Texas Gulf Bank sues insurers after cyber fraud claim denied

It claims its insurers wrongly denied coverage after a cyber fraud loss, raising urgent questions for insurance professionals

By Tez Romero

Texas Gulf Bank is taking its insurers to court after they refused to cover nearly $1.5 million in cyber fraud losses - putting insurance policy exclusions in the spotlight. 

In a complaint filed in the US District Court for the Southern District of Texas, Texas Gulf Bank, N.A. alleges that Great American Security Insurance Company, Great American Alliance Insurance Company, and ABA Insurance Services, Inc. breached their contracts and acted in bad faith by denying coverage for a cyber fraud incident. The lawsuit, which remains ongoing, highlights the tension between financial institutions and insurers over the boundaries of cyber liability and financial institution bond coverage. 

According to the complaint, the dispute began when Sequeira Civil Construction, LLC (SC2), a customer of Texas Gulf Bank, sued the bank in October 2023. SC2 alleged that the bank erred in making unauthorized wire transfers from SC2’s account in violation of a Wire Transfer Agreement. The complaint states that, beginning on August 3, 2023, a cybercriminal compromised the email account of SC2 employee Beth Behenna and sent Texas Gulf Bank four unauthorized fraudulent wire transfer request emails. The bank processed some of these requests after calling a telephone number listed in the fraudulent emails, rather than the number in the Wire Transfer Agreement. Texas Gulf Bank was able to recall $297,400, but the remaining $1,481,540 in fraudulent wire transfers was unrecoverable. SC2 issued a demand to Texas Gulf Bank on September 11, 2023, seeking payment for the $1,481,540 transferred from its account. Texas Gulf Bank and SC2 mediated the lawsuit on May 22, 2025, and Texas Gulf Bank paid $787,500 to settle the Sequeira Lawsuit. 

Texas Gulf Bank provided timely notice of SC2’s claim and the lawsuit to Great American Security Insurance Company (GASIC) under the Cyber Policy. ABA Insurance Services (ABAIS), acting on behalf of GASIC, issued a letter on October 12, 2023, refusing coverage for the claim. ABAIS maintained that the Cyber Policy’s “Non-Company Security Breach Exclusion” barred coverage. The exclusion states:

“The Insurer will not be liable to make any payment for Loss, Regulatory Correction Expense, Public Relations Expense, or Privacy Breach Response Expense in connection with any Claim, Privacy Breach Incident, or Denial of Service Attack arising out of, or in any way involving, a breach of any computer system or any communication network, other than the Company’s Computer System. The Insurer also will not be liable to make any payment for Loss, Regulatory Correction Expense, Public Relations Expense, or Privacy Breach Response Expense in connection with any Claim, Privacy Breach Incident, or Denial of Service Attack in any way relating to the unauthorized access to, or use of, login, password, access key, or other Confidential Information where such information was obtained from the Customer, or any other means under the Customer’s control, regardless of whether the information was obtained through theft, trick, artifice, fraud, or false pretenses.” 

ABAIS, on behalf of Great American Alliance Insurance Company, also denied coverage under the bond, asserting that the bank’s authentication procedure did not meet the bond’s requirements. Specifically, ABAIS stated that callbacks to verify wire instructions were not made to a “Predetermined Telephone Number” established by the customer and the bank in a Written Agreement, as required by the bond’s Funds Transfer Fraud Insuring Agreement. The complaint alleges that the bond does not require the Predetermined Telephone Number to be set forth in the Written Agreement. 

Texas Gulf Bank alleges that the insurers misrepresented the terms of the policies and bonds, failed to conduct reasonable investigations, and violated Texas insurance statutes. The bank seeks damages in an amount not less than $1.2 million as well as attorneys’ fees in an amount not less than $50,000. 

At the heart of the dispute are two questions for the insurance industry: How far do policy exclusions reach when cybercriminals exploit weaknesses outside the insured’s own systems? And what constitutes adequate verification under a financial institution bond when fraudsters manipulate standard procedures? 

For insurance professionals, the case is a reminder of the complexities and evolving risks in cyber coverage. As banks and other financial institutions face increasingly sophisticated threats, the fine print of insurance policies - and how insurers interpret it - can mean the difference between absorbing a major loss and shifting the burden to the insurer. 

As of now, the case is unresolved, and the outcome could affect how insurers and insureds navigate the landscape of cyber risk and financial fraud. 
