The slip opinion is the first version of an opinion released by the Clerk of the Court of Appeals.

Once an opinion is selected for publication by the Court, it is assigned a vendor-neutral citation by the Clerk of the Court for compliance with Rule 23-112 NMRA, authenticated and formally published. The slip opinion may contain deviations from the formal authenticated opinion.

1 IN THE COURT OF APPEALS OF THE STATE OF NEW MEXICO Opinion Number: __________ Filing Date: June 16, 2025 No. A-1-CA-41254 ALICE T. KANE, Superintendent of Insurance, in her official capacity as Receiver for NEW MEXICO HEALTH CONNECTIONS, INC., a New Mexico not-for-profit corporation, 9 Plaintiff-Appellee, v. SYNDICATE 2623-623 LLOYD’S OF LONDON d/b/a BEAZLEY USA SERVICES, INC, 13 Defendant-Appellant.

14 APPEAL FROM THE DISTRICT COURT OF SANTA FE COUNTY Matthew J. Wilson, District Court Judge Office of the Superintendent of Insurance Stephen Thies Lawrence M. Marcus Santa Fe, NM for Appellee Rodey, Dickason, Sloan, Akin & Robb, P.A.

22 Edward Ricco Albuquerque, NM Day Pitney LLP Jonathan S. Zelig Candace J. Hensley Boston, MA for Appellant 1 OPINION YOHALEM, Judge.

3 {1} This appeal asks this Court to construe the coverage provided by a cyber insurance policy for a claim of damage to a third party “for a security breach.” The policy defines a “security breach” as “a failure of computer security to prevent . . . unauthorized access or use of [the insured’s] computer systems.” The insurer, Syndicate 2623/623 Lloyd’s of London d/b/a Beazley USA Services, Inc. (Beazley), appeals the district court’s order granting New Mexico Health Connections, Inc.’s (NMHC)1 motion for summary judgment, concluding that the phrase “for a security breach” is ambiguous, and construing the phrase to provide coverage under the policy for injury to a third-party “because of” or “resulting from” a security breach. We agree with the district court that the phrase “for a security breach” is ambiguous, and construe this ambiguity under well-established principles of insurance law in favor of the insured. We also agree with the district court that the exclusions to coverage relied on by Beazley do not clearly apply to the loss at issue in this case. Therefore, we affirm the district court.

NMHC’s claim is brought by the Superintendent of Insurance, Alice Kane, as a receiver for NMHC, pursuant to NMSA 1978, Sections 59A-41-18 (1984) and -40(A)(1) (1984). That statute authorizes the Superintendent of Insurance to attempt to recover money due to a health-care provider from an insolvent insurer.

NMHC is an insolvent insurer that owes money to OptumRX, a health-care provider.

Although Kane is the named appellant, we refer to NMHC, the insured in this case, to avoid confusion.

1 BACKGROUND The Policy {2} NMHC, a health-care insurer, purchased a comprehensive cyber breach response policy (the Policy) from Beazley to protect it from breaches of computer security. The Policy covered claims first made during the period from May 1, 2020, to May 1, 2021. Coverage was provided for damages to NMHC from cyber extortion, for the costs of recovering lost data, for the cost of crisis management, for losses due to business interruption, and lesser coverage was provided for losses due to fraudulent instructions, funds transfer fraud, and telephone fraud.2 The Policy also covered damages and claims expenses incurred by NMHC in connection with third- party liability claims. The Policy has a $7 million aggregate limit of liability.

12 {3} The third-party liability coverage at issue appears in a section of the Policy entitled “Data and Network Liability.” That section of the Policy specifies that coverage is provided for damages (defined as “a monetary judgment, award or settlement”); and claims expenses (defined as legal defense costs) that NMHC “is legally obligated to pay because of a claim against [it] during the policy period

The parties agree that the Policy’s fraudulent instruction coverage, limited to $250,000, applied here. Beazley does not argue that this coverage was exclusive.

The issues of contract interpretation before this Court concern only the third-party liability coverage under the Policy’s data and network agreement.

1 for . . . a [s]ecurity [b]reach.”3 The Policy defines a “security breach,” as “a failure of computer security to prevent . . . unauthorized access or use of computer systems, including unauthorized access or use resulting from the theft of a password from a computer system or from any insured.”

5 {4} Also relevant to this appeal is the loss of money exclusion. Beazley relies on the two following exclusions to argue that even if there is coverage, it does not apply to the loss of funds at issue here.

8 The coverage under this Policy will not apply to any loss arising out of: 9 ....

10 2. any loss, transfer or theft of monies, securities or tangible 11 property of the insured or others in the care, custody or control 12 of the insured organization; 13 3. the monetary value of any transactions or electronic fund 14 transfers by or on behalf of the insured which is lost, diminished, 15 or damaged during transfer from, into or between accounts.

16 NMHC’s Claim for Coverage {5} The facts giving rise to NMHC’s claim for third-party coverage are undisputed. In April 2020, a third-party posing as a senior accountant manager of one of NMHC’s vendors, OptumRX, emailed a fraudulent invoice to NMHC on the

The Policy capitalizes many terms to indicate that they are defined in the definition section of the Policy. Because signaling these definitions is not relevant to this opinion, we use the lower case where it normally would be used when quoting from the Policy to make reading easier.

1 form used by OptumRX for its invoices, requesting payment at a fraudulent bank account. In response, NMHC wired $4,415,833.11 to the fraudulent bank account from its Wells Fargo account over the course of five different transfers between April 30, 2020, and May 27, 2020.

5 {6} The parties agree that the fraud was perpetrated by a third-party who gained unauthorized access to NMHC’s computer system and email. A copy of a legitimate OptumRX invoice had been obtained from the computer system, and fraudulent account numbers were substituted for OptumRX’s account. Beazley does not dispute that this was “a security breach” as defined by the Policy.

10 {7} Because of this security breach and the fraudulent use of the information obtained, the amounts due to OptumRX under NMHC’s contract with OptumRX were not paid. OptumRX sent a letter to NMHC demanding payment of the outstanding invoice amounts owed by NMHC to OptumRX under the parties’ contractual agreement.

15 {8} NMHC reported the claim to Beazley on July 1, 2020, through its legal counsel. The July 1, 2020, email from counsel stated that NMHC “hereby requests that Beazley investigate, defend, and indemnify NMHC for the [third-party] claims asserted by OptumRX.” Beazley denied third-party liability coverage, claiming that the OptumRX claim for the unpaid invoice amounts did not trigger third-party liability coverage under the Policy, and even if it did, the loss of money exclusions quoted above barred coverage for the OptumRX third-party claim.

3 Procedure in the District Court {9} NMHC filed this suit in district court against Beazley for breach of the Policy’s third-party liability provision. Beazley counterclaimed, arguing the two exclusions identified above applied. The parties filed cross-motions for summary judgment. Beazley argued that the Policy did not provide liability coverage to NMHC under the provision governing third-party claims because OptumRX’s claim is not a claim for damages “for a security breach,” covered by the Policy, but is instead a garden-variety claim for breach of contract based on NMHC’s failure to pay OptumRX’s invoices. Beazley claimed that the Policy’s third-party coverage applies only to claims directly “for” the security breach itself. Beazley’s example of a covered claim is a suit for damages for an insured’s loss or public exposure of third-party private data. Claims for a breach of contract, like OptumRX’s claim for damages, even where the breach of contract was “caused by” a security breach, are not, according to Beazley, claims “for” a security breach.

17 {10} Beazley further argued that even if the district court found that coverage extended to OptumRX’s breach of contract claim, the two specific exclusions in the Policy applying to claims for the loss of money quoted above each bar any recovery by NMHC. The parties’ dispute about the first exclusion from coverage focused on whether money in NMHC’s Wells Fargo bank account was “in the care, custody or control” of NMHC when it was transferred to the fraudulent account. The controversy over the second exclusion concerned whether the funds transferred to the fraudulent account were “lost, diminished, or damaged during transfer from, into or between accounts.” 4 The District Court’s Ruling {11} At the hearing on the parties’ cross-motions for summary judgment, the district court made an oral ruling that “[a]s a result of a security breach and fraudulent instructions, funds were withdrawn from NMHC’s accounts that were in the care, custody, and control of Wells Fargo Bank.” The district court concluded that the OptumRX claim was “for . . . a security breach” covered by the Policy because the claim “arose from a security breach and flowed from a security breach.”

13 As to the application of the loss of money exclusions, the district court ruled that “[t]he exclusion language does not apply to the facts underlying the OptumRX

We note that in addition to the arguments it successfully made in the district court on the meaning of the third-party coverage provision and the exclusions to the policy, NMHC has argued for the first time on appeal that Beazley’s initial letter disclaiming coverage failed to adequately alert NMHC to Beazley’s reasons for denying coverage, a violation of New York law—the law the parties contracted to apply to the Policy. We do not reach this argument, both because it would be unfair to Defendant who was not able to defend against this argument in the district court and because we affirm on the grounds raised in the district court. See Eldin v. Farmers All. Mut. Ins. Co., 1994-NMCA-172, ¶ 21, 119 N.M. 370, 890 P.2d 823 (declining to apply the right for any reason doctrine on grounds that it would be unfair to the appellant).

1 claim” because “[t]he funds that were stolen were not in the care, custody, and control of the insured”; the stolen funds “were in the care, custody, and control of Wells Fargo Bank.” Although rejecting Beazley’s argument that the exclusion for funds “lost, diminished, or damaged during transfer” barred coverage, the district court did not state its reasoning. Concluding that the Policy’s third-party liability provision covered OptumRX’s claim against NMHC, and that no exclusion applied, the district court granted summary judgment in favor of NMHC, awarding it $3,533,804.95, the invoiced amount remaining unpaid to OptumRX after law enforcement recovered a portion of the funds diverted by the security breach.

10 Beazley appeals.

11 DISCUSSION {12} On appeal, Beazley again argues, as it did in the district court: (1) that the Policy’s third-party liability coverage does not apply because OptumRX’s breach of contract claim was not “a claim for . . . a security breach”; and (2) that two of the listed loss of money exclusions bar coverage because the lost funds were (a) in the “care, custody or control” of NMHC, and (b) were lost during transfer from, into or between accounts. We address each of Beazley’s arguments in turn, after addressing the standard of review and general principles of law governing the construction of insurance contracts.

1 I. Standard of Review {13} We review a district court’s order granting or denying summary judgment de novo. See United Nuclear Corp. v. Allstate Ins. Co., 2012-NMSC-032, ¶ 9, 285 P.3d 4 644. Where, as here, an appellant does not assert the existence of a genuine issue of material fact precluding summary judgment, but rather agrees that the facts are undisputed, “our task is to determine whether the district court correctly applied the law to the facts.” See Gonzales v. Allstate Ins. Co., 1996-NMSC-041, ¶ 7, 122 N.M. 8 137, 921 P.2d 944. “Similarly, the interpretation of terms within an insurance policy is a matter of law about which the court has the final word, and is subject to de novo review.” United Nuclear Corp., 2012-NMSC-032, ¶ 9 (internal quotation marks and citation omitted).

12 II. Choice of Law {14} The Policy includes a choice of law provision stating that New York law will apply to any dispute. The parties, however, agree that this Court may apply New Mexico law governing the construction of insurance contracts because our law is nearly identical to New York law on this question. We agree that the principles of law governing the interpretation of insurance contracts are nearly the same in both states and therefore accept the parties’ invitation to apply New Mexico law. We apply New York law, however, in accordance with the Policy terms, on any issue other than the general law of contract construction.

1 III. Governing Principles of Insurance Policy Interpretation {15} The questions before this Court on appeal are questions of contract construction. Insurance policies are interpreted by our courts (and New York courts) applying the principles generally applicable to the interpretation of contracts. “Our analysis of the insurance policy proceeds with the primary goal of ascertaining the intentions of the contracting parties with respect to the challenged terms at the time they executed the contract.” Ponder v. State Farm Mut. Auto. Ins. Co., 2000-NMSC- 033, ¶ 11, 129 N.M. 698, 12 P.3d 960 (alteration, internal quotation marks, and citation omitted). “As with other contracts, where an insurance policy’s terms have a common and ordinary meaning, that meaning controls in determining the intent of the parties.” United Nuclear Corp., 2012-NMSC-032, ¶ 10 (internal quotation marks and citation omitted).

13 {16} A term is ambiguous when it “is reasonably and fairly susceptible of different constructions.” Id. (internal quotation marks and citation omitted). So long as the insured’s expectations are reasonable, we will be guided by those expectations and will, as a matter of public policy, construe ambiguities in an insurance policy “in favor of the insured and against the insurer.” Ponder, 2000-NMSC-033, ¶ 26. Public policy recognizes that insurance companies control the language of the policy, and “[an insurance company] does so with far more knowledge than the typical insured of the consequences of particular words.” Sanchez v. Herrera, 1989-NMSC-073, ¶ 21, 109 N.M. 155, 783 P.2d 465.

3 IV. Third-Party Coverage “for a Security Breach” {17} We begin by applying these principles of interpretation to the parties’ dispute about the construction of the coverage provisions of the Policy. Only if we determine that there is coverage under the Policy do we then determine whether an exclusion applies to bar coverage. See Pulte Homes of N.M., Inc. v. Ind. Lumbermens Ins. Co., 2016-NMCA-028, ¶ 9, 367 P.3d 869.

9 A. The Parties’ Contentions {18} As we have already noted, the parties’ coverage dispute focuses on the policy terms under the heading “Data and Network Liability.” That section of the Policy specifies that coverage is provided for damages (defined as a judgment or settlement), and claims expenses (defined as legal defense costs), 14 which the [i]nsured is legally obligated to pay because of any claim first 15 made against an insured during the policy period for: 16 ....

17 2. a security breach.

18 {19} There is no dispute on appeal about the meaning of the term “security breach.”

19 The parties agree that the unauthorized invasion of NMHC’s email and the theft from that account of an OptumRX invoice that was then modified to redirect payments to OptumRX to a fraudulent account was a “security breach,” as that term is defined by the contract. The dispute about coverage here, therefore, focuses on the meaning of the preposition “for” in the phrase “for a security breach.” Beazley argues that OptumRX does not assert “a claim against NMHC “for a security breach,” because OptumRX “does [not] allege that, as a result of such a breach, information pertaining to OptumRX was stolen or compromised.” Beazley argues that the preposition “for” plainly and solely means “equivalent to” and concludes that coverage is provided only for a loss directly connected to the security breach. Beazley’s construction would narrow the Policy’s coverage for third-party claims to recover damages to the loss or disclosure of private, third-party data from the insured’s computer system.

10 {20} NMHC, in contrast, construes the phrase “a claim for a security breach” to include a third-party claim for damages where a security breach was causally connected to the loss. According to NMHC, the preposition “for” in the Policy’s coverage provision requires only a causal connection between the loss or damages claimed and the security breach. NMHC would define “for” as meaning “because of,” “arising out of,” or “as a result of.”

16 B. The Sources Relied on by This Court to Construe Words in an Insurance 17 Policy {21} Although New Mexico law allows this Court to consider extrinsic evidence to make a preliminary finding on the question of ambiguity, extrinsic evidence often involves testimony as to the parties’ circumstances at the time the policy was purchased, their business interests, and other external evidence of intent. See Ponder, 2000-NMSC-033, ¶ 13. No such evidence was presented by either party in this case.

3 We turn, therefore, to other forms of extrinsic evidence as tools of contract construction. We generally look first to other relevant terms of the policy to see whether construing the policy as a whole explains the meaning and intent of the word or phrase at issue. See United Nuclear Corp., 2012-NMSC-032, ¶¶ 16-18. We then look to the dictionary definitions of the disputed word or phrase, to any opinions by our courts or the courts of other jurisdictions on the meaning of similar language, and finally to any industry practice or drafting history. See id. ¶¶ 16-37. No one of these factors is dispositive on the question of ambiguity but, taken together, they help resolve the question. See id. ¶ 38 (relying on these factors together).

12 1. Other Provisions in the Policy {22} We note first that the Policy does not define the word “for” or provide any explanation elsewhere in the Policy of the extent of coverage intended for claims “for a security breach.” There is, for example, no provision limiting third-party liability for a security breach specifically to the loss of data. Indeed, the Policy lists “a data breach” separately from “a security breach” as a type of claim covered by the Policy. Generally, we would not expect two types of coverage to be coextensive.

19 Although not dispositive, the third-party claim provision, read as a whole, suggests that a claim for damages for a breach of security may extend beyond damages arising from a data breach—the only damages Beazley’s definition would cover.

3 {23} Beazley points to other provisions in the Policy that use the phrases “arising out of” or “resulting from,” and argues that the use of the word “for,” rather than these other terms, makes clear that the word “for” means something different and narrower than “arising out of” or “resulting from.” We do not agree. Despite a lengthy list of definitions in the Policy, including many common words, there is no definition of “arising out of,” “resulting from,” or “for” to distinguish these terms, or to indicate that they mean something special. These terms are commonly used interchangeably in everyday language, and without a definition in the Policy, an insured would likely read them as interchangeable. Moreover, we do not see how the use of the phrase “resulting from” or “arising out of” in a handful of other provisions throughout the Policy clarifies the meaning of the word “for” in the provision at issue. We note that the Policy also uses in the “Data Recovery Costs” provision a phrase clearly restricting coverage to costs incurred “as a direct result of a security breach.” Although Beazley seeks to define “for a security breach” as meaning “as a direct result of a security breach,” it does not use that far clearer phrase in the provision at issue.

1 {24} Concluding that the other terms used in the Policy do not definitively resolve the question of ambiguity, we continue our review by next examining the dictionary definitions of the preposition “for.”

4 2. Dictionary Definitions {25} “When a term is undefined in the policy, a reviewing court may look to that term’s usual, ordinary, and popular meaning, such as found in a dictionary.” Id. ¶ 19 (internal quotation marks and citation omitted). “Although the mere existence of multiple dictionary definitions of a word, without more, does not create an ambiguity, dictionary definitions can serve as an appropriate starting point for analysis.” Id. ¶ 20 (text only) (citations omitted).

11 {26} Beazley directs this Court to one specific definition of the word “for” from Webster’s Third New International Dictionary (Unabridged ed. 2002) (Webster’s Third), defining “for” as “in exchange as the equivalent of” (as in “all that trouble for nothing,” or “my kingdom for a horse”). We note that Webster’s Third also defines “for,” in relevant part, as “because of,” “on account of,” “as regards,” and “for this reason or on this ground,” definitions that suggest a causal connection rather than equivalence between the two nouns it connects—in this case damages and claims expenses “because of,” “on account of,” or “resulting from” a security breach.”

1 {27} Like the word “sudden,” construed by our Supreme Court in United Nuclear Corp., the word “for” has multiple commonplace definitions. Both Beazley’s preferred meaning of “equivalent to” and NMHC’s preferred meaning of “because of” or “resulting from” are included in the common usage of the word “for.” As our Supreme Court found in United Nuclear Corp., competing definitions—reflecting both parties’ views—tend to demonstrate the ambiguity of a term. 2012-NMSC-032, ¶ 22.

8 3. Divergence of Opinion Among Courts {28} The parties turn to the opinions of courts in other jurisdictions that have construed the word “for.” We emphasize at the outset that neither party has pointed to an opinion construing that word in the context of a cyber insurance policy. Indeed, our research shows that there are few published decisions interpreting such policies anywhere in the country.

14 {29} We do not find either party’s analogies to decisions differentiating claims “for bodily injury” from claims “because of” or “resulting from” bodily injury helpful.

16 First, these decisions are divided, similar to the division in dictionary definitions. 5

Compare Am. Ins. Co. v. Naylor, 87 P.2d 260, 265 (Colo. 1939) (applying the broad definition of “for” to mean “because of,” “on account of,” and “in consequence of”), with Farmers Tex. Cnty. Mut. Ins. Co. v. Zuniga, 548 S.W.3d 646, 652-54 (Tex. Ct. App. 2017) (concluding that the insurance policy agreement to “pay all damages for bodily injury” is unambiguous because “[t]he plain meaning of the word ‘for’ is ‘in exchange as the equivalent of’” (quoting Webster’s Third 886); see also Lumbermens Mut. Cas. Co. v. Yeroyan, 5 A.2d 726, 727 (N.H. 1939) (finding Most importantly, however, this is an area of insurance policy construction developed over decades by insurers and courts addressing phrases widely used in common insurance policies. The parties each cite to several cases supporting their viewpoint. Despite the common use in insurance policies of this phrase, these courts still differ on the meaning of the phrase “for bodily injury.” The Georgia Supreme Court, in Greenwood Cemetery, Inc. v. Travelers Indemnity Co., 232 S.E.2d 910, 913 (Ga. 1977), in construing the word “for” in the phrase “for mental anguish,” highlighted the multiple reasonable meanings of the word “for”: 9 [t]he word ‘for’ has numerous meanings. The insurer would read the 10 word ‘for’ as meaning ‘equivalent to’ (and therefore not greater than) 11 or ‘to the amount, value or extent of.’ The insured would read the word 12 ‘for’ as meaning ‘by reason of’ or ‘because of, on account of.

13 {30} We, therefore, conclude that there is a lack of an interpretive consensus among courts, and take this as an “indicator of ambiguity.” See United Nuclear Corp., 2012- NMSC-032, ¶ 29 (noting that a lack of consensus both among courts and outside the courts may itself indicate ambiguity).

17 4. Industry Practice and Drafting History {31} As we have already noted, neither party provided any details in the summary judgment record surrounding the formation of the insurance contract here. We note, however, that cybersecurity insurance is a relatively new area of insurance coverage.

“for” is “synonymous with the phrase ‘on account of’” (quoting Cormier v. Hudson, 187 N.E. 625, 626 (Mass. 1933)).

1 As technological advances have occurred and the use of internet and computer data systems have become commonplace in business, and more and more businesses run on cyber platforms, there has been an “exponential increase in the number of cyber security breaches in recent years.” See Deborah L. Johnson, Demystifying the Elusive Quest for Cyber Insurance Protection: The Need for New Contract Language, 44 Cardozo L. Rev. 2361, 2367 (2023).

7 {32} Purchasers of a cyber insurance policy often have little knowledge about the breadth and sophistication of the cybersecurity risks they face. Id. at 2408. The insurers are far more knowledgeable. This imbalance is exacerbated by the lack of standard policy language among insurers to define or limit coverage. Id. at 2373. A business purchasing cybersecurity coverage is unlikely to imagine all of the consequences of the increasingly sophisticated methods of breaching computer security and may view the insurance policy as protecting against all but the most clearly stated exceptions to coverage. See Sanchez, 1989-NMSC-073, ¶ 21 (noting that “[t]he typical insured does not bargain for individual terms within policy clauses,” making “only broad choices regarding [the] general concepts of coverage, risk, and cost”).

18 {33} Again, although this context and history of cyber risks and cyber insurance is not alone dispositive on the question of ambiguity, it is another indication that the phrase “for a security breach” would not have a single, obvious meaning to an insured.

3 C. The Phrase “for a Security Breach” Is Ambiguous {34} Because every one of the aids this Court looks to for assistance in determining whether a phrase or a word in an insurance policy is ambiguous supports multiple reasonable meanings of the phrase at issue here and of the word “for,” we hold that the phrase is ambiguous. We interpret an ambiguous phrase in an insurance policy as purely a question of law, and we construe ambiguity in a policy in the insured’s favor. United Nuclear Corp., 2012-NMSC-032, ¶ 39. We, therefore, agree with the district court that the Policy’s coverage includes claims of loss “because of,” resulting from,” or “on account of” a security breach.

12 IV. The Exclusions Do Not Apply {35} We now turn to the two loss of money exclusions that Beazley argues bars coverage. Exclusionary clauses are construed under the same rules of construction that apply to coverage provisions. “It is the obligation of the insurer to draft an exclusion that clearly and unambiguously excludes coverage.” Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 2002-NMCA-054, ¶ 7, 132 N.M. 264, 46 P.3d 1264.

18 Generally, if ambiguous, we construe exclusionary clauses in insurance contracts narrowly against the insurer. See Knowles v. United Servs. Auto. Ass’n, 1992- NMSC-030, ¶ 9, 113 N.M. 703, 832 P.2d 394.

1 A. The Money Was Not “Lost, Diminished, or Damaged During Transfer” {36} Section three of the loss of money exclusion states that coverage under the Policy will not apply to any loss of monetary value “during transfer from, into or between accounts.” Beazley summarily states that this exclusion applies to deny coverage for OptumRX’s third-party claim, without explaining the basis for its belief that this language clearly covers the loss of the NMHC payments transferred to a fraudulent address, apparently without a loss in value of the funds during the transfer. There are no facts in the summary judgment record showing that the transfer was flawed or the security of the transfer breached “during transfer.”

10 {37} We employ a presumption of correctness in the rulings of the district court, and the burden is on the appellant to clearly demonstrate error. See Farmers, Inc. v. Dal Mach. & Fabricating, Inc., 1990-NMSC-100, ¶ 8, 111 N.M. 6, 800 P.2d 1063.

13 In the absence of a developed argument by Beazley, we decline to address this issue further. See State v. Dickert, 2012-NMCA-004, ¶ 46, 268 P.3d 515.

15 B. The Funds Were Not in the “Care, Custody or Control” of NMHC {38} Beazley next argues that the funds transferred pursuant to the fraudulent instructions were in the “care, custody or control” of NMHC and that, therefore, the Policy’s loss of money exclusion applies. This section excludes coverage under the Policy for any loss, transfer or theft of money “in the care, custody or control of the insured organization.” The district court concluded that the stolen money was not in the “care, custody or control” of NMHC; it was in the “care, custody, and control of Wells Fargo Bank.” Therefore, this exclusion from coverage did not apply.

3 {39} Beazley argues that the phrase “care, custody or control” should be read disjunctively, requiring this Court to find only that NMHC had “control” of the funds in its Wells Fargo account for the exclusion to apply. The dispute between the parties as to the meaning of this exclusion turns on whether the words “care, custody or control,” are to be understood in the disjunctive, as independent words separately defined in the law, or whether the phrase “care, custody or control,” is a phrase with its own meaning in the law.

10 {40} We first note that neither the individual words nor the phrase “care, custody or control” are defined in the Policy. Given the absence of a definition in the Policy, we turn to New York law to resolve this issue. Although the parties have agreed that New Mexico law is the same as New York law as to the principles governing the construction of an insurance policy, on the question of the meaning of a phrase used in the Policy, the Policy directs that we apply New York law. We honor the plain language of the parties’ choice of law contract term.

17 {41} New York courts have repeatedly construed “care, custody or control,” as a phrase with a particular meaning in the law. 6 Moreover, commentators have agreed

See, e.g., Greater N.Y. Mut. Ins. Co. v. Pro. Sec. Bureau, Ltd., 402 N.Y.S.2d 6 448 (N.Y. App. Div. 1978); Broome Cnty. v. Travelers Indem. Co., 451 N.Y.S.2d 272 (N.Y. App. Div. 1982).

1 that “care, custody or control” is an established legal phrase or term of art widely used in the insurance context to denote exclusive physical dominion over property.

3 See generally 9 Couch on Insurance § 126:22, Westlaw (database updated June 2025).

5 {42} The question under New York law, then, is whether the depositor, NMHC, or the bank, Wells Fargo, had exclusive dominion over the property—the money in NMHC’s account—at the time the payment at issue was made. Our research shows that “[i]t is well-settled under New York law that the relationship between a bank and its depositor is the contractual relationship of debtor and creditor and the amount on deposit represents an indebtedness by the bank to the depositor.” Reichling v. Cont’l Bank, 813 F. Supp. 197, 198 (E.D.N.Y. 1993); see 9 NY Jur. 2d, Banks, § 226, Westlaw (database updated May 2025). Under New York law, “the money deposited with the bank belongs to the bank and is not the property of the depositor.”

14 Reichling, 813 F. Supp. at 198 (emphasis added) (alteration, internal quotation marks, and citation omitted). New York law, therefore, arguably places the “care, custody or control” of a depositor’s funds with the bank holding the account. NMHC deposited the funds with Wells Fargo; Wells Fargo, under contract, had the funds in its “care, custody and control” at the time the money was transferred. The body of New York law we reference is sufficient to allow a reasonable insured to conclude that this exclusion did not apply to funds placed in the protection of a bank account, and only applied to property, securities and funds directly held in the “care, custody and control” of NMHC.

3 CONCLUSION {43} Because a reasonable insured would construe the ambiguous coverage term at issue to afford coverage and would not read the exclusions to apply here, we affirm.

6 {44} IT IS SO ORDERED.

7 _________________________ 8 JANE B. YOHALEM, Judge WE CONCUR:

10 ___________________________ J. MILES HANISEE, Judge

12 ___________________________ MEGAN P. DUFFY, Judge