Cyber and Privacy Risk and Insurance

Breaking Coverage Case—Cyber Coverage—Don't Leave Home Without It

Jes Alexander | August 15, 2025


An Illinois appellate court just sent a costly message to a construction management firm: If your loss stems from a cyber incident, you'd better have cyber insurance. After falling victim to a wire transfer scam during a construction project, a construction management firm turned to its professional liability insurer for coverage. But the insurer quickly denied the claim, pointing to the policy's cyber exclusion and the company's lack of cyber coverage.

Undeterred, the developer filed a lawsuit against the construction firm, strategically omitting any reference to the hack. The goal? To trigger coverage by recasting the claim as standard professional negligence. Read the actual Illinois case below to see if this tactic worked.


Coverage Dispute: Insured Tenders Wire Transfer Hack Claim to Professional Liability Insurer

Monroe Infrastructure began a project to construct roads and other improvements in Tennessee. It hired Galey Consulting, a company that provided professional construction management services to builders, developers, and others. Galey agreed to oversee construction management and handle invoice approval on a development project.

In late 2021, the email account of Galey's owner was hacked, allowing fraudsters to intercept legitimate communications and insert fake instructions for payment. As a result, Monroe mistakenly wired $673,384.18 to a fraudulent bank account. At the time of the loss, Galey did not have cyber insurance. Instead, it had only an architects and engineers professional liability policy.

That policy contained a cyber-event exclusion that precluded coverage for any claim "arising directly or indirectly out of any cyber event." The policy's definition of "cyber event" included "any actual or suspected unauthorized access to … any computer systems … including a … hacking attack." The policy's definition of "computer systems" meant "all electronic computers including operating systems, software, hardware, microcontrollers and all communication and open system networks and any data or websites wheresoever hosted, off-line media libraries and data back-ups and mobile devices including but not limited to smartphones, iPhones, tablets or personal digital assistants."

Despite this lack of cyber insurance, Galey sought coverage under its professional liability policy and sent a tender describing the wire fraud and hack. However, the insurer responded that the policy "does not carry any cyber and privacy cover which would respond to the funds loss."

After this denial, Monroe demanded reimbursement from Galey and later filed suit for negligence, breach of contract, and breach of fiduciary duty, but intentionally omitted any mention of hacking or fraud in its complaint. Instead, Monroe's demand on Galey focused on its responsibilities for providing "pay application management" services to Monroe. According to the demand, Galey Consulting had acted unreasonably by failing to have in place a protocol and system to ensure that invoices presented were paid correctly. Also, the demand asserted that Galey acted negligently by failing to "utilize telephonic confirmation" before making electronic payment of the invoice.

After this demand, Monroe filed an underlying lawsuit against Galey Consulting, seeking to recover the diverted payment of $673,384.18 "that was erroneously and at the instruction of Galey sent to an improper wire account that was not owned or in the control of NES." The underlying suit did not allege that an email hacking or wire fraud incident played any role in causing the loss it suffered. The omission appeared designed to avoid triggering the policy's cyber-event exclusion.

A coverage lawsuit was filed contesting the denial. Galey and Monroe eventually settled the lawsuit via a $725,000 consent judgment that gave Monroe an assignment of rights to go after the insurer for breach of the duty to defend and indemnify.

Eventually, the trial court found that the underwriters had no duty to defend either Galey Consulting or Brian Galey against the underlying lawsuit filed by Monroe. It further found that the underwriters did not have a duty to indemnify Monroe with respect to the consent judgment that was entered in the underlying lawsuit.

Court's Ruling

The First District Illinois Appellate Court in Certain Underwriters at Lloyd's, London v. Galey Consulting LLC, 2025 IL App (1st) 241909-U (July 28, 2025), ruled that the cyber-event exclusion barred coverage under the professional liability policy for the wire fraud loss. In reaching this result, the court first addressed the claimant's argument that the court, in the context of the duty to defend, should not have considered the actual facts related to the wire fraud and hack. Instead, the claimant contended that Illinois law only allowed the consideration of the allegations in the underlying suit, which did not contain allegations regarding the cyber incident.

The appellate court rejected the claimant's argument that the actual facts regarding the cyber event should not be considered in ruling on the duty to defend. The court ruled that Illinois law permits insurers to introduce extrinsic evidence when applying policy exclusions, so long as the evidence does not resolve a disputed issue in the underlying litigation. The court then criticized the claimant's and insured's litigation strategy, holding as follows.

As stated, nothing in the underlying complaint alleges that the hacking of Galey's e-mail account or wire fraud played any role in causing Monroe's losses. However, we also find nothing in the summary judgment record that tends to raise any factual dispute as to whether the loss at issue originated from an incident of e-mail hacking and wire fraud. We do not believe in this instance that the absence of such allegations from the underlying complaint requires the courts to "'wear judicial blinders'" to the role that an e-mail hacking incident played in causing this loss when determining whether a policy exclusion applies. We note that the Underwriters' declaratory judgment action had been filed six months before the time when Monroe filed the underlying complaint. It is thus clear that Monroe's counsel was well aware by that time of the Underwriters' position that the cyber events exclusion precluded coverage because the loss arose out of the unauthorized accessing of Galey's e-mail account by a hacker attempting to commit wire fraud. Accordingly, it would appear that the failure to allege anything about e-mail hacking or wire fraud in the underlying complaint was an attempt to avoid pleading directly into the policy's cyber events exclusion.

Thus, the court allowed the insurer to rely on the actual facts related to the cyber event.

Next, the court addressed the claimant's argument that the policy's cyber-event exclusion did not preclude coverage for losses that had other concurrent causes. Based on this interpretation, Monroe argued that the cyber-event exclusion did not bar coverage in this case because the allegations of the underlying suit attributed Monroe's loss to various acts, errors and omissions, and misrepresentations by Galey that resulted in his failure to properly manage Monroe's pay application with respect to the project.

The court rejected this secondary argument by noting that the cyber-event exclusion was broad. The court held as follows.

We reject Monroe's argument that any acts or omissions alleged in the underlying complaint are concurrent causes of its loss, such that its loss cannot be characterized as "arising directly or indirectly out of any cyber event." Our supreme court has recognized that "[t]he phrase 'arising out of' has a set meaning in the law." The definition of the phrase is generally recognized to mean "originating from," "growing out of," or "flowing from." This is the recognized definition of the phrase as applied in the insurance context. We note, however, that the phrase is given a more limited interpretation in favor of the insured when it is used in an exclusion than when used in a grant of coverage.

We find it clear from Brian Galey's summary of events that Monroe's loss can only be characterized as "arising directly or indirectly out of" a cyber event, even if other potential causes of the loss can also be identified. The hacking of Galey's e-mail account and resulting efforts at wire fraud were the originating events that ultimately led to Monroe's funds being sent to a bank account not owned by NES. These were the events from which all other causes of the loss flowed. Had they not occurred, Galey would not have received fraudulent bank account information or believed he was acting upon legitimate instructions from NES when he instructed the wire transfer of Monroe's funds to that account. In other words, none of the other allegedly negligent or wrongful acts by Galey would have resulted in the diversion of Monroe's funds if the e-mail hacking and wire fraud incident had not occurred. Accordingly, we hold that the cyber events exclusion is applicable under its plain language and negates any duty to defend on the part of the Underwriters in the present case.

The court, therefore, ruled that no coverage was owed.

Takeaway: Even when an underlying suit omits any reference to an issue that is excluded, insurers in Illinois may still use the insured's own claims notice to invoke an exclusion in the duty-to-defend context. However, the facts must be undisputed and cannot conflict with the allegations in the underlying suit.

