One issue courts often confront is the question of what they may properly consider in determining whether or not an insurer has a duty to defend an insured in a given set of circumstances. In many jurisdictions, the courts may consider only the underlying complaint and the terms and conditions of the policy, and nothing else. In a recent decision, an Illinois intermediate appellate court, applying Illinois law, held that the trial court properly considered extrinsic matter – in this case, the insured’s description of events in his notice of claim to the insurer—in holding that the policy’s Cyber Events exclusion precluded coverage, even though the underlying complaint did not refer to the cybersecurity incident. The court’s decision raises some interesting questions, as discussed below.

A copy of the Illinois Court’s July 28, 2025, opinion can be found here.  A July 31, 2025 LinkedIn post about the decision by Geoffry Fehling of the Hunton Andrews Kurth law firm can be found here.

Background

Galey Consulting provides professional construction management services to builders and developers. Brian Galey is the principal of Galey Consulting. Monroe Infrastructure is a road construction company. In February 2021, Galey Consulting contracted to provide oversight and management of all construction activities for Monroe. Among the activities for which Galey Construction was responsible was “pay application management,” which included reviewing and approving requests by subcontractors and others for payment.

As Galey later discovered, in November 2021, his work e-mail account was hacked. The hackers installed a mechanism within his account diverting emails that had been sent to his account by Nashville Electric Services (NES). The hackers later sent Galey an email purporting to be from NES changing NES’s payment procedures and requiring electronic payment. The hacker used phony emails sent to Galey’s account to respond to Galey’s requests for confirmation of the changes. These events ultimately resulted in Galey instructing Monroe to send approximately $673,000 to a fraudulent account. Galey later discovered the hack and the mispayment. Monroe demanded that Galey reimburse Monroe for the mispayment. Galey notified his E&O insurer of the incident, referring in his notice to the hack of his email account, wire fraud, and to the resulting mispayment.

Galey’s insurer denied coverage for the events described in Galey’s notice, in reliance on the policy’s Cyber Event exclusion and on Galey’s description in his notice of claim of the hacking incident and wire fraud.  The insurer filed an action in Illinois state court seeking a judicial declaration that there was no coverage under the policy.

Monroe then filed a liability lawsuit against Galey and Galey Consulting, in which Monroe alleged that the defendants had been negligent in failing to have security protocols and procedures in place and otherwise had breached their duties to Monroe. Monroe’s complaint did not refer to the hack or to the phony emails.

After Monroe filed the lawsuit, the insurer issued a revised coverage letter, in which it said, in reliance on Galey’s description of events in his notice of claims, that the Cyber Event exclusion still precluded coverage, notwithstanding the fact that Monroe’s complaint did not refer to the hack and phony emails. Monroe and Galey settled Monroe’s lawsuit. The settlement consisted of the entry of a judgment against Galey and Galey’s assignment to Monroe of Galey’s rights under the E&O policy.

Monroe, as a party to the insurer’s declaratory judgment action, filed a motion for summary judgment, seeking coverage. The insurer filed a cross-motion for summary judgment, seeking a ruling that coverage did not apply. The trial court granted the insurer’s motion and denied Monroe’s motion. Monroe appealed.

Relevant Policy Language

The policy’s Cyber Event exclusion provides in pertinent part that coverage is precluded for any claim “arising directly or indirectly out of a cyber event.” The policy’s definitions section provides in pertinent part that the term “cyber event” includes “any actual or suspected unauthorized access to … any computer systems … including a hacking attack.” The policy also includes a broad definition of “computer systems.”

The July 28, 2025, Opinion

On July 28, 2025, the Illinois Intermediate Appellate Court, First Division, affirmed the lower court’s rulings, in an opinion written by Justice James Fitzgerald Smith for a 2-1 majority, over a dissent by Justice Aurelia Pucinski. In affirming that the Cyber Event exclusion precluded coverage, the appellate court said that Galey’s summary of events in his notice of claim to the insurer was properly considered on the question whether the exclusion applied, even though the underlying complaint did not mention the email hack or wire fraud.

In reaching its conclusions in the case, the appellate court had to consider what a court applying Illinois may properly consider in determining whether an insurer has a duty to defend. Among other things, the court said, while generally courts are to compare the allegations in the underlying complaint to the terms and conditions of the policy, under Illinois law, an insurer in a declaratory judgment proceeding “may challenge the existence of a duty to defend by offering evidence to prove that the insured’s actions fell within the limitations of one of the policy’s exclusions.”

Based on this, the appellate court said that Galey’s description in his notice of claim of the e-mail hacking and wire fraud was appropriate for consideration. The court went on to say that absence of these kinds of allegations from the underlying complaint does not require the court to “wear judicial blinders” to the role the e-mail hacking played.

Finally, the appellate court held that the Cyber Event exclusion precludes coverage even for losses that may have other or concurrent causes, if, as is the case here, the loss arose directly or indirectly out of a cyber event. The court said that none of the other allegedly wrongful acts by Galey would have resulted in the diversion of Monroe’s funds if the e-mail hacking and wire fraud had not occurred.

In dissent, Justice Pucinski argued that both the trial court and the appellate court had chosen to focus on the middle of the story. The beginning of the story, the dissenting justice said, was Galey’s prior “failure to implement the necessary protections that any competent and reasonable manager/consultant would have put in place to prevent hacking.” That failure, Justice Pucinski said, “was negligent, an error and omission, and a breach of fiduciary duty that created a cascade of trouble.”

Discussion

Most states, in order to determine whether or not an insurer has a duty to defend, apply what is sometimes called the “eight corners” rule, pursuant to which the courts may consider and compare the underlying complaint with the terms and conditions of the policy. More importantly for purposes of this particular case, in most states applying the “eight corners” rule (even those states that don’t call the rule the “eight corners” rule), courts may not consider anything extrinsic to the underlying complaint and the policy in determining the duty to defend.

There are a minority of states that do permit courts to consider extrinsic matter. As this case makes clear, Illinois is one of the states that permits courts to consider extrinsic matter, at least in connection with an insurer’s declaratory judgment action seeking the determination of coverage.

As Geoffrey Fehling points out in his LinkedIn post about this decision, this case is one of those situations where the choice of law to be applied is outcome determinative. Under the laws of many states, the court would not have been free to consider extrinsic matter – in this case, the summary Brian Galey provided in his notice of claim. While I can see arguments that could be made for and against allowing the Galey’s summary to be considered (among other things, as the court said, it should not have to “wear blinders”), I think I come down on the general principle that courts ought not to consider extrinsic matter.

As a general matter, I think this decision by a court ought not to involve extrinsic matter, as the coverage determination process should not have to become some sort of mini-trial on extraneous factual matters. In the context of this case, I think the better course would have been for the extrinsic matter to be disregarded, first, because I agree with the dissenting judge that the professional negligence was prior to and the cause of the subsequent harm, and therefore the extrinsic matter is irrelevant, and second, because the net effect of using Galey’s statements to preclude coverage penalizes the policyholder for performing a duty required by the policy (that is, providing notice of claim).

The bottom line here is that the extrinsic evidence was permitted, as a result of the operation of Illinois law. Which leads to one of the current hot topics under discussion in the insurance industry – that is, whether or not insureds (or for that matter, insurers) should seek to include a choice of law clause in their insurance policies? Historically, both insurers and insureds have resisted the inclusion of choice of law clauses, as both sides want to try to preserve the right to argue that one jurisdiction or another’s law applies in a given set of circumstances, depending on which law is more favorable with respect to whatever issue turns out to be in dispute. As this case show, the law to be applied certainly can make a difference.

There is one other thing about this case worth commenting on, and that is the existence in this policy of the Cyber Event exclusion. Many readers know there has long been a lot of concern in the insurance industry about so-called “silent cyber” – that is, coverage for cyber incidents creeping into other kinds of policies, beyond just purpose-built cyber policies. Some might say that the kind of E&O policy at issue here should not in fact be picking up loss arising from an email hack. On the other hand, it could be argued, based on the theory the dissenting justice described, that this loss was the result of prior negligence of the insured, and therefore that coverage should not be precluded. My only comment is that Cyber Event exclusions of this kind are increasingly pervasive, and they can, as here, result in the preclusion of coverage for loss that might otherwise be available.

Whatever else may be said about the presence of the Cyber Event exclusion on the policy at issue in this case, you do kind of wonder why all of this was not handled under Galey’s cyber insurance policy. Possibly because Galey did not have a cyber policy, I suppose. Which is kind of a cautionary lesson that in this day and age, every enterprise should have cyber insurance in place.

The one thing that I should add is that in my summary of the facts above, I left a lot out. It is worth reading the opinion in full, to appreciate the extent of what happened here. There are a host of cyber security loss prevention lessons that can be drawn from this case. There were at least a couple of cross-road points where Galey arguably could have thwarted the hackers’ scheme and averted the loss.