The slip opinion is the first version of an opinion released by the Clerk of the Court of Appeals. Once an opinion is selected for publication by the Court, it is assigned a vendor-neutral citation by the Clerk of the Court for compliance with Rule 23-112 NMRA, authenticated and formally published. The slip opinion may contain deviations from the formal authenticated opinion.
1 IN THE COURT OF APPEALS OF THE STATE OF NEW MEXICO
2 Opinion Number: __________
3 Filing Date: June 16, 2025
4 No. A-1-CA-41254
5 ALICE T. KANE, Superintendent of Insurance, 6 in her official capacity as Receiver for NEW 7 MEXICO HEALTH CONNECTIONS, INC., 8 a New Mexico not-for-profit corporation,
9 Plaintiff-Appellee,
10 v.
11 SYNDICATE 2623-623 LLOYD’S OF LONDON 12 d/b/a BEAZLEY USA SERVICES, INC,
13 Defendant-Appellant.
14 APPEAL FROM THE DISTRICT COURT OF SANTA FE COUNTY 15 Matthew J. Wilson, District Court Judge
16 Office of the Superintendent of Insurance 17 Stephen Thies 18 Lawrence M. Marcus 19 Santa Fe, NM
20 for Appellee
21 Rodey, Dickason, Sloan, Akin & Robb, P.A. 22 Edward Ricco 23 Albuquerque, NM 1 Day Pitney LLP 2 Jonathan S. Zelig 3 Candace J. Hensley 4 Boston, MA
5 for Appellant 1 OPINION
2 YOHALEM, Judge.
3 {1} This appeal asks this Court to construe the coverage provided by a cyber
4 insurance policy for a claim of damage to a third party “for a security breach.” The
5 policy defines a “security breach” as “a failure of computer security to
6 prevent . . . unauthorized access or use of [the insured’s] computer systems.” The
7 insurer, Syndicate 2623/623 Lloyd’s of London d/b/a Beazley USA Services, Inc.
8 (Beazley), appeals the district court’s order granting New Mexico Health
9 Connections, Inc.’s (NMHC)1 motion for summary judgment, concluding that the
10 phrase “for a security breach” is ambiguous, and construing the phrase to provide
11 coverage under the policy for injury to a third-party “because of” or “resulting from”
12 a security breach. We agree with the district court that the phrase “for a security
13 breach” is ambiguous, and construe this ambiguity under well-established principles
14 of insurance law in favor of the insured. We also agree with the district court that
15 the exclusions to coverage relied on by Beazley do not clearly apply to the loss at
16 issue in this case. Therefore, we affirm the district court.
1 NMHC’s claim is brought by the Superintendent of Insurance, Alice Kane, as a receiver for NMHC, pursuant to NMSA 1978, Sections 59A-41-18 (1984) and -40(A)(1) (1984). That statute authorizes the Superintendent of Insurance to attempt to recover money due to a health-care provider from an insolvent insurer. NMHC is an insolvent insurer that owes money to OptumRX, a health-care provider. Although Kane is the named appellant, we refer to NMHC, the insured in this case, to avoid confusion. 1 BACKGROUND
2 The Policy
3 {2} NMHC, a health-care insurer, purchased a comprehensive cyber breach
4 response policy (the Policy) from Beazley to protect it from breaches of computer
5 security. The Policy covered claims first made during the period from May 1, 2020,
6 to May 1, 2021. Coverage was provided for damages to NMHC from cyber
7 extortion, for the costs of recovering lost data, for the cost of crisis management, for
8 losses due to business interruption, and lesser coverage was provided for losses due
9 to fraudulent instructions, funds transfer fraud, and telephone fraud.2 The Policy also
10 covered damages and claims expenses incurred by NMHC in connection with third-
11 party liability claims. The Policy has a $7 million aggregate limit of liability.
12 {3} The third-party liability coverage at issue appears in a section of the Policy
13 entitled “Data and Network Liability.” That section of the Policy specifies that
14 coverage is provided for damages (defined as “a monetary judgment, award or
15 settlement”); and claims expenses (defined as legal defense costs) that NMHC “is
16 legally obligated to pay because of a claim against [it] during the policy period
2 The parties agree that the Policy’s fraudulent instruction coverage, limited to $250,000, applied here. Beazley does not argue that this coverage was exclusive. The issues of contract interpretation before this Court concern only the third-party liability coverage under the Policy’s data and network agreement. 1 for . . . a [s]ecurity [b]reach.”3 The Policy defines a “security breach,” as “a failure
2 of computer security to prevent . . . unauthorized access or use of computer systems,
3 including unauthorized access or use resulting from the theft of a password from a
4 computer system or from any insured.”
5 {4} Also relevant to this appeal is the loss of money exclusion. Beazley relies on
6 the two following exclusions to argue that even if there is coverage, it does not apply
7 to the loss of funds at issue here.
8 The coverage under this Policy will not apply to any loss arising out of:
9 ....
10 2. any loss, transfer or theft of monies, securities or tangible 11 property of the insured or others in the care, custody or control 12 of the insured organization;
13 3. the monetary value of any transactions or electronic fund 14 transfers by or on behalf of the insured which is lost, diminished, 15 or damaged during transfer from, into or between accounts.
16 NMHC’s Claim for Coverage
17 {5} The facts giving rise to NMHC’s claim for third-party coverage are
18 undisputed. In April 2020, a third-party posing as a senior accountant manager of
19 one of NMHC’s vendors, OptumRX, emailed a fraudulent invoice to NMHC on the
3 The Policy capitalizes many terms to indicate that they are defined in the definition section of the Policy. Because signaling these definitions is not relevant to this opinion, we use the lower case where it normally would be used when quoting from the Policy to make reading easier. 1 form used by OptumRX for its invoices, requesting payment at a fraudulent bank
2 account. In response, NMHC wired $4,415,833.11 to the fraudulent bank account
3 from its Wells Fargo account over the course of five different transfers between April
4 30, 2020, and May 27, 2020.
5 {6} The parties agree that the fraud was perpetrated by a third-party who gained
6 unauthorized access to NMHC’s computer system and email. A copy of a legitimate
7 OptumRX invoice had been obtained from the computer system, and fraudulent
8 account numbers were substituted for OptumRX’s account. Beazley does not dispute
9 that this was “a security breach” as defined by the Policy.
10 {7} Because of this security breach and the fraudulent use of the information
11 obtained, the amounts due to OptumRX under NMHC’s contract with OptumRX
12 were not paid. OptumRX sent a letter to NMHC demanding payment of the
13 outstanding invoice amounts owed by NMHC to OptumRX under the parties’
14 contractual agreement.
15 {8} NMHC reported the claim to Beazley on July 1, 2020, through its legal
16 counsel. The July 1, 2020, email from counsel stated that NMHC “hereby requests
17 that Beazley investigate, defend, and indemnify NMHC for the [third-party] claims
18 asserted by OptumRX.” Beazley denied third-party liability coverage, claiming that
19 the OptumRX claim for the unpaid invoice amounts did not trigger third-party 1 liability coverage under the Policy, and even if it did, the loss of money exclusions
2 quoted above barred coverage for the OptumRX third-party claim.
3 Procedure in the District Court
4 {9} NMHC filed this suit in district court against Beazley for breach of the
5 Policy’s third-party liability provision. Beazley counterclaimed, arguing the two
6 exclusions identified above applied. The parties filed cross-motions for summary
7 judgment. Beazley argued that the Policy did not provide liability coverage to
8 NMHC under the provision governing third-party claims because OptumRX’s claim
9 is not a claim for damages “for a security breach,” covered by the Policy, but is
10 instead a garden-variety claim for breach of contract based on NMHC’s failure to
11 pay OptumRX’s invoices. Beazley claimed that the Policy’s third-party coverage
12 applies only to claims directly “for” the security breach itself. Beazley’s example of
13 a covered claim is a suit for damages for an insured’s loss or public exposure of
14 third-party private data. Claims for a breach of contract, like OptumRX’s claim for
15 damages, even where the breach of contract was “caused by” a security breach, are
16 not, according to Beazley, claims “for” a security breach.
17 {10} Beazley further argued that even if the district court found that coverage
18 extended to OptumRX’s breach of contract claim, the two specific exclusions in the
19 Policy applying to claims for the loss of money quoted above each bar any recovery
20 by NMHC. The parties’ dispute about the first exclusion from coverage focused on 1 whether money in NMHC’s Wells Fargo bank account was “in the care, custody or
2 control” of NMHC when it was transferred to the fraudulent account. The
3 controversy over the second exclusion concerned whether the funds transferred to
4 the fraudulent account were “lost, diminished, or damaged during transfer from, into
5 or between accounts.” 4
6 The District Court’s Ruling
7 {11} At the hearing on the parties’ cross-motions for summary judgment, the
8 district court made an oral ruling that “[a]s a result of a security breach and
9 fraudulent instructions, funds were withdrawn from NMHC’s accounts that were in
10 the care, custody, and control of Wells Fargo Bank.” The district court concluded
11 that the OptumRX claim was “for . . . a security breach” covered by the Policy
12 because the claim “arose from a security breach and flowed from a security breach.”
13 As to the application of the loss of money exclusions, the district court ruled that
14 “[t]he exclusion language does not apply to the facts underlying the OptumRX
4 We note that in addition to the arguments it successfully made in the district court on the meaning of the third-party coverage provision and the exclusions to the policy, NMHC has argued for the first time on appeal that Beazley’s initial letter disclaiming coverage failed to adequately alert NMHC to Beazley’s reasons for denying coverage, a violation of New York law—the law the parties contracted to apply to the Policy. We do not reach this argument, both because it would be unfair to Defendant who was not able to defend against this argument in the district court and because we affirm on the grounds raised in the district court. See Eldin v. Farmers All. Mut. Ins. Co., 1994-NMCA-172, ¶ 21, 119 N.M. 370, 890 P.2d 823 (declining to apply the right for any reason doctrine on grounds that it would be unfair to the appellant). 1 claim” because “[t]he funds that were stolen were not in the care, custody, and
2 control of the insured”; the stolen funds “were in the care, custody, and control of
3 Wells Fargo Bank.” Although rejecting Beazley’s argument that the exclusion for
4 funds “lost, diminished, or damaged during transfer” barred coverage, the district
5 court did not state its reasoning. Concluding that the Policy’s third-party liability
6 provision covered OptumRX’s claim against NMHC, and that no exclusion applied,
7 the district court granted summary judgment in favor of NMHC, awarding it
8 $3,533,804.95, the invoiced amount remaining unpaid to OptumRX after law
9 enforcement recovered a portion of the funds diverted by the security breach.
10 Beazley appeals.
11 DISCUSSION
12 {12} On appeal, Beazley again argues, as it did in the district court: (1) that the
13 Policy’s third-party liability coverage does not apply because OptumRX’s breach of
14 contract claim was not “a claim for . . . a security breach”; and (2) that two of the
15 listed loss of money exclusions bar coverage because the lost funds were (a) in the
16 “care, custody or control” of NMHC, and (b) were lost during transfer from, into or
17 between accounts. We address each of Beazley’s arguments in turn, after addressing
18 the standard of review and general principles of law governing the construction of
19 insurance contracts. 1 I. Standard of Review
2 {13} We review a district court’s order granting or denying summary judgment de
3 novo. See United Nuclear Corp. v. Allstate Ins. Co., 2012-NMSC-032, ¶ 9, 285 P.3d
4 644. Where, as here, an appellant does not assert the existence of a genuine issue of
5 material fact precluding summary judgment, but rather agrees that the facts are
6 undisputed, “our task is to determine whether the district court correctly applied the
7 law to the facts.” See Gonzales v. Allstate Ins. Co., 1996-NMSC-041, ¶ 7, 122 N.M.
8 137, 921 P.2d 944. “Similarly, the interpretation of terms within an insurance policy
9 is a matter of law about which the court has the final word, and is subject to de novo
10 review.” United Nuclear Corp., 2012-NMSC-032, ¶ 9 (internal quotation marks and
11 citation omitted).
12 II. Choice of Law
13 {14} The Policy includes a choice of law provision stating that New York law will
14 apply to any dispute. The parties, however, agree that this Court may apply New
15 Mexico law governing the construction of insurance contracts because our law is
16 nearly identical to New York law on this question. We agree that the principles of
17 law governing the interpretation of insurance contracts are nearly the same in both
18 states and therefore accept the parties’ invitation to apply New Mexico law. We
19 apply New York law, however, in accordance with the Policy terms, on any issue
20 other than the general law of contract construction. 1 III. Governing Principles of Insurance Policy Interpretation
2 {15} The questions before this Court on appeal are questions of contract
3 construction. Insurance policies are interpreted by our courts (and New York courts)
4 applying the principles generally applicable to the interpretation of contracts. “Our
5 analysis of the insurance policy proceeds with the primary goal of ascertaining the
6 intentions of the contracting parties with respect to the challenged terms at the time
7 they executed the contract.” Ponder v. State Farm Mut. Auto. Ins. Co., 2000-NMSC-
8 033, ¶ 11, 129 N.M. 698, 12 P.3d 960 (alteration, internal quotation marks, and
9 citation omitted). “As with other contracts, where an insurance policy’s terms have
10 a common and ordinary meaning, that meaning controls in determining the intent of
11 the parties.” United Nuclear Corp., 2012-NMSC-032, ¶ 10 (internal quotation marks
12 and citation omitted).
13 {16} A term is ambiguous when it “is reasonably and fairly susceptible of different
14 constructions.” Id. (internal quotation marks and citation omitted). So long as the
15 insured’s expectations are reasonable, we will be guided by those expectations and
16 will, as a matter of public policy, construe ambiguities in an insurance policy “in
17 favor of the insured and against the insurer.” Ponder, 2000-NMSC-033, ¶ 26. Public
18 policy recognizes that insurance companies control the language of the policy, and
19 “[an insurance company] does so with far more knowledge than the typical insured 1 of the consequences of particular words.” Sanchez v. Herrera, 1989-NMSC-073,
2 ¶ 21, 109 N.M. 155, 783 P.2d 465.
3 IV. Third-Party Coverage “for a Security Breach”
4 {17} We begin by applying these principles of interpretation to the parties’ dispute
5 about the construction of the coverage provisions of the Policy. Only if we determine
6 that there is coverage under the Policy do we then determine whether an exclusion
7 applies to bar coverage. See Pulte Homes of N.M., Inc. v. Ind. Lumbermens Ins. Co.,
8 2016-NMCA-028, ¶ 9, 367 P.3d 869.
9 A. The Parties’ Contentions
10 {18} As we have already noted, the parties’ coverage dispute focuses on the policy
11 terms under the heading “Data and Network Liability.” That section of the Policy
12 specifies that coverage is provided for damages (defined as a judgment or
13 settlement), and claims expenses (defined as legal defense costs),
14 which the [i]nsured is legally obligated to pay because of any claim first 15 made against an insured during the policy period for:
16 ....
17 2. a security breach.
18 {19} There is no dispute on appeal about the meaning of the term “security breach.”
19 The parties agree that the unauthorized invasion of NMHC’s email and the theft from
20 that account of an OptumRX invoice that was then modified to redirect payments to
21 OptumRX to a fraudulent account was a “security breach,” as that term is defined 1 by the contract. The dispute about coverage here, therefore, focuses on the meaning
2 of the preposition “for” in the phrase “for a security breach.” Beazley argues that
3 OptumRX does not assert “a claim against NMHC “for a security breach,” because
4 OptumRX “does [not] allege that, as a result of such a breach, information pertaining
5 to OptumRX was stolen or compromised.” Beazley argues that the preposition “for”
6 plainly and solely means “equivalent to” and concludes that coverage is provided
7 only for a loss directly connected to the security breach. Beazley’s construction
8 would narrow the Policy’s coverage for third-party claims to recover damages to the
9 loss or disclosure of private, third-party data from the insured’s computer system.
10 {20} NMHC, in contrast, construes the phrase “a claim for a security breach” to
11 include a third-party claim for damages where a security breach was causally
12 connected to the loss. According to NMHC, the preposition “for” in the Policy’s
13 coverage provision requires only a causal connection between the loss or damages
14 claimed and the security breach. NMHC would define “for” as meaning “because
15 of,” “arising out of,” or “as a result of.”
16 B. The Sources Relied on by This Court to Construe Words in an Insurance 17 Policy
18 {21} Although New Mexico law allows this Court to consider extrinsic evidence to
19 make a preliminary finding on the question of ambiguity, extrinsic evidence often
20 involves testimony as to the parties’ circumstances at the time the policy was 1 purchased, their business interests, and other external evidence of intent. See Ponder,
2 2000-NMSC-033, ¶ 13. No such evidence was presented by either party in this case.
3 We turn, therefore, to other forms of extrinsic evidence as tools of contract
4 construction. We generally look first to other relevant terms of the policy to see
5 whether construing the policy as a whole explains the meaning and intent of the word
6 or phrase at issue. See United Nuclear Corp., 2012-NMSC-032, ¶¶ 16-18. We then
7 look to the dictionary definitions of the disputed word or phrase, to any opinions by
8 our courts or the courts of other jurisdictions on the meaning of similar language,
9 and finally to any industry practice or drafting history. See id. ¶¶ 16-37. No one of
10 these factors is dispositive on the question of ambiguity but, taken together, they
11 help resolve the question. See id. ¶ 38 (relying on these factors together).
12 1. Other Provisions in the Policy
13 {22} We note first that the Policy does not define the word “for” or provide any
14 explanation elsewhere in the Policy of the extent of coverage intended for claims
15 “for a security breach.” There is, for example, no provision limiting third-party
16 liability for a security breach specifically to the loss of data. Indeed, the Policy lists
17 “a data breach” separately from “a security breach” as a type of claim covered by
18 the Policy. Generally, we would not expect two types of coverage to be coextensive.
19 Although not dispositive, the third-party claim provision, read as a whole, suggests 1 that a claim for damages for a breach of security may extend beyond damages arising
2 from a data breach—the only damages Beazley’s definition would cover.
3 {23} Beazley points to other provisions in the Policy that use the phrases “arising
4 out of” or “resulting from,” and argues that the use of the word “for,” rather than
5 these other terms, makes clear that the word “for” means something different and
6 narrower than “arising out of” or “resulting from.” We do not agree. Despite a
7 lengthy list of definitions in the Policy, including many common words, there is no
8 definition of “arising out of,” “resulting from,” or “for” to distinguish these terms,
9 or to indicate that they mean something special. These terms are commonly used
10 interchangeably in everyday language, and without a definition in the Policy, an
11 insured would likely read them as interchangeable. Moreover, we do not see how
12 the use of the phrase “resulting from” or “arising out of” in a handful of other
13 provisions throughout the Policy clarifies the meaning of the word “for” in the
14 provision at issue. We note that the Policy also uses in the “Data Recovery Costs”
15 provision a phrase clearly restricting coverage to costs incurred “as a direct result
16 of a security breach.” Although Beazley seeks to define “for a security breach” as
17 meaning “as a direct result of a security breach,” it does not use that far clearer phrase
18 in the provision at issue. 1 {24} Concluding that the other terms used in the Policy do not definitively resolve
2 the question of ambiguity, we continue our review by next examining the dictionary
3 definitions of the preposition “for.”
4 2. Dictionary Definitions
5 {25} “When a term is undefined in the policy, a reviewing court may look to that
6 term’s usual, ordinary, and popular meaning, such as found in a dictionary.” Id. ¶ 19
7 (internal quotation marks and citation omitted). “Although the mere existence of
8 multiple dictionary definitions of a word, without more, does not create an
9 ambiguity, dictionary definitions can serve as an appropriate starting point for
10 analysis.” Id. ¶ 20 (text only) (citations omitted).
11 {26} Beazley directs this Court to one specific definition of the word “for” from
12 Webster’s Third New International Dictionary (Unabridged ed. 2002) (Webster’s
13 Third), defining “for” as “in exchange as the equivalent of” (as in “all that trouble
14 for nothing,” or “my kingdom for a horse”). We note that Webster’s Third also
15 defines “for,” in relevant part, as “because of,” “on account of,” “as regards,” and
16 “for this reason or on this ground,” definitions that suggest a causal connection rather
17 than equivalence between the two nouns it connects—in this case damages and
18 claims expenses “because of,” “on account of,” or “resulting from” a security
19 breach.” 1 {27} Like the word “sudden,” construed by our Supreme Court in United Nuclear
2 Corp., the word “for” has multiple commonplace definitions. Both Beazley’s
3 preferred meaning of “equivalent to” and NMHC’s preferred meaning of “because
4 of” or “resulting from” are included in the common usage of the word “for.” As our
5 Supreme Court found in United Nuclear Corp., competing definitions—reflecting
6 both parties’ views—tend to demonstrate the ambiguity of a term. 2012-NMSC-032,
7 ¶ 22.
8 3. Divergence of Opinion Among Courts
9 {28} The parties turn to the opinions of courts in other jurisdictions that have
10 construed the word “for.” We emphasize at the outset that neither party has pointed
11 to an opinion construing that word in the context of a cyber insurance policy. Indeed,
12 our research shows that there are few published decisions interpreting such policies
13 anywhere in the country.
14 {29} We do not find either party’s analogies to decisions differentiating claims “for
15 bodily injury” from claims “because of” or “resulting from” bodily injury helpful.
16 First, these decisions are divided, similar to the division in dictionary definitions. 5
Compare Am. Ins. Co. v. Naylor, 87 P.2d 260, 265 (Colo. 1939) (applying 5
the broad definition of “for” to mean “because of,” “on account of,” and “in consequence of”), with Farmers Tex. Cnty. Mut. Ins. Co. v. Zuniga, 548 S.W.3d 646, 652-54 (Tex. Ct. App. 2017) (concluding that the insurance policy agreement to “pay all damages for bodily injury” is unambiguous because “[t]he plain meaning of the word ‘for’ is ‘in exchange as the equivalent of’” (quoting Webster’s Third 886); see also Lumbermens Mut. Cas. Co. v. Yeroyan, 5 A.2d 726, 727 (N.H. 1939) (finding 1 Most importantly, however, this is an area of insurance policy construction
2 developed over decades by insurers and courts addressing phrases widely used in
3 common insurance policies. The parties each cite to several cases supporting their
4 viewpoint. Despite the common use in insurance policies of this phrase, these courts
5 still differ on the meaning of the phrase “for bodily injury.” The Georgia Supreme
6 Court, in Greenwood Cemetery, Inc. v. Travelers Indemnity Co., 232 S.E.2d 910,
7 913 (Ga. 1977), in construing the word “for” in the phrase “for mental anguish,”
8 highlighted the multiple reasonable meanings of the word “for”:
9 [t]he word ‘for’ has numerous meanings. The insurer would read the 10 word ‘for’ as meaning ‘equivalent to’ (and therefore not greater than) 11 or ‘to the amount, value or extent of.’ The insured would read the word 12 ‘for’ as meaning ‘by reason of’ or ‘because of, on account of.
13 {30} We, therefore, conclude that there is a lack of an interpretive consensus among
14 courts, and take this as an “indicator of ambiguity.” See United Nuclear Corp., 2012-
15 NMSC-032, ¶ 29 (noting that a lack of consensus both among courts and outside the
16 courts may itself indicate ambiguity).
17 4. Industry Practice and Drafting History
18 {31} As we have already noted, neither party provided any details in the summary
19 judgment record surrounding the formation of the insurance contract here. We note,
20 however, that cybersecurity insurance is a relatively new area of insurance coverage.
“for” is “synonymous with the phrase ‘on account of’” (quoting Cormier v. Hudson, 187 N.E. 625, 626 (Mass. 1933)). 1 As technological advances have occurred and the use of internet and computer data
2 systems have become commonplace in business, and more and more businesses run
3 on cyber platforms, there has been an “exponential increase in the number of cyber
4 security breaches in recent years.” See Deborah L. Johnson, Demystifying the
5 Elusive Quest for Cyber Insurance Protection: The Need for New Contract
6 Language, 44 Cardozo L. Rev. 2361, 2367 (2023).
7 {32} Purchasers of a cyber insurance policy often have little knowledge about the
8 breadth and sophistication of the cybersecurity risks they face. Id. at 2408. The
9 insurers are far more knowledgeable. This imbalance is exacerbated by the lack of
10 standard policy language among insurers to define or limit coverage. Id. at 2373. A
11 business purchasing cybersecurity coverage is unlikely to imagine all of the
12 consequences of the increasingly sophisticated methods of breaching computer
13 security and may view the insurance policy as protecting against all but the most
14 clearly stated exceptions to coverage. See Sanchez, 1989-NMSC-073, ¶ 21 (noting
15 that “[t]he typical insured does not bargain for individual terms within policy
16 clauses,” making “only broad choices regarding [the] general concepts of coverage,
17 risk, and cost”).
18 {33} Again, although this context and history of cyber risks and cyber insurance is
19 not alone dispositive on the question of ambiguity, it is another indication that the 1 phrase “for a security breach” would not have a single, obvious meaning to an
2 insured.
3 C. The Phrase “for a Security Breach” Is Ambiguous
4 {34} Because every one of the aids this Court looks to for assistance in determining
5 whether a phrase or a word in an insurance policy is ambiguous supports multiple
6 reasonable meanings of the phrase at issue here and of the word “for,” we hold that
7 the phrase is ambiguous. We interpret an ambiguous phrase in an insurance policy
8 as purely a question of law, and we construe ambiguity in a policy in the insured’s
9 favor. United Nuclear Corp., 2012-NMSC-032, ¶ 39. We, therefore, agree with the
10 district court that the Policy’s coverage includes claims of loss “because of,”
11 resulting from,” or “on account of” a security breach.
12 IV. The Exclusions Do Not Apply
13 {35} We now turn to the two loss of money exclusions that Beazley argues bars
14 coverage. Exclusionary clauses are construed under the same rules of construction
15 that apply to coverage provisions. “It is the obligation of the insurer to draft an
16 exclusion that clearly and unambiguously excludes coverage.” Computer Corner,
17 Inc. v. Fireman’s Fund Ins. Co., 2002-NMCA-054, ¶ 7, 132 N.M. 264, 46 P.3d 1264.
18 Generally, if ambiguous, we construe exclusionary clauses in insurance contracts
19 narrowly against the insurer. See Knowles v. United Servs. Auto. Ass’n, 1992-
20 NMSC-030, ¶ 9, 113 N.M. 703, 832 P.2d 394. 1 A. The Money Was Not “Lost, Diminished, or Damaged During Transfer”
2 {36} Section three of the loss of money exclusion states that coverage under the
3 Policy will not apply to any loss of monetary value “during transfer from, into or
4 between accounts.” Beazley summarily states that this exclusion applies to deny
5 coverage for OptumRX’s third-party claim, without explaining the basis for its belief
6 that this language clearly covers the loss of the NMHC payments transferred to a
7 fraudulent address, apparently without a loss in value of the funds during the
8 transfer. There are no facts in the summary judgment record showing that the transfer
9 was flawed or the security of the transfer breached “during transfer.”
10 {37} We employ a presumption of correctness in the rulings of the district court,
11 and the burden is on the appellant to clearly demonstrate error. See Farmers, Inc. v.
12 Dal Mach. & Fabricating, Inc., 1990-NMSC-100, ¶ 8, 111 N.M. 6, 800 P.2d 1063.
13 In the absence of a developed argument by Beazley, we decline to address this issue
14 further. See State v. Dickert, 2012-NMCA-004, ¶ 46, 268 P.3d 515.
15 B. The Funds Were Not in the “Care, Custody or Control” of NMHC
16 {38} Beazley next argues that the funds transferred pursuant to the fraudulent
17 instructions were in the “care, custody or control” of NMHC and that, therefore, the
18 Policy’s loss of money exclusion applies. This section excludes coverage under the
19 Policy for any loss, transfer or theft of money “in the care, custody or control of the
20 insured organization.” The district court concluded that the stolen money was not in 1 the “care, custody or control” of NMHC; it was in the “care, custody, and control of
2 Wells Fargo Bank.” Therefore, this exclusion from coverage did not apply.
3 {39} Beazley argues that the phrase “care, custody or control” should be read
4 disjunctively, requiring this Court to find only that NMHC had “control” of the funds
5 in its Wells Fargo account for the exclusion to apply. The dispute between the parties
6 as to the meaning of this exclusion turns on whether the words “care, custody or
7 control,” are to be understood in the disjunctive, as independent words separately
8 defined in the law, or whether the phrase “care, custody or control,” is a phrase with
9 its own meaning in the law.
10 {40} We first note that neither the individual words nor the phrase “care, custody
11 or control” are defined in the Policy. Given the absence of a definition in the Policy,
12 we turn to New York law to resolve this issue. Although the parties have agreed that
13 New Mexico law is the same as New York law as to the principles governing the
14 construction of an insurance policy, on the question of the meaning of a phrase used
15 in the Policy, the Policy directs that we apply New York law. We honor the plain
16 language of the parties’ choice of law contract term.
17 {41} New York courts have repeatedly construed “care, custody or control,” as a
18 phrase with a particular meaning in the law. 6 Moreover, commentators have agreed
See, e.g., Greater N.Y. Mut. Ins. Co. v. Pro. Sec. Bureau, Ltd., 402 N.Y.S.2d 6
448 (N.Y. App. Div. 1978); Broome Cnty. v. Travelers Indem. Co., 451 N.Y.S.2d 272 (N.Y. App. Div. 1982). 1 that “care, custody or control” is an established legal phrase or term of art widely
2 used in the insurance context to denote exclusive physical dominion over property.
3 See generally 9 Couch on Insurance § 126:22, Westlaw (database updated June
4 2025).
5 {42} The question under New York law, then, is whether the depositor, NMHC, or
6 the bank, Wells Fargo, had exclusive dominion over the property—the money in
7 NMHC’s account—at the time the payment at issue was made. Our research shows
8 that “[i]t is well-settled under New York law that the relationship between a bank
9 and its depositor is the contractual relationship of debtor and creditor and the amount
10 on deposit represents an indebtedness by the bank to the depositor.” Reichling v.
11 Cont’l Bank, 813 F. Supp. 197, 198 (E.D.N.Y. 1993); see 9 NY Jur. 2d, Banks,
12 § 226, Westlaw (database updated May 2025). Under New York law, “the money
13 deposited with the bank belongs to the bank and is not the property of the depositor.”
14 Reichling, 813 F. Supp. at 198 (emphasis added) (alteration, internal quotation
15 marks, and citation omitted). New York law, therefore, arguably places the “care,
16 custody or control” of a depositor’s funds with the bank holding the account. NMHC
17 deposited the funds with Wells Fargo; Wells Fargo, under contract, had the funds in
18 its “care, custody and control” at the time the money was transferred. The body of
19 New York law we reference is sufficient to allow a reasonable insured to conclude
20 that this exclusion did not apply to funds placed in the protection of a bank account, 1 and only applied to property, securities and funds directly held in the “care, custody
2 and control” of NMHC.
3 CONCLUSION
4 {43} Because a reasonable insured would construe the ambiguous coverage term at
5 issue to afford coverage and would not read the exclusions to apply here, we affirm.
6 {44} IT IS SO ORDERED.
7 _________________________ 8 JANE B. YOHALEM, Judge
9 WE CONCUR:
10 ___________________________ 11 J. MILES HANISEE, Judge
12 ___________________________ 13 MEGAN P. DUFFY, Judge