syndicate 2623-623 Lloyd’s of London, 2025 WL 1733046 (N.M. Ct. App. June 16, 2025).

A fraudster gained access to a health insurance company’s computer system and requested payment of legitimate vendor invoices to a fraudulent bank account. The health insurance company wired over $4.4 million to the fraudster. The vendor never received payment for its invoices and alleged breach of contract. The company sought coverage for the vendor’s claim under its cyber insurance policy. The cyber insurer denied coverage on the ground that the vendor’s claim was not “for” a security breach; rather, it was a “garden-variety claim for breach of contract.” The district court disagreed, holding that the phrase “for” a security breach was ambiguous and must be construed to provide coverage for claims “because of” or “resulting from” a security breach, like the vendor’s claim. The district court also rejected the insurer’s alternative argument that two exclusions barred coverage because the stolen funds were either in the “care, custody or control” of the insured or were “lost, diminished, or damaged during transfer.”

On appeal, the New Mexico Court of Appeals affirmed, concluding that under New Mexico law “for” a security breach was ambiguous because (1) “for” was not defined in the policy; (2) an insured could read “for,” “resulting from,” and “arising from” interchangeably; (3) coverage was not limited to damages “as a direct result of” a security breach; (4) there are competing dictionary definitions of “for” that reflect both parties’ views; (5) there is a lack of interpretive consensus among courts construing “for” in the context of insuring clauses; and (6) “[a] business purchasing cybersecurity coverage . . . may view the insurance policy as protecting against all but the most clearly stated exceptions to coverage.” The court thus construed “for” a security breach broadly in favor of the insured to afford coverage for claims “because of,” resulting from,” or “on account of” a security breach, such as the vendor’s claim. The court also affirmed the district court’s holding that the two loss of money exclusions did not bar coverage, concluding that the funds at issue did not lose value during their transfer and that under New York law, which governed pursuant to the policy’s choice-of-law provision, the funds deposited with the insured’s bank were within the bank’s “care, custody or control” at the time of transfer rather than the insured’s.

Practice Areas

Wiley Executive Summary

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek