A federal appeals court has upheld a $4 million coverage denial by Hartford Fire Insurance Company, ruling a single exclusion clause barred the claim.
In a decision issued June 18, 2026, the US Court of Appeals for the Seventh Circuit affirmed a district court's dismissal of a lawsuit brought by the Office of the Special Deputy Receiver (OSD), an Illinois non-profit that administers the estates of insolvent or financially troubled insurance companies. The case reached the Seventh Circuit on appeal from a motion to dismiss, meaning the court was required to accept OSD's well-pleaded allegations as true for the purpose of the ruling, rather than resolve disputed facts at trial.
OSD held a Financial Institution Bond for Insurance Companies from Hartford. Two riders were at issue: one covering computer systems fraud, the other covering fraud initiated through email. According to the complaint, outside hackers ran what the court described as "a spear phishing scheme" to gain access to the email account of OSD's chief financial officer. Posing as the CFO, the hackers emailed other OSD employees with instructions to wire funds into what appeared to be new investments, and altered settings within the account so they could respond to follow-up questions without raising suspicion. Staff wired the money as instructed. OSD's complaint alleges that, over several weeks, it suffered a gross loss of nearly $7 million, of which about $3 million was later recovered, for a net loss of nearly $4 million.
OSD filed a claim with Hartford, which denied it. Hartford pointed to wording in the email-fraud rider excluding coverage for losses tied to a "fraudulent instruction sent to [OSD] through electronic mail." It was undisputed that the claim did not qualify for that rider's own affirmative coverage in the first place. OSD then sued Hartford, seeking a declaratory judgment that the loss was covered and alleging breach of contract. The district court agreed with Hartford's reading of the policy and dismissed OSD's claims under Federal Rule of Civil Procedure 12(b)(6). OSD appealed that dismissal.
The Seventh Circuit's holding turned on a narrow question of contract wording: does an email sent by a hacker impersonating one OSD employee, to another OSD employee, count as an instruction "sent to" OSD? OSD argued the messages moved within the company rather than into it from outside, and that the exclusion should apply only to fraud originating from beyond the organization.
The panel disagreed. Writing for the court, Circuit Judge Kirsch found the exclusion's language turned on who received the email, not who sent it. "The exclusion in Rider 17 doesn't include all emails - it's limited to the subset of messages sent to one particular recipient, OSD," the court wrote. Because the fraudulent emails reached OSD employees, the exclusion applied regardless of where the scheme originated.
The court also rejected OSD's argument that this reading nullified its separate computer systems fraud coverage. The panel found that coverage still applied to computer fraud losses that did not involve a fraudulent email sent to OSD, so the exclusion did not swallow the other rider's coverage entirely. "[T]here's nothing strange or ambiguous about an exclusion knocking out parts of coverage in a policy - that's what exclusions do," the panel wrote.
The Seventh Circuit affirmed the dismissal of OSD's claims against Hartford. The opinion does not indicate whether OSD has sought further review.
For insurers and claims teams handling financial institution bonds and cyber-adjacent crime coverage, the ruling is a reminder that exclusion language keyed to who receives a fraudulent email - rather than who sends it - can capture losses from internal, employee-to-employee messages, even where a hacker outside the organization triggered the scheme. It also illustrates how courts read multiple riders together, rather than in isolation, when deciding whether an exclusion added by one rider narrows coverage granted by another.