In a well-reasoned recent opinion, an Illinois appellate court strictly construed a cyber policy, ruling that reasonable—but contractually unnecessary—payments made by an insured following a cyberattack did not constitute insured “extra expense.”
While the decision is designated as “unpublished,” it is an important decision for cyber insurers and insureds alike. Specifically, the case provides clear guidance in situations where an insured takes appropriate, but ultimately flawed, actions in response to a cyber event that increase the amount of loss sustained.
The loss in Villa (Villa Financial Servs., LLC v. Underwriters at Lloyd’s of London & Other Insurers Subscribing to Policy No. ESK0339447455, 2025 IL App (1st) 250754-U, Nov. 2025) arose out of a 2021 cyberattack on Kronos Group, a payroll services company. As a result of the attack, Villa, a management company for multiple nursing homes, was unable to use Kronos Group’s payroll services, including its payroll data. In order to meet its payroll obligations for that period, Villa paid its employees based on payroll data from prior periods. Using this outdated data resulted in some employees being overpaid and others being underpaid, with the net result being an overpayment to employees of $1.2 million.
After attempting unsuccessfully to recover these overpayments from Kronos, Villa turned to its cyber insurance carrier and sought coverage, claiming the amounts as incurred “extra expense.” The cyber insurer denied the claim on the grounds that the overpayment did not qualify as an “extra expense” as it was not “necessary,” as required under the policy. Villa filed suit.
The cyber policy insured “income loss and extra expense” incurred “as a direct result of an interruption to your business operations caused by computer systems downtime arising directly out of a cyber event or system failure.” The policy defined extra expense as the “reasonable sums necessarily incurred to mitigate an interruption to and continue your business operations.”
The insurer moved for judgment on the pleadings, arguing that Villa could never demonstrate that the payroll overpayments were “necessarily incurred.” Villa argued it had no choice but to continue processing payroll and making payments based on the best information it had at the time. The court granted the insurer’s motion on the grounds that Villa had “fail[ed] to allege sufficient facts” to show how the overpayment was “essential, indispensable, or requisite for it to continue its business operations.”
Villa filed a motion for reconsideration of the trial court’s decision and asked for an opportunity to amend its complaint to allege facts showing why the overpayments were necessary to continue its operations. The trial court denied the motion but amended its order to make clear that Villa could not, as a matter of law, allege any facts that would bring the overpayments into coverage. The trial court explained it was undisputed that Villa was not required to “pay its employees more than they were owed in order to continue its business operations.”
On appeal, the appellate court affirmed the trial court’s ruling. The appellate court noted that in evaluating the issue it had to draw all fair inferences in favor of the insured. Despite the high legal burden, the insurer still prevailed. The insurer argued the only amounts “necessarily incurred” were the amounts actually owed to Villa’s employees. Villa argued it could not access the timekeeping records due to the cyberattack so it had no choice but to use records from previous payroll cycles.
In affirming the trial court’s ruling, the appellate court explained that it would be altering the policy to create new coverage if it required the insurer to reimburse Villa for the overpayments:
While it may be true that plaintiff felt it had no choice in that moment but to pay out extra funds in order to meet its payroll obligations, plaintiff’s apparent misfortune does not create coverage where none exists under the policy.
The court concluded that, given the plain meaning of the term “necessarily incurred”, there was no reasonable interpretation of the policy that would require the insurance company to reimburse Villa for payments that it was not obligated to make. The court held that the fact Villa may have acted reasonably and as a prudent business owner was irrelevant to the analysis of whether the overpayments were insured:
While exigent circumstances might have made plaintiff believe that it was prudent to make the excess payments or perhaps the circumstances required plaintiff to temporarily overpay its employees to meet its true wage payment obligations, there is no reasonable basis to conclude that the parties intended that defendant would indemnify plaintiff for such expenditures based on the language of the policy.
The court acknowledged that processing the payments based on outdated data and risking overpayment “might have made good business sense,” but that did not create insurance coverage.
The court further noted that just because the cyberattack was the “but for” cause of the overpayment did not mean there was coverage, stating “while the overpayments made by plaintiff were a consequence of the ransomware attack, they were not covered by the insurance contract.”
In the court below, the insurer made the additional argument that Villa failed to mitigate its losses because it did not attempt to recover the overpayments from its employees; however, the trial court did not address this argument, and the appellate court did not consider it. It is notable that some states require an employee’s written consent before an employer can recover overpayments. Other times, employees leave the company, making recovery efforts impossible or cost prohibitive.
Both the trial and appellate courts found the reasoning in the 2004 Illinois appellate court decision in Chatham Corporation v. Dann Insurance informative in reaching their rulings. In Chatham, an explosion caused Chatham’s sterilization facility to shut down for seven months. Chatham’s property insurance policy defined extra expenses as “necessary expenses” that “would not have [been] incurred” had no loss occurred.
Chatham was contractually required to find an alternative sterilization facility for one of its clients while its facility was down and to pay the cost of shipping unsterilized items from Chatham’s facility to the alternative facility. Chatham located an alternative facility and paid to ship its client’s goods to this facility. But Chatham also paid to ship the sterilized goods from the alternative facility to the client’s customers. The contract did not require Chatham to pay that shipping cost. The insurer concluded that because Chatham was not contractually required to pay those shipping costs, they did not qualify as extra expense.
The trial court granted summary judgment in favor of Chatham’s insurer, and the appellate court affirmed the judgment. The appellate court held that the coverage was limited to “necessary expenses” and that necessary in this context meant “essential, indispensable, or requisite.” The court held the outbound shipping was not necessary but rather was gratuitous or voluntary. The court held that expenses Chatham “wanted to incur on a gratuitous or voluntary basis” are the “the opposite of ‘necessary.'”
On its face, the Villa decision appears to be in tension with the Fifth Circuit Court of Appeals’ decision in Southwest Airlines Co. v. Liberty Insurance Underwriters, Inc. In Southwest, the Fifth Circuit reversed the trial court’s grant of summary judgment in favor of the insurer and held that it was a question of fact as to whether certain categories of Southwest’s claimed loss, including promo codes and travel vouchers Southwest voluntarily issued to its customers following a service disruption caused by a massive computer failure, were insured under a cyber risk insurance policy. It is important to keep in mind, however, that the courts in Villa and Southwest were construing different policy language. In Southwest, the court was not analyzing the word “necessary” but rather the word “solely.” In Southwest, the insured sought coverage under a provision insuring “all Loss . . . that an Insured incurs . . . solely as a result of a System Failure.”
The court in Southwest grappled with whether “solely” meant there is no intermediate causes (such as a discretionary decision) or whether it meant there is no other originating or precipitating causes. The court concluded that “solely” could mean that there were no other originating causes even if there were other causes along the causal chain. The court held that Southwest’s decision to give the customer benefits was a decision along the chain but the precipitating cause of the loss was still the system disruption. The court remanded the case to the lower court to analyze such issues as whether the extension of benefits including vouchers were reasonable and put the insured back into the position it would have been had no loss occurred. The court noted that the insured should not receive a windfall, such as receiving coverage for benefits given to customers whose travel was unaffected by the cyber event.
The Villa decision is a reminder that the terms of the insurance contract at issue are critical, and a contract is a contract. The Villa court refused to ignore the policy’s clear language, even if that meant that the policyholder did not recover for its full loss. The Villa court declined to take a results-oriented approach, even where the policyholder’s business decisions were practical, defensible, and reasonable under the circumstances.
Photo: Generated with AI, AdobeStock
Was this article valuable?
Here are more articles you may enjoy.
Foundation Firmed: AM Best Switches View of US Homeowners Insurers to Stable 
Deadly Bear Attacks in Japan Prompt New Products From Insurers 
Litigation Finance Hits a Wall After Bets on Huge Gains Falter 
Best Quarter in a Quarter Century, Says S&P Q3 Analysis of US P/C 
