Cyber criminals do not need a gun, a mask, or a getaway car. They need a password, a believable message, and a business that trusts what appears on its own computer screen. This is what happened in Office of the Special Deputy Receiver v. Hartford Fire Insurance Company.¹ This is a cyber insurance decision that every business owner, insurance agent, broker, and risk manager should read before the next fraudulent wire transfer occurs.
The Office of the Special Deputy Receiver, known as OSD, administered receivership estates for insolvent insurance companies. Hackers gained access to the email account of OSD’s chief financial officer through a spear-phishing scheme. Once inside, they used the CFO’s own email account to communicate with other OSD employees and direct wire transfers. OSD ultimately suffered a multimillion-dollar loss.
OSD had purchased a financial institution bond from Hartford. One rider provided computer systems fraud coverage. OSD argued that the loss resulted directly from fraudulent entry into and changes within its computer system. The argument for coverage was that a cyber thief used OSD’s computer system as the instrument of the crime. This was not merely a fake invoice mailed from the outside. It was a compromise of the insured’s own digital environment.
Hartford denied coverage. It relied on a different rider addressing electronic mail-initiated transfer fraud. That rider contained an exclusion for losses resulting directly or indirectly from the insured transferring funds in reliance upon a fraudulent instruction sent to the insured through email, unless the loss satisfied the limited email-fraud coverage requirements.
The Seventh Circuit held that the email-fraud exclusion applied to the bond as a whole. It was not limited to the email-fraud rider alone. The court found that the fraudulent wire instructions were sent to OSD through email because they were sent to OSD employees, even though they came from inside a compromised OSD account.
I thought that OSD’s argument had merit. It was exactly the kind of argument policyholders should make when a cyber theft begins with a computer-system intrusion. OSD said this was a computer systems fraud loss, not a customer email-transfer fraud loss. OSD also argued that Hartford’s interpretation made the computer-fraud coverage far less valuable. If the hacker used internal chat, a document, or some other electronic method, coverage might exist. But because the final command traveled by email, Hartford argued the claim fell into an exclusion.
The court was not persuaded. It viewed the policy as an integrated contract and enforced the exclusion as written. The court said the policy did not have to cover every computer fraud scheme simply because it covered some. The result is not surprising given the wording Hartford had in the bond. Every Hartford policyholder should be calling about this very common scenario. Hartford is selling a Swiss cheese cyber policy with this endorsement and should be clear about its limitations at the point of sale.
Many businesses believe they have “cyber insurance” or “computer fraud coverage” because those words appear somewhere in a policy, bond, endorsement, or proposal. That belief may be dangerously incomplete. The real question is whether the policy covers the exact way the money is stolen. Cyber criminals exploit gaps between trust, technology, internal processes, and banking procedure. Insurance companies often exploit these gaps with the wording found in the primary insurance agreements, exclusions, sub-limits, and conditions. I have been writing about this for quite some time, as noted in “Can Businesses Trust Their Cyber and Crime Package Policies to Provide Coverage?”
Business email compromise is one of the most common and expensive forms of cyber fraud. It is also one of the most misunderstood from an insurance coverage standpoint. These losses may implicate cyber policies, crime policies, fidelity bonds, funds transfer fraud coverage, computer fraud coverage, social engineering fraud coverage, invoice manipulation coverage, and email fraud endorsements. Those coverages are not the same. They often have different limits, different deductibles, different verification requirements, and different exclusions.
Agents and brokers should take this case seriously. It is not enough to tell a client that it has cyber coverage. It is not enough to say the client has computer fraud coverage. The client needs to understand whether common fraudulent wire transfer schemes are covered when a hacker compromises an employee’s email account, impersonates an executive, changes email rules, uses internal communications, sends vendor payment instructions, or tricks accounting personnel into moving money.
A business that wires money should have a serious conversation with its insurance professional about social engineering fraud, funds transfer fraud, computer fraud, and business email compromise coverage. The conversation should include limits, sublimits, callback requirements, dual authorization procedures, exclusions for email instructions, and whether losses caused by compromised internal accounts are treated differently from emails sent by outsiders.
Insurance companies know this risk is exploding. Artificial intelligence will only make these scams more believable. A fake email is no longer full of misspellings and awkward phrasing. A fraudulent instruction can sound exactly like the CEO. A fake voicemail can sound like the CFO. A video call can look real enough to fool a tired employee at the end of a long day. The human eye and ear are no longer reliable fraud-prevention tools.
Businesses must build redundant protections. No large wire should go out based solely on an email. Every new banking instruction should be verified through a trusted, previously established communication channel. Employees should be trained to slow down when urgency, secrecy, or executive pressure is part of the request. Accounting departments should be praised for questioning suspicious instructions, not punished for delaying a transaction.
Insurance buyers must also demand clarity. Does the policy cover a fraudulent instruction sent from a compromised internal email account? Does it cover vendor impersonation? Does it cover executive impersonation? Does it cover deepfake voice instructions? Does it require callback verification? If that verification is missed, is coverage lost entirely? Is the available limit $250,000 when the real exposure is $5 million? These questions should be asked before the loss, not after the denial letter.
This case also carries a lesson for insurers and those selling insurance. The risk is real, growing, and devastating. Businesses need insurance that responds to modern fraud, not coverage that disappears because the criminal used the most common tool of modern business communication, an email. If the industry wants to sell meaningful protection against cyber fraud, the forms must be understandable, the limits must be adequate, and the exclusions must not turn promised protection into a mirage. Alternatively, a warning should be made when one of the most common methods of cybercrime is excluded.
Policyholders should not wait for a hacker to teach them how their insurance policy works. By then, the lesson may cost millions.
Thought For The Day
“Current AI systems have learned how to deceive humans.”
— Peter S. Park, Simon Goldstein, Aidan O’Gara, Michael Chen, and Dan Hendrycks, “AI Deception: A Survey of Examples, Risks, and Potential Solutions,” Patterns, 2024.
¹ Office of Special Deputy Receiver v. Hartford Fire Ins. Co., — F.4th —, 2026 WL 1758981 (7th Cir. June 18, 2026). See Special Deputy Receiver Brief, Hartford Brief, and Special Deputy Receiver Reply Brief.



