OFFICE OF the SPECIAL DEPUTY RECEIVER, Plaintiff-Appellant, v. HARTFORD FIRE INSURANCE COMPANY, Defendant-Appellee.
The Office of the Special Deputy Receiver contracted with Hartford Fire Insurance Company for fraud insurance. OSD's Chief Financial Officer fell prey to hackers—they gained access to the CFO's email account and used it to communicate with other employees, directing them to transfer funds outside the Office. The transfers were made, and OSD suffered a loss of nearly $4 million. When OSD tried to recover under the Hartford policy, the insurer refused to pay, contending that the loss fell outside the agreement's coverage. OSD then filed this lawsuit in federal court, seeking a declaratory judgment and alleging that Hartford breached the parties' contract. The district court agreed with Hartford's interpretation of the bond and dismissed OSD's claims against Hartford. Because the contract unambiguously excludes coverage, we affirm.
I
This is an appeal from a motion to dismiss, which means we accept all well-pleaded allegations of fact as true and draw all reasonable inferences in the plaintiff's favor. Alarm Detection Sys., Inc. v. Village of Schaumburg, 930 F.3d 812, 821 (7th Cir. 2019). We consider the text of the policy because the complaint referred to that document, which is central to the claims at issue. See Brownmark Films, LLC v. Comedy Partners, 682 F.3d 687, 690 (7th Cir. 2012) (discussing the incorporation-by-reference doctrine).
The Office of the Special Deputy Receiver (OSD or Office) is an Illinois nonprofit corporation that administers estates for insolvent or financially troubled insurance companies. See 215 Ill. Comp. Stat. 5/192–93, 202 (state law makes the Illinois Director of Insurance the receiver for these companies, and the Director may appoint a special deputy to assist in the administration of receiverships). OSD purchased insurance from Hartford Fire Insurance Company—a policy titled Financial Institution Bond for Insurance Companies. The Hartford bond included a main policy document and a series of riders, two of which are at issue.
Rider 13 provided coverage for computer systems fraud. In relevant part, it said that Hartford would cover:
Loss resulting directly from a fraudulent
(1) entry of Electronic Data or Computer Program into, or
(2) change of Electronic Data or Computer Program within
any Computer System operated by [OSD] ... provided that the entry or change causes
(i) Property to be transferred, paid or delivered[.]
Rider 17 provided coverage for Electronic Mail Initiated Transfer Fraud. As relevant here, Rider 17 said that Hartford would cover:
Loss resulting directly from [OSD] having, in good faith, transferred or delivered Funds, Certificated Securities or Uncertificated Securities, in reliance upon a fraudulent instruction sent to [OSD] through electronic mail, and:
(1) which fraudulent instruction purports and reasonably appears to have originated from:
(a) a Customer of [OSD], or
(b) an Employee acting on instructions of such Customer, or
(c) another financial institution acting on behalf of such Customer with authority to make such instructions;
but, in fact, was not originated by the party referenced in (a) – (c) above whose identification it bears[.]
Rider 17 also excluded coverage for certain losses, including:
loss resulting directly or indirectly from [OSD] having, in good faith, transferred or delivered Funds, Certificated Securities or Uncertificated Securities, in reliance upon a fraudulent instruction sent to [OSD] through electronic mail, except when covered [by Rider 17's affirmative coverage, as quoted above].
Both riders explained that they modified the entire bond, and Rider 17's exclusion provision said that it was an amendment to the exclusions section of the main policy document.
While the Hartford bond was in force, fraudsters outside OSD used a spear phishing scheme to gain access to the CFO's email account. See United States v. Khalupsky, 5 F.4th 279, 290 n.29 (2d Cir. 2021) (“Spear phishing occurs when a hacker sends a misleading email to an account user in order to deceive that user into providing the hacker with his login credentials, often by inducing the user to click on a link that in turn prompts them to enter the credentials.”). Impersonating the CFO and using his email account, the fraudsters sent emails to other OSD employees, instructing them to transfer assets to fund new investments. The hackers changed the rules or settings within the CFO's email account such that they were able to respond to questions about the transfers. OSD's staff wired the money as requested, and over the course of a few weeks OSD lost nearly $7 million (of which it later recovered about $3 million).
OSD filed related claims with Hartford and another insurance company. Hartford refused to pay, asserting (among other reasons) that the exclusion under Rider 17 applied. The other insurance company denied coverage in part.
OSD then sued both Hartford and the other insurance company in federal court, invoking diversity jurisdiction. As relevant here, OSD sought a declaratory judgment that its claim was covered by the bond and alleged breach of contract based on Hartford's failure to pay. The insurance companies moved to dismiss under Federal Rule of Civil Procedure 12(b)(6). The district court granted Hartford's motion and denied the other company's. OSD later agreed to dismiss its claims against the second insurance company, and the district court entered judgment. OSD appeals the dismissal of its claims against Hartford.
II
We review de novo a district court's dismissal under Rule 12(b)(6). Fosnight v. Jones, 41 F.4th 916, 921 (7th Cir. 2022). To withstand dismissal, a complaint must “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). OSD's claims arise under state law, and the parties agree that Illinois law applies. “An insurance policy is a contract, and the general rules governing the interpretation of other types of contracts also govern the interpretation of insurance policies.” Hobbs v. Hartford Ins. Co. of the Midwest, 214 Ill.2d 11, 291 Ill.Dec. 269, 823 N.E.2d 561, 564 (2005). Our task is to “ascertain and give effect to the intention of the parties, as expressed in the policy language.” Thounsavath v. State Farm Mut. Auto. Ins. Co., 423 Ill.Dec. 150, 104 N.E.3d 1239, 1244 (Ill. 2018). If the terms are unambiguous, we enforce them as written, consistent with public policy. Id. An ambiguity exists if the policy is subject to more than one reasonable interpretation. Crescent Plaza Hotel Owner, L.P. v. Zurich Am. Ins. Co., 20 F.4th 303, 308 (7th Cir. 2021).
It's undisputed that OSD's claims do not fall within Rider 17's affirmative coverage. Whether the exclusion in Rider 17 applies turns on a simple question: is an email sent from a hacker posing as one OSD employee to another OSD employee “a fraudulent instruction sent to” OSD? If yes, Rider 17's exclusion applies, and dismissal was appropriate. If no, then the exclusion doesn't apply, and OSD's suit should proceed in the district court. Illinois law requires us to read this exclusion narrowly and apply it only if the application is “clear and free from doubt.” Bradley Hotel Corp. v. Aspen Specialty Ins. Co., 19 F.4th 1002, 1006–07 (7th Cir. 2021) (citation modified).
Emails, like all messages, originate with a sender and end with a recipient. Sometimes the sender and recipient are the same person. The exclusion in Rider 17 doesn't include all emails—it's limited to the subset of messages sent to one particular recipient, OSD. In other words, losses resulting from an emailed, fraudulent instruction sent to OSD (but not other recipients) fall under the exclusion and are not covered. But while the exclusion is restricted by recipient, it says nothing about any limit based on a message's sender. For instance, the exclusion doesn't say that messages originating only from senders outside OSD trigger the exclusion. Rather, it simply says messages sent to OSD qualify. In this case, the emails in question were sent to OSD employees. They included a fraudulent instruction that led to a loss. The exclusion applies.
OSD's arguments to the contrary aren't persuasive. OSD contends that the emails at issue were sent within the Office (rather than to it). This is semantics. Just because a message's sender and recipient are the same person does not mean that the message wasn't sent to that person. Put differently, if these emails weren't sent to OSD, then who were they sent to? Styling the messages as having been sent within the Office doesn't somehow eliminate the categories of sender and recipient (categories which the contract itself uses), and the exclusion tells us to look only at recipient. In this case, that's OSD.
A better, but still unsuccessful, argument is that the exclusion implicitly incorporates a restriction on senders, such that it only applies to emails sent from outside the Office. OSD correctly observes that Rider 17's affirmative grant of coverage includes such a restriction: the Rider provides coverage for losses associated with emails that purport and reasonably appear to have originated from (1) a customer, (2) an employee acting on the instructions of a customer, or (3) another financial institution acting on behalf of a customer. OSD also notes that the contract elsewhere explained in explicit terms that coverages for fraud by fax and telephone included communications sent within the company.
We must read Rider 17's exclusion and positive statement of coverage together, considering the entire contract, because the “intent of the parties is not to be gathered from detached portions of a contract or from any clause or provision standing by itself.” Gallagher v. Lenart, 226 Ill.2d 208, 314 Ill.Dec. 133, 874 N.E.2d 43, 58 (2007). Yet context only goes so far—we also must not add words where they are not written. See Decatur Lumber & Mfg. Co. v. Crail, 350 Ill. 319, 183 N.E. 228, 229 (1932); Sheehy v. Sheehy, 299 Ill.App.3d 996, 234 Ill.Dec. 34, 702 N.E.2d 200, 204 (1998). Rider 17's positive coverage includes a restriction on senders; the exclusion does not. Nothing about the context of Rider 17 (or the rest of the contract) suggests that the parties meant to restrict the exclusion in the same way as the positive coverage. See also Thompson v. Gordon, 241 Ill.2d 428, 349 Ill.Dec. 936, 948 N.E.2d 39, 47 (2011) (noting that courts presume that contracting parties purposefully choose the words they use).
Put differently, OSD bargained for email fraud coverage that met specific criteria. The parties agreed in the exclusion that email fraud that didn't meet that criteria wasn't covered. That Rider 17's exclusion is in some ways broader than the positive coverage (applying to both direct and indirect losses and restricted only based on recipient) is neither unusual nor a reason to rewrite the contract. Similarly, while the parties elsewhere explicitly drew lines between communications from outside OSD and messages sent from one part of OSD to another, that doesn't mean they were required to use the same level of specificity or necessarily intended such a restriction in Rider 17.
OSD's last stand is that Rider 17 shouldn't apply at all or creates ambiguity in the agreement because (1) Rider 13's computer systems fraud coverage applies to the fraud as alleged, (2) the claim doesn't fall within Rider 17's affirmative coverage, and (3) applying the exclusion from Rider 17 creates a conflict with the coverage under Rider 13.
Insofar as OSD is suggesting that Rider 17 must be read in isolation from the rest of the contract, that's plainly wrong. Both Riders 13 and 17 modified and became part of the Hartford bond, with Rider 13 adding coverage that was subject to the policy's exclusions, including those added by Rider 17. It's true that a plain text application of Rider 17's exclusion creates some conflict with the coverage for computer systems fraud under Rider 13 (because fraud involving email otherwise covered by Rider 13 might also fall under the exclusion). Yet conflict between coverage and exclusion provisions creates ambiguity only when the exclusion swallows or nullifies the positive coverage, see Citizens Ins. Co. of Am. v. Wynndalco Enters., LLC, 70 F.4th 987, 995–96 (7th Cir. 2023); Nat'l Fire Ins. Co. of Hartford v. Visual Pak Co., 477 Ill.Dec. 608, 243 N.E.3d 888, 907 (Ill. App. Ct. 2023), and that's not what we have here. Subtracting claims barred by Rider 17's exclusion, Rider 13's coverage still applies to all instances of computer systems fraud that don't involve reliance on fraudulent instructions sent to OSD by email. That means the exclusion does not render Rider 13's coverage illusory. See Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., 102 F.4th 438, 441 (7th Cir. 2024) (holding that an exclusion which left “plenty of room for coverage” did not create an ambiguity); Wynndalco, 70 F.4th at 999. OSD objects that it's strange that a fraud that might otherwise be covered by Rider 13 is not covered because it was perpetuated by email. But there's nothing strange or ambiguous about an exclusion knocking out parts of coverage in a policy—that's what exclusions do. See Visual Pak Co., 477 Ill.Dec. 608, 243 N.E.3d at 907.
This contract isn't ambiguous, and our task is to apply the agreement as written. See Hobbs, 291 Ill.Dec. 269, 823 N.E.2d at 564. Fraud that falls outside Rider 17's coverage and is perpetuated by an email sent to OSD isn't covered. That's what happened here, which means OSD cannot recover under the policy.
Affirmed
Kirsch, Circuit Judge.
Docket No: No. 25-2309
Decided: June 18, 2026
Court: United States Court of Appeals, Seventh Circuit.