Hartford dropped from phishing attack coverage fight

A federal judge in Illinois ruled Monday that while The Hartford Insurance Group Inc. is not obligated to cover the nearly $4 million a Chicago-based not-for-profit organization lost in a phishing attack, the loss could fall under the computer fraud coverage in a cyber policy issued by one of its specialty units.

U.S. District Judge Andrea R. Wood of the Northern District of Illinois said in Office of the Special Deputy Receiver v. Hartford Fire Insurance Co. et al., an email fraud exclusion in Hartford’s financial institutions bond for insurance companies was unambiguous.

The judge said The Hartford correctly denied coverage because the loss resulted from human decision-making rather than data entry, the theft of confidential information and written instruments bearing a forged signature.

The Hartford and HSB Specialty Insurance Co. issued policies to the Office of the Special Deputy Receiver, which handles the estates of insolvent or troubled Illinois insurers. In June 2021, a hacker perpetrated a phishing attack on OSD’s then-chief financial officer, resulting in eight wire transfers totaling nearly $7 million. OSD notified its bank, which was able to halt some of the transfers and recover nearly $3 million. Approximately $4 million was lost from the hack, court records show.

The Hartford denied coverage for the event. HSB provided some coverage under the social engineering provision of its cyber insurance policy. OSD sued the insurers for breach of contract and asked for an order requiring them to cover the event. The insurers moved for dismissal.

Judge Wood refused to dismiss HSB, saying the allegations in the lawsuit sufficiently state that the hack could fall under the policy’s computer fraud coverage.

Representatives for the parties did not respond to requests for comment.