Skip to Content

Seventh Circuit Finds That Fraudulent, Hacker-Directed Employee Transfers Not Covered Under Policy Fraud Exclusions

In Office of Special Deputy Receiver v. Hartford Fire Insurance Co., the Seventh Circuit Court of Appeals affirmed dismissal of a claim for coverage under a financial institution bond, holding that a policy exclusion clearly and unambiguously barred coverage for $4 million in losses caused when hackers used an executive’s email account to direct employees to transfer funds out of the company. The court concluded that the exclusion clearly excluded losses for fraud arising from certain email instructions, that coverage restrictions in a related affirmative coverage grant did not apply to the exclusion, and that the policy did not create illusory coverage as certain policy riders offered meaningful coverage even after the applicable exclusion.

The underlying loss occurred when hackers compromised the Office of the Special Deputy Receiver’s (OSD) chief financial officer’s email account, impersonated the CFO, and directed employees to transfer more than $7 million out of the company. The OSD ultimately recovered $3 million, leaving approximately $4 million in remaining losses at issue. When the insurer denied the OSD’s claim, the OSD sued seeking a declaratory judgment that coverage applied.

The policy at issue included two relevant riders. Rider 13 covered computer systems fraud, providing coverage for losses caused directly by the fraudulent entry or alteration of data or programs within the OSD’s computer systems that resulted in a transfer of property. Rider 17 covered electronic mail-initiated transfer fraud, providing affirmative coverage only where the fraudulent instruction “purports and reasonably appears to have originated from” a customer of the OSD, an employee acting on a customer’s instructions, or another financial institution acting on a customer’s behalf. Rider 17 also contained a critical exclusion, barring coverage for “loss resulting directly or indirectly from [the OSD] having, in good faith, transferred or delivered Funds, Certificated Securities or Uncertificated Securities, in reliance upon a fraudulent instruction sent to [the OSD] through electronic mail, except when covered [by Rider 17’s affirmative coverage, as quoted above].”

The parties did not dispute that the fraudulent transfers were not within Rider 17’s affirmative coverage, but the court noted that the affirmative coverage did include a restriction that only losses associated with emails that “purport and reasonably appear to have originated from” (1) a customer, (2) an employee acting on the instructions of a customer, or (3) another financial institution acting on behalf of a customer would receive affirmative coverage. The exclusion, however, was not similarly limited to exclude coverage based on the sender of the email instruction; it more broadly excluded coverage when the email instruction recipient was an OSD employee. Given these differing scopes, the court considered whether the sender-based restriction from the affirmative grant should be read into the exclusion, which, on its face, barred coverage based solely on the recipient being the OSD.

While the court found that Rider 17’s exclusion and affirmative grant of coverage should be read together, it ultimately held that it would be improper to impute the sender-based restriction from the positive grant of coverage to the exclusion. In making this finding, the court held that the insured bargained for affirmative coverage that met specific criteria, and the parties additionally agreed that certain email fraud that failed to meet those agreed-upon criteria was not covered. The court also noted that this interpretation created a broader scope of exclusion than it did for coverage (e.g., instructions sent to the OSD were excluded regardless of the sender, while instructions had to be sent from a certain person in order to receive affirmative coverage), but found such an outcome was “neither unusual nor a reason to rewrite the contract.”

The court also rejected the OSD’s argument that applying Rider 17’s exclusion to conduct potentially covered by Rider 13 created illusory coverage. Rider 13 remained fully operative for any computer systems fraud not involving reliance on a fraudulent email instruction directed to the OSD, which was sufficient to preserve its coverage.

As a result, the court only needed to assess whether the hacker’s email, though sent from an OSD account, still constituted a “fraudulent instruction sent to [the OSD].” The court first rejected the OSD’s argument that internal emails were sent “within” rather than “to” the company, finding that the exclusion turned on recipient identity, not the sender’s origin. Then the court held that coverage was clearly and unambiguously excluded given that: (1) electronic mail must be directed to a specific recipient, regardless of who sent it; (2) in this case, the instruction was sent to employees at the OSD; and (3) the policy unambiguously excluded fraud arising from instructive emails directed to the OSD.

Authored By
Related Industries
Property & Casualty Insurance
©2026 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.