A New York federal court denied AIG Specialty Insurance Company’s (“AIG”) motion to dismiss breach of contract and bad faith claims in a lawsuit filed by SS&C Technology Holdings, Inc. (“SS&C”). SS&C alleges that AIG breached its contract by failing to cover losses stemming from a cyber incident in which hackers duped the company out of millions of dollars.

SS&C, a multibillion-dollar financial technology company, sought coverage for a cyber incident that occurred in 2016, when hackers emailed SS&C employees from spoofed email addresses, purporting to come from one of SS&C’s clients. The hackers requested wire transfers from the client’s account to a bank account in Hong Kong. Over the course of three weeks, SS&C employees transferred over $5.9 million to impersonated accounts. Once SS&C discovered the scheme, it alerted Hong Kong authorities and cooperated with its client and the proper authorities to recover the stolen funds. The client eventually filed suit against SS&C.

SS&C sought coverage under its AIG cyber policy. AIG denied coverage, arguing that a policy exclusion that bars coverage for claims stemming from an insured’s criminal acts also excluded criminal acts committed by third-party fraudsters. AIG also claimed that it never sold SS&C “cyber insurance,” but rather a “specialty risk protector policy of insurance” that did not provide indemnity coverage for losses arising from dishonest, fraudulent or criminal acts, and thus the event involving Hong Kong-based hackers who engaged in criminal conduct was not covered. AIG agreed to pay defense costs to defend SS&C in cases related to the incident, but refused to indemnify the actual losses.

The court rejected AIG’s overly broad reading of the criminal act exclusion, stating that the policy “clearly indicates [the exclusion] applies only to dishonest, fraudulent, criminal, or malicious acts committed by SS&C, and not to these such acts committed by third-party fraudsters.” The court found that, at the very least, AIG’s interpretation of the exclusion would render the provision potentially ambiguous, and that ambiguity would be construed in favor of SS&C.

AIG’s attempt to deny coverage for SS&C’s email spoofing incident underscores the need for policyholders to review their insurance policies to make sure they have adequate coverage in place to protect against cyber losses. Another example is Mondelez Intl. Inc. v. Zurich Am. Ins., which we previously blogged about, where Zurich invoked a “war exclusion” in an attempt to avoid covering Mondelez International Inc.’s expenses stemming from its exposure to the NotPetya malware virus in 2017.

SS&C, and cases like it, highlight not only the need for policyholders to insist on narrowly tailored exclusionary language in their policies, but also the importance of not accepting an insurer’s interpretation of exclusionary language. Hunton Andrews Kurth’s Insurance Recovery Group will continue to monitor and report on SS&C, Mondelez, and similar cases involving insurers attempting to avoid paying cyber-related losses.