While cyber liability coverage decisions are usually few and far between, courts in two jurisdictions have issued buzzworthy rulings this summer. After a New Mexico court issued a troubling, results-oriented decision in Kane v. Beazley earlier this summer, an Illinois appellate court reached a well-reasoned ruling on July 28 in another cyber liability coverage case: Certain Underwriters at Lloyd’s London Subscribing to Policy No. PSK013943706 v. Galey Consulting, LLC 2025 IL App (1st) 241909-U, 2025 WL 2104966 (July 28, 2025). Unlike the court in Kane, the Galey court interpreted the policy as written and did not rewrite it to provide cyber coverage that had not been purchased.
In the Galey case, a dispute over a misdirected payment resulted in litigation that exposed a very significant gap in the policyholder’s liability insurance program. The trial court ruled, and an appellate court affirmed, that the liability insurer had no duty to defend or indemnify the insured in connection with the underlying litigation due to a cyber exclusion contained in its architects and engineers’ policy. The Galey case is a classic example of a court properly applying a cyber exclusion to a funds transfer fraud loss despite the claimant’s creative pleading that avoided mentioning the cyber event.
A “Legit” Request for Payment That Was Nothing of the Sort
In Galey, Monroe Infrastructure (Monroe) became involved in a project to build roads and other infrastructure improvements in Nashville. Monroe, in turn, hired Galey Consulting to provide professional construction management services for the project. Under the parties’ contract, Galey Consulting’s responsibilities included overseeing and managing all construction activities as well as “pay application management”; that is, reviewing and approving requests by third parties to receive payment by Monroe for work done on the project.
The work e-mail account of Galey Consulting’s principal, Brian Galey, was hacked. The hackers intercepted and diverted e-mails that Galey received from contractor Nashville Electric Service (NES) and posed as NES in communications with Galey. After Galey received a legitimate NES invoice, the hackers requested that Galey change the payment procedures in place for the NES account and forward payment in the amount of the invoice to a different account. Unbeknownst to Galey, the account belonged to the hackers, not NES.
Monroe asked that Galey take steps to confirm the payment information with NES to prevent fraud, including a phone call, but Galey stated that he knew the payment request was “legit.” While Galey made some effort to confirm the legitimacy of the payment instructions, all his efforts were over email. Ultimately, Monroe issued payment in the amount of $673,384.18 to the hackers’ account. This payment was never recovered.
A Cyber Claim Under a Non-Cyber Policy
Upon discovering the fraudulent nature of the transfer, Galey Consulting put its liability insurers on notice of a potential claim under an architects and engineers’ policy. The policy expressly excluded coverage for any claim “arising directly or indirectly out of any cyber event.” The policy’s definition of cyber event included “any actual or suspected unauthorized access to…any computer systems…including a…hacking attack.” The policy's definition of “computer systems” specified “all electronic computers including operating systems, software, hardware, microcontrollers and all communication and open system networks and any data or websites wheresoever hosted, off-line media libraries and data back-ups and mobile devices including but not limited to smartphones, iPhones, tablets or personal digital assistants.”
Despite the clear exclusion, Galey Consulting’s broker inquired whether the claim would be insured under the “errors and omissions” coverage. In support of the claim, Galey submitted a summary of the key facts of the incident together with the notice. The insurers denied coverage, citing the cyber exclusion, and subsequently filed a declaratory judgment action to establish that they had no duty to defend or indemnify any potential claim by Monroe arising out of a cyber event.
After the coverage action was already pending, Monroe sued Galey Consulting—and the “potential” claim became a real lawsuit. Given that the coverage issues had already been identified in the coverage action, Monroe was incentivized to craft its complaint against Galey to maximize the potential that Galey’s insurance would cover any settlement or judgment. Accordingly, Monroe carefully avoided any reference to an excluded “cyber event” in its complaint. Monroe clearly hoped that the court would strictly apply the “four corners” rule and decline to consider facts outside the four corners of the complaint (i.e., the Galey summary) in determining whether the insurers had a duty to defend. The insurers characterized Monroe’s omissions in its complaint as “an improper and transparent attempt to plead into coverage.”
The Galey Court Gets It Exactly Right
Both the trial court and the appellate court in Galey agreed with the Insurers, concluding that the Galey summary—and its allegations of cyber fraud—were fair game. On the merits, the courts examined whether Monroe’s action against Galey Consulting for failing to properly facilitate payments fell within the exclusion for actions “arising directly or indirectly out of a cyber event.” Again, both the lower court and appellate court agreed. The appellate court held that regardless of the steps in the chain of causation this loss arose out of a cyber event:
We find it clear from [] Galey’s summary of events that Monroe’s loss can only be characterized as “arising directly or indirectly out of” a cyber event, even if other potential causes of the loss can also be identified. . . [N]one of the other allegedly negligent or wrongful acts by Galey would have resulted in the diversion of Monroe's funds if the e-mail hacking and wire fraud incident had not occurred. Accordingly, we hold that the cyber events exclusion is applicable under its plain language and negates any duty to defend on the part of the Underwriters in the present case.
Indeed, there is always an act or omission by the insured that precedes a successful funds transfer fraud scheme—whether it be failing to secure its computer system or failing to verify the payment instructions. If the insured could recharacterize the loss as one arising out of negligence as opposed to arising out of a cyber event, then this exclusion could never apply. The majority in Galey appropriately applied the cyber event exclusion to bar Galey Consulting’s claim for a defense and indemnity. The court properly interpreted the policy as written, even though the result was no coverage for the policyholder.
The Kane Court Got It Exactly Wrong
By contrast, earlier this summer, the court in Kane twisted itself in knots in an effort to find coverage for funds transfer fraud under a cyber liability provision insuring an entirely different risk — security breaches. In Kane, a New Mexico court found coverage by interpreting a policy as providing liability coverage for claims “for” a security breach as broad coverage for all claims “arising out of” a security breach. And it also ignored the clear intent of the policy to limit loss arising from a funds transfer fraud to $250,000. In that case, there was separate coverage in the policy for funds transfer fraud with a $250,000 sublimit.
Both the Kane and Galey cases illustrate how companies affected by cybercrime attempt to work around gaps in cyber coverage to obtain compensation for their losses and how courts respond to those gaps.
In Kane, the policyholder created circumstances that were calculated to give rise to a lawsuit against it, which it could then tender to its insurer for defense and indemnification. Despite the clear gap in coverage, the court went to great lengths to find coverage for the policyholder and implicitly condoned the insured’s attempts to create a covered suit.
In Galey, the underlying claimant attempted to maximize coverage by pleading around the policy’s cyber exclusion. However, in Galey, the court declined to rewrite the policy or remedy the obvious coverage gap.
The Galey court properly enforced the insurance contract as written. By providing coverage only for the losses that an insured bargained and paid for, courts maintain the stability of the insurance industry – a benefit to both insurers and policyholders. Businesses cannot and should not rely on courts to rescue them from being uninsured or underinsured for cyber-related losses. They must carefully review their coverage program with an eye toward identifying which risks they are most likely to face. Since many contractors handle not only high value payments between owners and subcontractors, but also sensitive client data and corporate information, they are attractive targets for cybercriminals. In addition, many are small businesses with less sophistication around cyber security, making them particularly vulnerable.
_________________________________
This article was originally published by CLM Magazine.
