In a well-reasoned recent opinion, an Illinois appellate court strictly construed a cyber policy, ruling that reaso
nable—but contractually unnecessary—payments made by an insured following a cyberattack did not constitute insured “extra expense.”
While the decision is designated as “unpublished,” it is an important decision for cyber insurers and insureds alike. Specifically, the case provides clear guidance
in situations where an insured takes appropriate, but ultimately flawed, actions in response to a cyber event that increase the amount of loss sustained.
The loss in Villa (Villa Financial Servs., LLC v. Underwriters at Lloyd’s of London & Other Insurers Subscribing to Policy No. ESK0339
447455, 2025 IL App (1st) 250754-U, Nov. 2025) arose out of a 2021 cyberattack on Kronos Group, a payroll services company. As a result of the attack, Villa, a management company for multiple nursing homes, w
as unable to use Kronos Group’s payroll services, including its payroll data. In order to meet its payroll obligations f
or that period, Villa paid its employees based on payroll data from prior periods. Using this outdated data resu
lted in some employees being overpaid and others being underpaid, with the net result being an overpayment to employees of $1.2 million.
After attempting unsuccessfully to recover these overpayments from Kronos, Villa turned to its cyber insurance carrier and sought coverage, claiming the a
mounts as incurred “extra expense.” The cyber insurer denied the claim on the grounds that the overpayment did not q
ualify as an “extra expense” as it was not “necessary,” as required under the policy. Villa filed suit.
Watch More Image Part 2 >>>
The cyber policy insured “income loss and extra expense” incurred “as a direct result of an interruption
to your business operations caused by computer systems downtime arising directly out of a cyber event or system fail
ure.” The policy defined extra expense as the “reasonable sums necessarily incurred to mitigate an interruption to and continue your business operations.”
The insurer moved for judgment on the pleadings, arguing that Villa could never demonstrate that the payroll overpayments were “necessarily incurred.” Villa argued it had no choice but to continue proc
essing payroll and making payments based on the best information it had at the time. The court granted the insurer’s
motion on the grounds that Villa had “fail[ed] to allege sufficient facts” to show how the overpayment was “essential, indispensable, or requisite for it to continue its business operations.”
Villa filed a motion for reconsideration of the trial court’s decision and asked for an opportunity to amend its complaint to allege facts showing why the overpayments were necessary to continue its operations. The tr
ial court denied the motion but amended its order to make clear that Villa could not, as a matter of law, allege any facts that would bring the overpayments int
o coverage. The trial court explained it was undisputed that Villa was not required to “pay its employees more than they were owed in order to continue its business operations.”
On appeal, the appellate court affirmed the trial court’s ruling. The appellate court noted that in evaluating the issue it had to draw all fair inferences in favor of the insured. Despite the high legal burd
en, the insurer still prevailed. The insurer argued the only amounts “necessarily incurred” were the amounts actually owed to Villa’s employees. Villa argued it could not access the timekeeping records due to the c
yberattack so it had no choice but to use records from previous payroll cycles.
In affirming the trial court’s ruling, the appellate court explained that it would be altering the policy to create new coverage if it required the insurer to reimburse Villa for the overpayments:
While it may be true that plaintiff felt it had no choice in that moment but to pay out extra funds in order to meet its
payroll obligations, plaintiff’s apparent misfortune does not create coverage where none exists under the policy.