(Article from Insurance Law Alert, December 2025)
For more information, please visit the Insurance Law Alert Resource Center.
Holding
An Illinois trial court properly dismissed a coverage suit against a cyber insurer because the insured’s inadvertent overpayment to employees following a cyberattack on the company’s payroll vendor was not covered under the policy. Villa Fin. Serv’s, LLC v. Underwriters at Lloyd’s of London, 2025 Ill. App. Unpub. LEXIS 2116 (Ill. App. Ct. Nov. 24, 2025).
Background
Villa Financial Services contracted with a third-party vendor for its payroll operations. In 2021, the vendor notified Villa that it was the victim of a ransomware attack and was unable to initiate its payroll processes. Therefore, to meet its payroll obligations, Villa paid its employees based on data from prior payroll periods. This method resulted in an overpayment of more than $1.2 million.
Villa sought coverage from Underwriters under a Cyber Private Enterprise Policy. When the insurer denied coverage, Villa sued, seeking a declaration that the overpayments constituted an “extra expense,” defined by the policy as “reasonable sums necessarily incurred to mitigate an interruption to business operations.” The trial court granted Underwriters’ motion for judgment on the pleadings and the appellate court affirmed.
Decision
The appellate court’s ruling centered on its finding that the inadvertent overpayments to Villa’s employees were not “necessary.” As a threshold matter, the court held that the undefined term “necessary” was not ambiguous and means “essential, indispensable, or requisite.” The court further acknowledged that Villa may have been unable to access reliable payroll records due to the cyberattack on its vendor but emphasized that the overpayments were not amounts that Villa was contractually obligated to pay and were therefore not “necessary.” Rather, only amounts actually earned by Villa’s employees could be deemed “necessary” for the continued operation of the business.
Comments
The decision highlights an important distinction between consequential expenses and necessary expenses. The court explained: “while the overpayments made by plaintiff were a consequence of the ransomware attack, they were not covered by the insurance contract . . . . Incurring those additional expenses might have made good business sense to plaintiff, but they were not necessarily incurred for purposes of the extra expense provision.”