A single compromised executive inbox can trigger millions of dollars in wire transfers — and, as a new Seventh Circuit decision shows, insurance may not pay even when the organization believed it bought computer-fraud and email-transfer coverage.
In Office of the Special Deputy Receiver v. Hartford Fire Insurance Company (No. 25-2309, decided June 18, 2026), the court affirmed dismissal of a breach-of-contract suit brought by the Office of the Special Deputy Receiver (OSD), an Illinois nonprofit that administers estates for insolvent insurers. Hackers spear-phished the CFO’s email, impersonated the executive to other staff, and directed nearly $4 million in unauthorized transfers. Hartford denied the claim; the district court agreed; the Seventh Circuit held the loss was excluded as a matter of law.
Freeman Mathis & Gary summarized the ruling on JD Supra on July 7, 2026 — a timely reminder for law firms, financial institutions, and any organization that wires funds on email instructions: technical controls and policy language must align before the fraud, not after the denial letter.
Case at a Glance
| Item | Detail |
|---|---|
| Court | U.S. Court of Appeals for the Seventh Circuit |
| Case | Office of the Special Deputy Receiver v. Hartford Fire Insurance Co., No. 25-2309 |
| Decision date | June 18, 2026 (argued May 12, 2026) |
| Victim | Office of the Special Deputy Receiver (osdchi.com) — Illinois insurance receivership administrator |
| Insurer | Hartford Fire Insurance Company (thehartford.com) |
| Loss | ~$4 million in unauthorized wire transfers |
| Attack | Spear-phishing → compromised CFO mailbox → internal executive impersonation |
| Outcome | No coverage — Rider 17 exclusion for fraudulent email instructions sent to OSD applied |
| Procedural posture | Appeal from Rule 12(b)(6) dismissal — court accepted OSD’s pleaded facts as true |
What Happened
According to the Seventh Circuit opinion and insurance trade reporting:
- Hackers used a spear-phishing campaign to compromise the CFO’s email account at OSD.
- From that trusted internal mailbox, they emailed other employees with fraudulent wire instructions.
- Staff executed the transfers, believing they were following legitimate executive direction.
- OSD submitted a claim under its Financial Institution Bond for Insurance Companies.
- Hartford denied coverage, arguing the loss fell under an email-fraud exclusion rather than affirmative computer-fraud coverage.
- The Northern District of Illinois dismissed OSD’s complaint; the Seventh Circuit affirmed.
The court emphasized that Rider 17’s exclusion turns on who received the fraudulent message — not whether the sender appeared to be an insider. Emails sent to OSD employees containing fraudulent transfer instructions therefore triggered the exclusion, even though outsiders had hijacked the CFO account.

Why the Policy Did Not Pay
OSD’s Hartford bond included overlapping riders. Two mattered on appeal:
| Rider | Role in dispute |
|---|---|
| Rider 13 — Computer fraud | OSD argued the hack and impersonation qualified as computer-systems fraud |
| Rider 17 — Email-initiated transfer fraud | Contained narrow affirmative coverage for certain external spoofing scenarios and an exclusion for losses from fraudulent instructions “sent to” OSD unless that narrow grant applied |
The Seventh Circuit found OSD’s facts did not fit Rider 17’s limited affirmative coverage. Because the fraudulent instructions were plainly sent to OSD personnel, the Rider 17 exclusion controlled, and Rider 13 did not rescue the claim.
Practical takeaway for policyholders
| Question | Why it matters |
|---|---|
| Does exclusion language key off recipient or sender? | This case turned on messages received by employees |
| Is internal impersonation after mailbox takeover covered? | Here, no — even though hackers were external |
| Do computer fraud and email fraud riders work together or conflict? | Courts may read them holistically; gaps between riders hurt claimants |
| Are MFA, callback procedures, and DMARC documented before renewal? | Insurers increasingly map denials to missing controls, not just exclusions |

Domain Security Audits — July 8, 2026
We scanned domains tied to the parties and reporting counsel. 100% is the ideal score for domain security (identity, transport, website, and infrastructure controls fully hardened).
| Organization | Domain | Overall | Identity | Transport | Website | Risk |
|---|---|---|---|---|---|---|
| Office of the Special Deputy Receiver | osdchi.com | 78% | 90% | 15% | 70% | Good |
| Illinois Dept. of Insurance (parent agency) | idoi.illinois.gov | 36% | 0% | 45% | 45% | Weak |
| Hartford Fire Insurance | thehartford.com | 60% | 65% | 15% | 45% | Above Average |
| Freeman Mathis & Gary (coverage counsel) | fmg.law | 54% | 50% | 15% | 45% | Average |
Pattern across all four domains: 15% Transport Security — no effective MTA-STS enforcement or TLS-RPT on the public mail path we probed. That gap matters because BEC and post-incident correspondence (claim denials, wire recall attempts, client alerts) still ride SMTP transport even when inboxes are compromised.
OSD (osdchi.com) leads the set at 78% overall with 90% Identity — stronger DMARC/SPF posture than the Illinois Department of Insurance portal (0% Identity on idoi.illinois.gov). None of the scanned domains reach the 100% ideal; transport and website headers remain the common weak layer.

Audit links:
What Law Firms and Finance Teams Should Do Now
Before the next wire request:
- Out-of-band verification for any new beneficiary or changed instructions — phone or video to a known number, not a number in the email thread.
- Enforce DMARC (
p=rejectafter monitoring) and MTA-STS on firm domains handling trust accounts and settlement wires. - MFA everywhere mailboxes can authorize payments — especially CFO, controller, and trust accounting roles.
Before cyber renewal:
- Map policy riders and exclusions to your actual wire workflow — internal impersonation after phishing is now a published Seventh Circuit fact pattern.
- Document preventive controls insurers ask about (MFA, phishing-resistant auth, backup callbacks, IR retainers).
- Treat denied claims data like the Five Eyes AI warning: exclusions bite when language is unambiguous.
If you operate in Texas:
- Align wire-fraud playbooks with Texas SB 2610 documentation expectations and the State Bar fraud context for attorneys handling client funds.
Run a free domain scan at audit.emailmenow.com — paid unlock adds remediation steps and evidence suitable for insurance and compliance files.
Related Reading
- Five Eyes warn AI-driven cyberattacks could arrive within months — insurance denial statistics and BEC trends
- California State Bar fraud alert for attorneys — wire fraud and changed-instruction scams
- FBI Kali365 Microsoft 365 phishing kit warning — executive mailbox takeover tooling
- Law firm breach tracker
Sources: JD Supra — Freeman Mathis & Gary · Seventh Circuit opinion (PDF) · Insurance Business · OSD